https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/185996#M34221 <P>Questions re unified policies</P> <P>Scenario</P> <P>A new layer is created and Applications &amp; URL Filtering is the ONLY blade selected. The layer is integrated in to an existing access control policy with only the firewall blade enabled.&nbsp;</P> <P>1. Are the access and application layers independent in a unified rule base, in so far as the traffic is not analyzed by the access layer first then proceeds to be analyzed by the application layer (as what occurs when adding an application layer as an additional layer to the access control layer) - and vice versa.</P> <P>2.So assuming the traffic only needs match on either layer to be processed i.e. the first layer the traffic matches on, if I add the application layer near the top of the unified rule base, the parent rule catches the traffic, it drops down in to the layer to be analyzed by the layer sub-rules, it matches on a sub-rule or clean up rule (that has an implicit cleanup action of Accept), the traffic is accepted with no further rule base matching required.&nbsp;</P> <P>I notice the Application &amp; URL Filtering blade does not need to be explicitly enabled on the access layer in the policy general properties. You can still add a separate application layer to the policy and it will work.&nbsp;</P> <P>Regards,</P> <P>Simon&nbsp;</P> <P>&nbsp;</P> Mon, 10 Jul 2023 05:17:48 GMT Simon_Macpherso 2023-07-10T05:17:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/185996#M34221 <P>Questions re unified policies</P> <P>Scenario</P> <P>A new layer is created and Applications &amp; URL Filtering is the ONLY blade selected. The layer is integrated in to an existing access control policy with only the firewall blade enabled.&nbsp;</P> <P>1. Are the access and application layers independent in a unified rule base, in so far as the traffic is not analyzed by the access layer first then proceeds to be analyzed by the application layer (as what occurs when adding an application layer as an additional layer to the access control layer) - and vice versa.</P> <P>2.So assuming the traffic only needs match on either layer to be processed i.e. the first layer the traffic matches on, if I add the application layer near the top of the unified rule base, the parent rule catches the traffic, it drops down in to the layer to be analyzed by the layer sub-rules, it matches on a sub-rule or clean up rule (that has an implicit cleanup action of Accept), the traffic is accepted with no further rule base matching required.&nbsp;</P> <P>I notice the Application &amp; URL Filtering blade does not need to be explicitly enabled on the access layer in the policy general properties. You can still add a separate application layer to the policy and it will work.&nbsp;</P> <P>Regards,</P> <P>Simon&nbsp;</P> <P>&nbsp;</P> Mon, 10 Jul 2023 05:17:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/185996#M34221 Simon_Macpherso 2023-07-10T05:17:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186023#M34231 <P>If multiple ordered layers are used (regardless of the blades enabled in the different layers), traffic much match an Accept rule in EACH layer to pass.</P> Mon, 10 Jul 2023 12:01:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186023#M34231 PhoneBoy 2023-07-10T12:01:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186040#M34237 <P>As phoneboy said, every ordered layer has to accept traffic, otherwise, it wont work. So, below is perfect example. Say, if what I pointed out is action drop instead of accept, NOTHING would work at all.</P> <P>Andy</P> <P>&nbsp;</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Ordered-Layers-and-Inline-Layers.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Ordered-Layers-and-Inline-Layers.htm</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21694i50039FDF8C6B7ECE/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Mon, 10 Jul 2023 14:43:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186040#M34237 the_rock 2023-07-10T14:43:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186088#M34248 <P>The scenario is a single ordered layer <SPAN>with only the firewall blade enabled,&nbsp;</SPAN>with an inline application layer (only application and url filtering blade enabled) integrated.&nbsp;</P> Mon, 10 Jul 2023 23:48:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186088#M34248 Simon_Macpherso 2023-07-10T23:48:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186099#M34250 <P>In that scenario, the App Control layer will only be evaluated if the parent rule (in a Firewall-only layer) is matched.</P> Tue, 11 Jul 2023 06:16:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Application-Layer-in-Unified-Policy/m-p/186099#M34250 PhoneBoy 2023-07-11T06:16:47Z