https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-40-Policy-Layers-change/m-p/119469#M16889 <P>Hi All,</P><P>Apologies in case this comms as general knowledge to some.</P><P>&nbsp;</P><P>I have Checkpoint R80.40 implemented where it has one policy, and this policy under Access Control has separated layers. One layer called Network with Firewall blade selected and one layer called Application with Applications &amp; URL Filtering blade selected.</P><P>This leaves me with two policy section to manage.</P><P>I do see that there is nothing preventing me to update first Layer to include Applications &amp; URL Filtering blade.</P><P>What I am not clear is what would be the consideration to be taken if I do this.</P><P>Would I be required to go about replicating existing Applications &amp; URL Filtering policy after I enable the blade and publish/install the policy on gateways? Or will it still operate in layers as long first one explicitly does not deny something allowed in second layer?</P><P>I am looking at doing consolidation of both blades and minimise policies to manage.</P><P>&nbsp;</P><P>Many Thanks in advance!</P> Wed, 26 May 2021 13:56:13 GMT AigarsK 2021-05-26T13:56:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-40-Policy-Layers-change/m-p/119469#M16889 <P>Hi All,</P><P>Apologies in case this comms as general knowledge to some.</P><P>&nbsp;</P><P>I have Checkpoint R80.40 implemented where it has one policy, and this policy under Access Control has separated layers. One layer called Network with Firewall blade selected and one layer called Application with Applications &amp; URL Filtering blade selected.</P><P>This leaves me with two policy section to manage.</P><P>I do see that there is nothing preventing me to update first Layer to include Applications &amp; URL Filtering blade.</P><P>What I am not clear is what would be the consideration to be taken if I do this.</P><P>Would I be required to go about replicating existing Applications &amp; URL Filtering policy after I enable the blade and publish/install the policy on gateways? Or will it still operate in layers as long first one explicitly does not deny something allowed in second layer?</P><P>I am looking at doing consolidation of both blades and minimise policies to manage.</P><P>&nbsp;</P><P>Many Thanks in advance!</P> Wed, 26 May 2021 13:56:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-40-Policy-Layers-change/m-p/119469#M16889 AigarsK 2021-05-26T13:56:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-40-Policy-Layers-change/m-p/119478#M16892 <P>Two things:</P> <UL> <LI>If you are pushing this policy to any Pre-R80 gateways then you need to maintain the two layers as is (FW only in first layer, App Control in second layer)</LI> <LI>If these layers are only used on R80+ gateways, then you can theoretically merge these layers together.</LI> <LI>The main consideration in either case is to make sure that both layers accept the traffic you wish to pass. By matching a drop rule in either layer, traffic will not pass.</LI> </UL> <P>&nbsp;</P> Wed, 26 May 2021 15:29:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-40-Policy-Layers-change/m-p/119478#M16892 PhoneBoy 2021-05-26T15:29:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-40-Policy-Layers-change/m-p/119481#M16893 <P>Thanks PhoneBoy,</P><P>My deployment does not contain any Pre-R80.</P><P>I will look at updating layers and duplicating rules from Applications layer.</P> Wed, 26 May 2021 15:35:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R80-40-Policy-Layers-change/m-p/119481#M16893 AigarsK 2021-05-26T15:35:12Z