topic Re: Inline Layer in R80.20 after Migration from R77.30 in Firewall and Security Management

Inline Layer in R80.20 after Migration from R77.30

Daniel_Hainich — Wed, 07 Aug 2019 08:43:51 GMT

Hello,

after migration from R77.30 to R80.20 i want to use inline layers.

can i do an "soft-migration" and add some inline layers?

can i use ordered and inline-layers at the same time?

in maxpower-book i read to not use "any" object. but in R80.20 demo mode, many rules are with any.

so should i avoid any, or is it with inline-layers no problem to use any?

thanks

daniel

Re: Inline Layer in R80.20 after Migration from R77.30

_Val_ — Fri, 09 Aug 2019 09:52:25 GMT

Hi @Daniel_Hainich

Yes, you can migrate as is and later convert some of your rules into sub-layers. We have shown an example of such conversion during one of our TechTalks earlier this year: https://community.checkpoint.com/t5/General-Topics/Migrate-to-R80-20-TechTalk/m-p/22862

Drill to the slides, specifically slides 66-70 are addressing that.

Before @Timothy_Hall can elaborate on your "any" object comment, I have to stress than rulebase order and us of specific objects in the policy has smaller significance with R80.x in comparison to R77.30, because of new rulebase lookup logic.

Re: Inline Layer in R80.20 after Migration from R77.30

Timothy_Hall — Fri, 09 Aug 2019 12:10:15 GMT

Avoiding the use of "Any" in the Destination column of rules is to help optimize the new R80.10+ Column-based Matching feature and reduce rulebase lookup overhead in the F2V path. This recommendation applies for both ordered and inline layers. Using literally anything other than "Any" will help, such as:

A negation of a group object containing all your internal networks to represent the Internet
Object "Internet" in APCL/URLF-enabled layers (but make sure firewall topology is completely and correctly defined)
Security Zone object
Updatable or other Dynamic object

While avoiding "Any" will help in the Destination, Source and Service fields, the Destination column is checked first by Column-based matching thus the recommendation to focus on avoiding "Any" in that column.

Re: Inline Layer in R80.20 after Migration from R77.30

Daniel_Hainich — Fri, 09 Aug 2019 12:13:23 GMT

hello,
thanks for help.
as i understood - any in source column is not a problem. only any in destination and service column?

Re: Inline Layer in R80.20 after Migration from R77.30

Timothy_Hall — Fri, 09 Aug 2019 12:19:26 GMT

"Any" is not a real "problem" as far as functionality or security in any column of a policy layer, for performance optimization purposes though it can be helpful to avoid the use of "Any" primarily in the Destination column.