https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-layer-policies/m-p/8135#M90739 <HTML><HEAD></HEAD><BODY><P>Hello, Check Mates!</P><P>When we divide one access layer on many other layers&nbsp;such as Network layer, Application layer and so on, how exactly do the rules work?</P><P></P><P>For example, I have a network layer and an application one.</P><P></P><P>In the Network layer I have accept rule from the admin host&nbsp;in the network A to the network B&nbsp;<SPAN>(services any here)</SPAN> and drop rule for&nbsp;the source any&nbsp;and destination network B (services any here).</P><P></P><P>In the Application layer I have the following rules: 1 accept rule for the admin host in the network A to the network B, but&nbsp; only with AD services. And the drop rule for <SPAN>the source any</SPAN><SPAN>&nbsp;and destination network B (services any here).</SPAN></P><P><SPAN>The <STRONG>admin</STRONG> host <STRONG>can ping network B</STRONG> in that situation!</SPAN></P><P></P><P><SPAN>I thought that the rules are checking from the top to the bottom, like Cisco ACLs, but when I disabled cleanup rule from the Network layer, the <STRONG>ping had lost</STRONG>.</SPAN></P><P></P><P>Eventually, I'm confused because of that. Why I have to add 2 cleanup rules, I guess that the one cleanup rule in the application layer is enough.</P><P></P><P>Thank you for your time and future assistance!</P></BODY></HTML> Fri, 23 Nov 2018 12:13:24 GMT Egor_Cherkasov 2018-11-23T12:13:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-layer-policies/m-p/8135#M90739 <HTML><HEAD></HEAD><BODY><P>Hello, Check Mates!</P><P>When we divide one access layer on many other layers&nbsp;such as Network layer, Application layer and so on, how exactly do the rules work?</P><P></P><P>For example, I have a network layer and an application one.</P><P></P><P>In the Network layer I have accept rule from the admin host&nbsp;in the network A to the network B&nbsp;<SPAN>(services any here)</SPAN> and drop rule for&nbsp;the source any&nbsp;and destination network B (services any here).</P><P></P><P>In the Application layer I have the following rules: 1 accept rule for the admin host in the network A to the network B, but&nbsp; only with AD services. And the drop rule for <SPAN>the source any</SPAN><SPAN>&nbsp;and destination network B (services any here).</SPAN></P><P><SPAN>The <STRONG>admin</STRONG> host <STRONG>can ping network B</STRONG> in that situation!</SPAN></P><P></P><P><SPAN>I thought that the rules are checking from the top to the bottom, like Cisco ACLs, but when I disabled cleanup rule from the Network layer, the <STRONG>ping had lost</STRONG>.</SPAN></P><P></P><P>Eventually, I'm confused because of that. Why I have to add 2 cleanup rules, I guess that the one cleanup rule in the application layer is enough.</P><P></P><P>Thank you for your time and future assistance!</P></BODY></HTML> Fri, 23 Nov 2018 12:13:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-layer-policies/m-p/8135#M90739 Egor_Cherkasov 2018-11-23T12:13:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-layer-policies/m-p/8136#M90740 <HTML><HEAD></HEAD><BODY><P>It would be helpful if you included screenshots of your policy.</P><P>But in general, you're asking about ordered layers.</P><P>For a connection to be accepted, the packet must match an Accept rule in ALL layers.</P><P>This can either be an explicit Accept rule or an implicit one (either the layer cleanup rule OR a global property).</P><P>In a Network layer, the implicit cleanup rule is Drop.</P><P>In an Application layer (for R77.x gateways), the implicit cleanup rule is <STRONG>Accept</STRONG>.</P><P>You can change this for installation to R80+ gateways (cannot for R77.x gateways):</P><P></P><P><IMG alt="" class="image-2 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/74994_C84C9276-5D57-4A35-B415-F05C519C24D1.jpeg" /></P><P></P><P>Ping can also be allowed as a result of Global Properties (ICMP):</P><P></P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/74993_381CC25A-EF6C-4F44-BB24-65BDF58BCAF0.jpeg" /></P></BODY></HTML> Fri, 23 Nov 2018 17:04:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-layer-policies/m-p/8136#M90740 PhoneBoy 2018-11-23T17:04:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-layer-policies/m-p/8137#M90741 <HTML><HEAD></HEAD><BODY><P>Thank you very much!</P><P>You've answered my question, but I have no screenshots, because it's client's case.</P><P>So as I've understood the layers in Policy are standalone. And for a successful ping I have to take account of it.</P></BODY></HTML> Sat, 24 Nov 2018 06:02:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-layer-policies/m-p/8137#M90741 Egor_Cherkasov 2018-11-24T06:02:46Z