topic Re: Best practices for inline layers in Firewall and Security Management

Best practices for inline layers

Eric_Davis — Tue, 21 May 2019 13:51:45 GMT

Hi, we're running R80.10 and would like to start cleaning up our policy that has become cluttered and outdated and inline layers look like they could assist in keeping things organized as we clean up the old clutter but I can't find a lot of info about best practices for them.

Should you try to limit how many inline layers/rules you use in a policy?

Is there a preferred method for crafting the parent rule? Should it be vague and then get more particular with each inline layer rule? Or should the parent rules be crafted very specifically as well?

I've read a few of the threads here on CheckMates and any relevant SK's but was just wondering if there was any specific guidance on the best way to utilize inline layers.

Re: Best practices for inline layers

Nick_Doropoulos — Tue, 21 May 2019 17:46:26 GMT

Hi Eric,

If I were you, I would be reading up on the following:

Best Practices for Access Control Rules
Unified Rule Base Cases

Both sections can be found in the following link:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuide/136972&anchor=o137050

I hope this helps.

Re: Best practices for inline layers

PhoneBoy — Thu, 23 May 2019 01:11:08 GMT

I wouldn’t nest inline layers more than 3 or 4 deep. Top-Level rules should be fairly generic but there are use cases when a specific rule at the top might be useful.

Also think "reusable policies" with layers. For example, you might create a layer specific to Internet access that you want to apply in multiple policies. That would be a layer you make shared so it can easily be reused.

Re: Best practices for inline layers

Martijn — Wed, 04 Sep 2019 10:59:02 GMT

Hi,

Today we have hit the limit of 251 layers in a policy. Using more than 251 layers in the policy, we get a policy installation error with error code 1-200008.

Article sk154435 (scenario 1b) mentions the 251 limit.

For our customer this means a redesign of the whole security policy. So be aware of this limit.

Regards,

Martijn.

Re: Best practices for inline layers

Danny — Wed, 04 Sep 2019 11:39:35 GMT

I would love to learn more about this policy design method. Is every rule using a layer?

I've never seen a security policy yet with more than just a couple layers.

Re: Best practices for inline layers

Maarten_Sjouw — Wed, 04 Sep 2019 15:10:59 GMT

I also have a customer that has loads of inline layers.
They have external and internal DMZ's, for each direction (in and out) the network itself is on a rule, and the rule has a layer to be more specific with hosts, also on the external DMZ out layer has a shared sub layer that allows all external DMZ servers to go out to a specific service.
With about 20 DMZ sets times 8 layers per DMZ set = 160 and then the additional shared layer (is this counted per occurrence in this case?)

Re: Best practices for inline layers

Martijn — Wed, 04 Sep 2019 19:15:43 GMT

Hi,

Customer creates security rules between VLAN's with inline layers. In these inline layers the rules are specified for traffic between servers in these VLAN's. All inline layers end with a 'Any' 'Any' 'Drop' rule.

With this method all unwanted traffic is dropped by a 'Drop' rule in one of the inline layers without going through the whole policy before traffic is dropped. This means the clean up rule at the end is almost not used and when they see the clean up rule being hit, they know they made an error in the policy / layers.

So yes, all rules are using inline layers. With the exception of clean up, stealth and some management rules. With almost 260 rules, we hit the 251 limit.

Support mentioned the following limites regarding policies.

Limitation for NAT rules in the policy - 16384.
Limmitaion of the layers in the policy - 251.
Limmitaion of the rules in the policy - No limit.

Regards,

Martijn

Re: Best practices for inline layers

Maarten_Sjouw — Wed, 04 Sep 2019 20:41:22 GMT

Oh BTW this is indeed exactly the idea, end of the layer is a drop, either implicit or explicit, depending on the layer properties.
However do keep in mind as well that once the flow is into a layer that is also where it ends, so when you put an allow rule at the end it will allow ALL ELSE that fits the parent rule.

Re: Best practices for inline layers

Lari_Luoma — Thu, 05 Sep 2019 01:50:00 GMT

@Martijn Sounds very complex and not really how the layers are meant to be used.

The main purpose is to make policies more efficient and manageable.

Below are my guidelines for access control policy layers.

Inline layers are sub-policies
Use security zones as "parent" rules
Use access roles to allow user access when possible
Add a clean-up rule after each layer (drop or accept depending on the purpose)
Limit the number of rules per layer to under a hundred. If you have a feeling that you should have hundreds of rules per layer, consider adding more layers instead of one very big one.
Make your layers shareable if you have many policies that could utilize them.
If you have any pre-R80.10 gateways only ordered layers are supported.
Implement segregation of duties with layers if this is necessary in your organization.
- You can give layers specific admin privileges (specific admins can be allowed access to manage only certain layer).

Re: Best practices for inline layers

Martijn — Mon, 16 Sep 2019 11:12:35 GMT

@Lari_Luoma Thanks for these tips.

Do you know if the limit of 251 is per Access Policy or per Unified Policy. Or is the type of policy not relevant?

Regards,

Martijn.

Re: Best practices for inline layers

George_Casper — Mon, 16 Sep 2019 17:07:47 GMT

Just an FYI if you have it, the Compliance Blade last I checked sadly doesn't evaluate in-line rules. A good example if you App/URL policy is an in-line rule the compliance blade will show 'Poor' for blocking high risk categories even if you are blocking them. Not sure if this is even addressed in R80.30. Also other policy auditing tools such as Nipper Studio don't evaluate or even list the child rules.

Re: Best practices for inline layers

Peter_Baumann — Tue, 04 Feb 2020 12:39:18 GMT

Do you know howto count the inline layers used in the policy?

Thanks,
Peter

Re: Best practices for inline layers

Peter_Baumann — Wed, 12 Feb 2020 14:16:19 GMT

Found it!
With this you can count the Inline Layers:
https://wiki.linuxnet.ch/bin/view/Vendors/Check%20Point/Operation/Check%20Point%20Useful%20CLI%20Commands/#HCountandshowaccess-layers28InlineLayers29

Re: Best practices for inline layers

xsxso — Thu, 28 Jan 2021 10:28:59 GMT

Hi @Peter_Baumann FYI, the link is dead

Re: Best practices for inline layers

Peter_Baumann — Thu, 28 Jan 2021 16:06:37 GMT

Sorry, I moved to a new cms, the link is now here:

https://doc.gecloud.ch/books/check-point-firewalls/page/useful-cli-commands#bkmrk-count-and-show-acces

Re: Best practices for inline layers

Nik_Bloemers — Tue, 15 Nov 2022 09:53:59 GMT

In this topic there have been a few mentions of the limit of 251 inline layers (sk154435).

The new IoT protect functionality will also add many layers, according to what I've seen in a demo (see screenshot below).

What will the impact be for the 251 limit? Will this limit be removed? Will these rules count against that limit?

Re: Best practices for inline layers

PhoneBoy — Tue, 15 Nov 2022 17:34:45 GMT

As I recall, the 251 layer limit was in early R80.x releases.
Not sure if we still have that limit in current versions.