topic Re: Maximum layers support 231 in Firewall and Security Management

Maximum layers support 231

dehaasm — Wed, 15 Mar 2023 11:03:05 GMT

We currently use more then 231 layers and are unable to install the policy it seems not to be supported.

Are there any ways to increase this value perhaps in R81.20 or perhaps on the roadmap?

Re: Maximum layers support 231

PhoneBoy — Wed, 15 Mar 2023 18:27:05 GMT

I thought this limit was higher (251), but this goes back to R80.10.
The current limit appears to be 231: https://support.checkpoint.com/results/sk/sk171551

In the last several years, this question has come up only a few times.
That leads me to believe few customers actually encounter this limit.
Therefore, I'm not sure there are any specific plans to increase it.

What is the precise use case for this many layers?

Re: Maximum layers support 231

dehaasm — Wed, 15 Mar 2023 19:05:23 GMT

The use case is basically to divide the policies into specific flows, for example each partner has its own layer, user flows to specific vlans/security domains have dedicated layers, application flow for each environment (DEV, TEST, QA and PROD) have specific layers. Within each layer a customer can easily go into blocking more for the specific layer/traffic flow. It also makes the policy very organized like a explorer folder structure.

I agree it is perhaps a lot of layers but I don't understand what would be the technical limitation on the system, i guess something that could be easily extended to lets say 1000.

Re: Maximum layers support 231

PhoneBoy — Wed, 15 Mar 2023 19:19:26 GMT

Seems like a sensible approach to me.
Tagging @Tomer_Noy for visibility of this interesting use case.

I could see there being limits in both the gateway and the management related to this, making it a less simple matter to increase the limit.
Recommend approaching your local Check Point office with this RFE.

Re: Maximum layers support 231

dehaasm — Wed, 15 Mar 2023 19:22:49 GMT

We are able to create more than 231 layers on the SMS without an issue, it seems that the gateway does not allow it and therefor does not load the policy with installation error. Sure we can contact our local SE contact to consider this and address a RFE.

Re: Maximum layers support 231

Tomer_Noy — Wed, 15 Mar 2023 20:43:59 GMT

The layer number limitation is indeed on the gateway side. Adding @Nachum_Moshe for visibility.

An RFE is probably a good way to promote such a request.

Re: Maximum layers support 231

Peter_Thome — Wed, 15 Nov 2023 15:02:43 GMT

Is there a way to get the number of layers in use in a policy Package without counting manually ?

KR, Peter

Re: Maximum layers support 231

Alex- — Wed, 15 Nov 2023 17:42:15 GMT

ACL=$(mgmt_cli -r true show-access-layers -f json | jq -r '.total');TPL=$(mgmt_cli -r true show-threat-layers -f json | jq -r '.total');HIL=$(mgmt_cli -r true show-https-layers -f json | jq -r '.total');echo "$ACL Access layers, $TPL Threat Prevention layers, $HIL HTTPS Inspection layers. "; echo -e "Total $(expr $ALC + $TPL + $HIL)"

Re: Maximum layers support 231

PhoneBoy — Wed, 15 Nov 2023 17:40:20 GMT

We don't provide a mechanism that gives you a direct count of the number of layers in use in a given policy package.

It is possible to programmatically count the number of layers in use via the API.
Start with the policy package in use: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-package~v1.9%20
This will list the top-level policy layers in use for both Access Policy and Threat Prevention.

Most likely it is the Access Policy where you are using a number of layers...and most likely they are inline layers.
These will not be listed directly via show-package, they must be found through parsing the individual rules in the layer, which will have the action "Apply Layer" if an inline-layer is used.
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.9%20

Re: Maximum layers support 231

PhoneBoy — Wed, 15 Nov 2023 17:43:00 GMT

That will only give you the number of top-level "Ordered" layers.
To find the inline layers in use, you will have to parse the policy layer(s) involved.

Re: Maximum layers support 231

Alex- — Wed, 15 Nov 2023 19:58:03 GMT

I have an SMS with only inline layers in the Access policies and no ordered layer and with the show-x-layers I see them all in the JSON output with show-x-layers.

[Expert@SomeSMS:0]# ACL=$(mgmt_cli -r true show-access-layers -f json | jq -r '.total');TPL=$(mgmt_cli -r true show-threat-layers -f json | jq -r '.total');HIL=$(mgmt_cli -r true show-https-layers -f json | jq -r '.total');echo "$ACL Access layers, $TPL Threat Prevention layers, $HIL HTTPS Inspection layers. "; echo -e "Total $(expr $ACL + $TPL + $HIL)"

41 Access layers, 8 Threat Prevention layers, 1 HTTPS Inspection layers.
Total 50

Re: Maximum layers support 231

PhoneBoy — Wed, 15 Nov 2023 17:59:41 GMT

This shows you the number of layers you've defined across your SMS.
It doesn't tell you how many of those layers are being used in a given policy package (which is where the limit comes into play).
However, this is useful none the less.

Re: Maximum layers support 231

Alex- — Wed, 15 Nov 2023 18:01:39 GMT

You're absolutely right, I stand corrected.