https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122055#M17450 <P>It is okay for traffic not destined for the gateway.</P><P>The problem is for traffic destined for the gateway.<BR /><BR />The mgmt rule basically accepts specific traffic to the gateway like ssh for example but if you get a hit in an ordered layer you move to the next ordered layer until you get a drop or until the get to an accept in the last ordered layer, no?<BR /><BR />As far as I understand you can't get an accept in the first ordered layer and stop there<BR /><BR /></P> Thu, 24 Jun 2021 14:55:32 GMT Luis_Miguel_Mig 2021-06-24T14:55:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/121693#M17369 <P>I am a fan of the mdps feature but I miss the ability to have a policy package dedicated to the management plane and separated from the data plane. Could this be a new feature in the future?<BR /><BR />In the meanwhile, I was wondering if it would make sense to have an ordered layer just dedicated to the management rule and stealth rule.<BR /><BR />I think it could simplify it and be more visual but I was wondering if there could be any drawback.</P> Mon, 21 Jun 2021 09:31:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/121693#M17369 Luis_Miguel_Mig 2021-06-21T09:31:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/121943#M17425 <P>In terms of performance, it should make no difference.<BR />It's also an example of where Policy Layers can be useful, though I might personally use an inline layer instead.<BR />Horses for courses, though <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 23 Jun 2021 14:49:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/121943#M17425 PhoneBoy 2021-06-23T14:49:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122041#M17444 <P>Even though I think it is a good idea to have a separate layer for mgmt just for clarity, just realizing that in order to work it would need to be the last order layer and it defeats the purpose because we&nbsp; want the mgmt rule to be matched at the begining.<BR /><BR />I think you are right and I will leave it as an inline layer within the general data plane ordered layer</P> Thu, 24 Jun 2021 14:10:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122041#M17444 Luis_Miguel_Mig 2021-06-24T14:10:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122050#M17448 <P>If you wanted to do it with ordered layers, why couldn't it be the first one?<BR />That first layer would just have to accept traffic not destined for the gateway.<BR />That said, it might create some issues with logging since, when multiple ordered layers are used, I believe it shows only the rule number in the first layer in the various tables.<BR />That suggests an inline layer is probably the better option.</P> Thu, 24 Jun 2021 14:39:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122050#M17448 PhoneBoy 2021-06-24T14:39:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122055#M17450 <P>It is okay for traffic not destined for the gateway.</P><P>The problem is for traffic destined for the gateway.<BR /><BR />The mgmt rule basically accepts specific traffic to the gateway like ssh for example but if you get a hit in an ordered layer you move to the next ordered layer until you get a drop or until the get to an accept in the last ordered layer, no?<BR /><BR />As far as I understand you can't get an accept in the first ordered layer and stop there<BR /><BR /></P> Thu, 24 Jun 2021 14:55:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122055#M17450 Luis_Miguel_Mig 2021-06-24T14:55:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122059#M17452 <P>If you use ordered layers, then the traffic must hit an accept rule in each layer, you are correct.</P> Thu, 24 Jun 2021 15:00:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122059#M17452 PhoneBoy 2021-06-24T15:00:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122160#M17478 <P>Going back to one of your comments. Why do we show the rule number of the first layer?&nbsp;<BR />The rule that really matters is the rule hit in the last ordered layer, no? It would way more useful if it was that way.</P> Fri, 25 Jun 2021 09:25:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122160#M17478 Luis_Miguel_Mig 2021-06-25T09:25:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122232#M17486 <P>Why it does this I'm not sure, but that's the behavior I've observed.</P> Fri, 25 Jun 2021 21:52:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/mdps-management-separation-and-management-access-rule/m-p/122232#M17486 PhoneBoy 2021-06-25T21:52:11Z