topic Check point policy base coversion to inline layers in Firewall and Security Management

Check point policy base coversion to inline layers

lmorocz — Wed, 06 Jul 2022 08:40:54 GMT

Hello All,

I've recently used the SmartMove to move rules from ASA to CP.
I saw that it puts rules automatically with inline layers.

Is that a way to do same, like group automatically the rules for an existing Check Point policy base (R80.40)?

Thanks a lot!

Re: Check point policy base coversion to inline layers

Sorin_Gogean — Wed, 06 Jul 2022 10:36:03 GMT

hey,

To make sure I understood this correctly "Is that a way to do same, like group automatically the rules for an existing Check Point policy base (R80.40)? " - you mean you want to move existing ordered layers (R80.40 - it doesn't matter) to in-line layer format in an automated way ?

As we moved from ordered to in-line layer a bit more than a year ago, I can tell you that we did that exercise manually, going over each rule-line from ordered layer policy. (we had from 40 lines to 700 lines in our old rulebase)

By doing that we cleared the "debris" 😁 and checked once again what is allowed and what is not allowed, and other stuff like that.

Doing this exercise once every few years, is a good thing in my opinion.

Ty,

Re: Check point policy base coversion to inline layers

lmorocz — Wed, 06 Jul 2022 13:07:17 GMT

Yes exactly, I would like to move ordered layers to be inlines.
The automatic part would be more like a guideline, then we would overseer the outcome of course.

Re: Check point policy base coversion to inline layers

the_rock — Wed, 06 Jul 2022 13:10:29 GMT

I did this for customers few times with smart move and I can tell you that its so much better when you have inline layers. Its more secure, traffic gets handled much faster. Here is a good example...say, for argument sake, you have 1000 rules in your rulebase and no layers at all, inline or ordered. Well, policy will have to be checked until needed rule is hit, but with layers, if it does not hit whats called "parent rule", then it wont bother checking "child rules" inside that inline layer, will just move to next inline layer and so on, until it hits the right one and if nothing matches, then will hit implicit clean up rule, so traffic handling works way better that way.

Re: Check point policy base coversion to inline layers

PhoneBoy — Wed, 06 Jul 2022 14:09:56 GMT

For existing Check Point policies, not aware of a tool.
We also have not published any guidelines for converting.

If you still have a legacy App Control layer, it’s easy enough to make that an inline layer either by copy paste or converting the ordered layer to an inline one.

Re: Check point policy base coversion to inline layers

Sorin_Gogean — Wed, 06 Jul 2022 14:38:50 GMT

Honestly, just going through them would be the best recommended way from my side, as that is what we did before.

There are several recommendation out there that you can follow, on how to sketch your in-line layer policies.

(I can search them once again and point them to you)

Ty,

Re: Check point policy base coversion to inline layers

lmorocz — Thu, 07 Jul 2022 14:18:09 GMT

Thanks a lot, that's why I have not found anything!
I've thought a way, but I have some questions about it too, will post it as a different after some digging.