https://community.checkpoint.com/t5/Firewall-and-Security-Management/Network-amp-Application-policy/m-p/197774#M36952 <P>Hello,</P><P>On the checkpoint how network policy and application work? Is the network policy will take precedence&nbsp; than application policy?</P><P>On the network policy i have 2 rule (CP1 picture) :</P><UL><LI>Rule number 17 INTERNET_DC_VLAN301 is to allowing some server under VLAN301 accessing to the internet</LI><LI>Rule number 18&nbsp;DC_VLAN301 is to drop rest the server under VLAN301</LI></UL><P><SPAN>On the application policy i have rule to allowing all servers (all hosts under DC_VLAN301) access to some specific application such as sophos-update.</SPAN></P><P>With both policy only hosts under group&nbsp;INTERNET_DC_VLAN301 can access to sophos-update even on the source on the application policy set to DC_VLAN301 which contains all host under subnet 301 (10.103.248.0/24)</P><P>So i want to know how to make network policy and application policy can work together?</P> Mon, 13 Nov 2023 03:29:52 GMT handiansudianto 2023-11-13T03:29:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Network-amp-Application-policy/m-p/197774#M36952 <P>Hello,</P><P>On the checkpoint how network policy and application work? Is the network policy will take precedence&nbsp; than application policy?</P><P>On the network policy i have 2 rule (CP1 picture) :</P><UL><LI>Rule number 17 INTERNET_DC_VLAN301 is to allowing some server under VLAN301 accessing to the internet</LI><LI>Rule number 18&nbsp;DC_VLAN301 is to drop rest the server under VLAN301</LI></UL><P><SPAN>On the application policy i have rule to allowing all servers (all hosts under DC_VLAN301) access to some specific application such as sophos-update.</SPAN></P><P>With both policy only hosts under group&nbsp;INTERNET_DC_VLAN301 can access to sophos-update even on the source on the application policy set to DC_VLAN301 which contains all host under subnet 301 (10.103.248.0/24)</P><P>So i want to know how to make network policy and application policy can work together?</P> Mon, 13 Nov 2023 03:29:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Network-amp-Application-policy/m-p/197774#M36952 handiansudianto 2023-11-13T03:29:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Network-amp-Application-policy/m-p/197778#M36954 <P>With ordered layers traffic must match (accept) in both layers to be allowed, please refer:</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Ordered-Layers-and-Inline-Layers.htm" target="_blank" rel="noopener">Ordered Layers and Inline Layers (checkpoint.com)</A></P> <P>&nbsp;</P> Mon, 13 Nov 2023 08:15:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Network-amp-Application-policy/m-p/197778#M36954 Chris_Atkinson 2023-11-13T08:15:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Network-amp-Application-policy/m-p/197854#M36975 <P>You only need to maintain a separate Firewall and App Control policy if you manage any gateways running R77.x (or earlier) code.<BR />Your best bet is to combine them, though that will require manual effort.</P> <P>In general, if you have multiple policy layers, traffic must match an Accept rule in each ordered layer.</P> Mon, 13 Nov 2023 19:16:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Network-amp-Application-policy/m-p/197854#M36975 PhoneBoy 2023-11-13T19:16:42Z