topic Re: Separate layers of Security Rules vs. APPC + URLF in General Topics

Separate layers of Security Rules vs. APPC + URLF

Matlu — Thu, 22 Jun 2023 22:14:51 GMT

Hello, world.

One question, when you activate the APPC + URLF modules in your Firewall Cluster, and you work these 2 blades, in a separate layer from the Firewall layer, what is the logic regarding the rules?

The security layer and the APPC+URLF layer have implicit rules that block traffic.
Is this "order" to be preserved? Or should the implicit rule of one of the layers be "varied"? ????

If I want to give permissions to an IP 192.168.1.5 to consume only certain "applications" such as "LinkedIN, Youtube, Netflix"?
This IP must have created, both a rule in the Firewall layer, and 1 rule in the APPC+URLF layer, is it correct????

The implicit rule, of the APPC+URLF layer, for good practice, as it should be after its activation, as ALLOW or DROP?

Thanks for your comments.

Re: Separate layers of Security Rules vs. APPC + URLF

PhoneBoy — Thu, 22 Jun 2023 22:43:49 GMT

When using ordered layers, an Accept rule has to be matched in every layer.
That means, yes, you will have to create a rule in both layers in your case.

Unless you're managing pre-R8x gateways, there's no real benefit to having a separate Firewall and App Control/URLF layer.
In pre-R8x gateways, the cleanup rule on the App Control ruleset was Accept.
It should only be Drop if you're certain you have rules in both layers to allow all relevant traffic.

Re: Separate layers of Security Rules vs. APPC + URLF

Matlu — Thu, 22 Jun 2023 23:28:19 GMT

Sorry, but this comment "It should only be Drop if you're certain you have rules in both layers to allow all relevant traffic", I can't interpret it well.

My environment is Clusters in R81.10 version.
The previous administrator inherited me the solution, with "separate layers".

Maybe with an example it could be clearer.
If I have an IP 192.168.100.5 and I want to give it to consume, only "LinkedIN and Youtube", I will use "LinkedIN and Youtube".

I must have a rule, in the security layer, in this sense
SRC: 192.168.100.5
DST: ANY
SERVICE: ANY

And apart a rule in APPC/URLF, almost in the same sense, except that here I will be able to specify the applications that I want.
Is this the correct way?

In this case, the implicit rule of the APPC/URLF layer, how should it go, as ALLOW or DROP?

Thank you. 🙂

Re: Separate layers of Security Rules vs. APPC + URLF

PhoneBoy — Fri, 23 Jun 2023 14:53:51 GMT

Most likely the previous administrator upgraded from an earlier release where you HAD to have a separate Firewall and App Control/URLF policy layer (i.e. R77.x gateways were being managed at some point).
While you can maintain this: policy structure if you prefer, it would be better (and simpler) to combine these policies in the long run.

In any case, you are correct: you need a rule similar to what you describe in both policies.
What you use for the default cleanup rule in the App Control policy will depend on whether you are still managing R77.x gateways or not.
The default cleanup rule MUST be Allow for App Control/URLF layers if you are managing R77.x gateways.
Otherwise, it can be Drop, but you should be fairly certain you have explicit rules defined for all traffic you wish to permit in the App Control layer.