topic Re: Rules Order in Firewall and Security Management

Rules Order

handiansudianto — Tue, 20 Aug 2024 07:16:32 GMT

Hello,

We have network policy layer and application policy layer. The network policy have higher preference than application policy.

With this scenario i want to know :

If there any incoming traffic matched one of rule set in the network rule, will application policy applied?
How can application policy applied, because the application policy have secondary preference and on the bottom of network rule the is implicit deny? In my mind because in network policy have implicit denied so the application policy will not applied.

Re: Rules Order

_Val_ — Tue, 20 Aug 2024 08:27:25 GMT

If you use network policy and application policy as SEPARATE layers, than yes, application policy will be applied to a specific connection only once the is a matching accept rule in the network policy is found, as shown in the picture:

However, applications can be used as part of the network security policy, with or without inline layers, then the final rulebase match should include applications control.

Re: Rules Order

handiansudianto — Tue, 20 Aug 2024 08:32:40 GMT

Hello,

So when no match network rule for the traffic, this mean the application rule will not applied?

Re: Rules Order

_Val_ — Tue, 20 Aug 2024 08:34:35 GMT

To repeat myself, if you are using these two policies as separate layers, yes. In a general sense, not necessarily.

Re: Rules Order

PhoneBoy — Tue, 20 Aug 2024 15:32:31 GMT

For traffic to pass the gateway, it must match an Accept rule in both the Network and Application layer.
This is how Ordered Layers work.

Re: Rules Order

Bob_Zimmerman — Tue, 20 Aug 2024 16:56:14 GMT

With ordered layers, drop is final. Further layers will not be evaluated. Accept is more like "Continue"; it ends that layer's evaluation, then the next layer gets a chance to drop it.

Re: Rules Order

handiansudianto — Wed, 21 Aug 2024 00:37:32 GMT

Hi, What happen if example host 10.10.10.10 is permitted to the internet by network layer, but we don't have any rule in the application layer?

You say 'it must match an Accept rule in both the Network and Application layer', with above scenario host 10.10.10.10 is not able to reach to the internet due implicit deny on application rule even permitted on network layer?

Re: Rules Order

handiansudianto — Wed, 21 Aug 2024 00:39:16 GMT

Hello,

example i want host 10.10.10.10 is able to connect to youtube only. We create application rule to allow youtube for host 10.10.10.10, what should i fill in the network rule? Should i permit host 10.10.10.10 to any?

Re: Rules Order

Bob_Zimmerman — Wed, 21 Aug 2024 01:33:22 GMT

If you have multiple access layers in the policy package, each layer needs a rule to allow the traffic. There is no single correct way to write these rules.

I am perhaps more cautious than many. I would write the access rule as 10.10.10.10 to a negated group containing all the non-public address space (RFC 1918, test networks, experimental networks, loopback, etc.) via https.

Re: Rules Order

handiansudianto — Wed, 21 Aug 2024 01:40:28 GMT

so the rule will be :

Network Layer :
- source : 10.10.10.10
- Destination : any
- Action : accept
Application Layer :
- source : 10.10.10.10
- destination : any
- service & application : youtube
- action : accept

Can you confirm?

Re: Rules Order

emmap — Wed, 21 Aug 2024 05:42:04 GMT

When a packet doesn't match a rule in a layer, the default action is performed. Assuming this is a policy that was updated from R77 days, the Application layer will have a default 'accept no log' action. This can be set when editing a policy layer.

The reason for the 'accept no log' default is that the Application layer is a legacy concept from R77 days when we had the Firewall policy and the App Control/URL Filtering layer as separate entities. We didn't want to make people configure access twice, so the application layer only does anything if you specifically put a rule in it to match some traffic, else it just lets it through as it must already have been accepted on the Network layer to get that far.

Re: Rules Order

handiansudianto — Wed, 21 Aug 2024 05:51:19 GMT

Hi..

I just realized default action on application rule is accept and not drop.

Ok, application rule will work if there any match traffic from network rule?

Re: Rules Order

emmap — Wed, 21 Aug 2024 07:08:44 GMT

If the connection matches an Accept on the Network layer and nothing on the Application layer, it will pass through the gateway.

Re: Rules Order

handiansudianto — Wed, 21 Aug 2024 07:13:15 GMT

If i have below rule, what do you think?

Host 10.10.10.10 able to any address on internet, or only can access to youtube?

Network Layer :
- source : 10.10.10.10
- Destination : any
- Action : accept
Application Layer :
- source : 10.10.10.10
- destination : any
- service & application : youtube
- action : accept

Re: Rules Order

emmap — Wed, 21 Aug 2024 07:31:50 GMT

They can get anywhere. The Youtube traffic will be inspected by Application control and anything else will match the default action for Application layer.

Re: Rules Order

handiansudianto — Wed, 21 Aug 2024 07:33:38 GMT

So, can you know how to make an rule to allowing host 10.10.10.10 only to youtube?

Re: Rules Order

emmap — Wed, 21 Aug 2024 09:07:39 GMT

Add a rule in the Application policy below the one that allows Youtube that drops everything else.

Also limit the services in the Network layer to only the relevant ports (presumably 80 and 443 for Youtube).

Re: Rules Order

PhoneBoy — Wed, 21 Aug 2024 12:50:05 GMT

That will work.
However, I would restrict the services to http/https and the destinations.
You can use the “ExternalZone” object for the destination easily enough.

Re: Rules Order

handiansudianto — Thu, 22 Aug 2024 00:45:46 GMT

Hi..

Network Layer :
- source : 10.10.10.10
- Destination : any
- Action : accept
- service : http, https
Application Layer :
- source : 10.10.10.10
- destination : any
- service & application : youtube
- action : accept

It's the rule what you mean? I believe with this rule the host 10.10.10.10 can access to anywhere since the destination on network layer set to any. Am i right?

Re: Rules Order

emmap — Thu, 22 Aug 2024 01:16:53 GMT

Yes, they can get anywhere on those services.