topic Re: Inline Layer with APPL-only does also handle Firewall-Layer rules in General Topics

Inline Layer with APPL-only does also handle Firewall-Layer rules

Tobias_Moritz — Mon, 29 Nov 2021 16:00:47 GMT

Hello Community,

I recently saw a working environment, where an Inline Layer was used which had only one blade active: Application Control & URL Filtering. The firewall blade was not enabled on that layer.

In this layer, there were multiple rules. Most of them used Application Objects in Services & Application Column, but not all.

There were multiple rules in that layer, that are clearly a job for plain firewall blade:

Src: Host object (static)
Dst: Network object (static)
Service: custom tcp-object with some high port. No protocol selected in that service.
Action: Accept
Track: Log

These rules are working normally. They have matches like they should.

Now the question(s):

Is this a supported setup and working correctly by design?

Or is the customer just lucky that it works this way at the moment and I should tell him to enable firewall blade in that layer?

Any performance penalties?

Environment:

Gateway: R80.40 JHF T120

Management: R80.40 JHF T120

SmartConsole R80.40 Build 994000424

Thank you for your ideas 🙂

Re: Inline Layer with APPL-only does also handle Firewall-Layer rules

_Val_ — Wed, 01 Dec 2021 17:34:41 GMT

I believe FW layer should be enabled there.

Re: Inline Layer with APPL-only does also handle Firewall-Layer rules

PhoneBoy — Thu, 02 Dec 2021 03:04:35 GMT

It should be, yes, but I think even if you don't explicitly enable it, basic firewall rules will still work by design.

Re: Inline Layer with APPL-only does also handle Firewall-Layer rules

the_rock — Thu, 02 Dec 2021 04:12:24 GMT

I believe thats expected behavior if you have rule like that...I also saw that with couple customers before.

Re: Inline Layer with APPL-only does also handle Firewall-Layer rules

Vladimir — Sun, 05 Dec 2021 19:37:41 GMT

The Firewall checkbox in the layer's properties seems to be purely superficial and is only there to add the icon in the layer's content. I suggest CP would remove the checkbox and pre-populate each layer with the firewall icon in situations where this statement is true.

Cloning the policy containing Firewall+APCL/URLF+Content Awareness and unchecking the Firewall does not affect functionality.

As per my offline discussion on this subject with @Timothy_Hall , he has suggested calling the firewall functionality in APCL/URLF layers as "inferred" whereas I may suggest "inherent".

Re: Inline Layer with APPL-only does also handle Firewall-Layer rules

PhoneBoy — Mon, 06 Dec 2021 02:56:12 GMT

If you actually think about this, it kinda makes sense that firewall rules still work in layers where it isn't specifically enabled.
You may need to exclude certain network segments from the advanced inspection done in these other blades.
The only way to do this...with firewall rules.
That said, I agree it could be represented better in the UI.