topic Re: Nested layers in Firewall and Security Management

Nested layers

Harald_Hansen — Tue, 13 Nov 2018 14:55:42 GMT

I've been working with R80.10 MDS rule bases for a while. Today I was testing out the new ordered layer rule base in SmartCenter R80.10 and tried to implement something close to "global rules". My expectations were that the firewall would evaluate one layer after the other, also nested, in stead it is evaluating the policy in ordered parallell.

Will Check Point support nested layers in the future? I think this is the way most engineers would expect the ordered layer should actually work.

Re: Nested layers

PhoneBoy — Thu, 15 Nov 2018 18:09:26 GMT

Can you provide a concrete example of what you're trying to accomplish that you don't believe the current model supports?

Re: Nested layers

Harald_Hansen — Thu, 15 Nov 2018 18:54:56 GMT

Just a simple way of converting a MDS ruleset to SmartCenter is not supported. This would be the perfect way of using ordered layers if they were behaving in a way one would expect.

Layer one (Like MDS global ruleset above domain rules):

Firewall rules (like stealth rules)
Access to domain services etc

Layer two:

Local ruleset for this policy

Layer three (Like MDS global ruleset below domain rules):

Global access rules
Global drop rules

Re: Nested layers

PhoneBoy — Thu, 15 Nov 2018 19:12:22 GMT

To get to Layer 2, the packet must hit an Accept rule in Layer 1.

This can be an implicit rule, which can be configured on a per-layer basis.

Or, of course, it can hit an explicit accept rule.

Help me understand why this isn’t a workable solution?

Re: Nested layers

Harald_Hansen — Thu, 15 Nov 2018 19:16:51 GMT

Because if you have a drop rule in the last policy the packet won't be accepted, even if it is accepted in a previous policy.

Re: Nested layers

PhoneBoy — Thu, 15 Nov 2018 19:50:53 GMT

Yes, this is now it currently works: a packet must hit an accept rule in ALL ordered layers.

In the case of MDS Global rules, they are basically joined to the local ruleset, so it’s evaluated as one ruleset, not three.

Re: Nested layers

Harald_Hansen — Thu, 15 Nov 2018 20:22:38 GMT

Exactly. This is why we need nested layers.

As it is I cannot use ordered layers to create smart and useful policies. I can understand why the design is as is, though in the real world we need it the other way.

To me, both inline and ordered layers have significant limitations that reduce the usability of either. I cry at the wasted opportunity.

Re: Nested layers

PhoneBoy — Fri, 16 Nov 2018 00:43:51 GMT

It seems to me you could achieve the desired result with Layer 3 in your example above by using an inline layer to represent it in Layer 2.

Specifically the last rule would have Source Any Destination Any as the last rule with action of Layer 3.

This would eliminate the problem of “must match an accept rule in Layer 3” as that layer would be entirely skipped If it matches any other rule in Layer 2.

Maybe less elegant than you’re thinking, but seems like it should achieve the desired result.

Re: Nested layers

Harald_Hansen — Fri, 16 Nov 2018 08:44:44 GMT

Yes, that's a good idea. I have experimented a bit with this regarding the stealth rules, but didn't think of using it for the entire policy.