topic Re: Inline layers and 'Any' access in Firewall and Security Management

Inline layers and 'Any' access

SamiH — Fri, 22 Mar 2019 09:11:00 GMT

Just to verify my understanding.

If I have a inline layer like this

1.1 src:Any dst:MyNet1

1.2 src:MyNet2 dst:MyNet1 Action:Accept

1.3 src:Any dst:MyNet Action:Drop (inline clean up)

2.0 src:MyNet3 dst:Any Action:Accept

and the 2.0 rule won't allow mynet3 to reach mynet1? Just thinking how the "Accept internet except internal networks" would work here after all the internal networks have been handled like that. The reason I am using inline layer dst field is this article https://community.checkpoint.com/t5/General-Management-Topics/Unified-Policy-Column-based-Rule-Matching/td-p/9888 where it says that rule matching begins from dst.

Re: Inline layers and 'Any' access

Maarten_Sjouw — Fri, 22 Mar 2019 18:47:43 GMT

Rule 2.0 will not allow access to MyNet1 as first of all rule 1.3 will drop it, otherwise the default Implicit drop will (a setting on the layer).
To allow Internal networks you need them to either skip rule 1.1 by negating the internal network, or be explicit in the layer as you are doing in rule 1.2.

Re: Inline layers and 'Any' access

PhoneBoy — Fri, 22 Mar 2019 21:52:18 GMT

The column-based matching only applies within a layer, ignoring any inline layers.
If the packet matches a rule with an action of an inline layer, then that inline layer is analyzed for a match.
If no rule in that inline layer matches, the implicit rule (either drop or accept, depending on configuration) applies.