topic Re: How layered policies are matched | FW, APP, URL in General Topics

How layered policies are matched | FW, APP, URL

Firewall_Head — Thu, 27 Feb 2025 10:40:31 GMT

Hi Mates,

I was testing the layered policy approach and got confused a bit. I have created separate layers for FW and APP blade. In my admin access I have allowed SSH access to the FW but I was unable to do so.

When I checked it was hitting the cleanup in the APP layer policy, can somebody help me out with this.

1> How are the policies matched?

2> If the FW layer rule 1 allows the access then why is it coming to the APP layer.

Please help me on this!!!

====

WR,

Re: How layered policies are matched | FW, APP, URL

the_rock — Thu, 27 Feb 2025 13:14:04 GMT

Hey brother,

Remember what I said on the remote sesison about this? Traffic HAS TO match on ALL ordered layers. So say you have 2 layers and its accepted on first layer, but dropped on 2nd layer, it will not work. If you need more help, we can do another remote as well. In your case, if it is indeed 2 layers, I would do any any allow at the bottom of 2nd layer and then block whatever needed above.

1) They are match top to bottom, left to right

2) Thats how it works for layered rules, traffic has to traverse all layered rules to be accepted

https://community.checkpoint.com/t5/Partner-Community/Layered-rules-approach/m-p/242051

Andy

Re: How layered policies are matched | FW, APP, URL

the_rock — Thu, 27 Feb 2025 13:21:04 GMT

If you wish to do another quick zoom remote, Im good till 7.30 pm your time, or between 10.30-11.30

Andy

Re: How layered policies are matched | FW, APP, URL

Firewall_Head — Thu, 27 Feb 2025 14:22:54 GMT

Hi @the_rock ,

Thank you sm for the reply, let's do a remote at 10.40 PM IST.

====

WR,

Re: How layered policies are matched | FW, APP, URL

the_rock — Thu, 27 Feb 2025 14:25:11 GMT

Sounds good, will send you zoom for that time 10 mins before.

Andy

Re: How layered policies are matched | FW, APP, URL

the_rock — Thu, 27 Feb 2025 16:59:48 GMT

Sent you link directly.

Re: How layered policies are matched | FW, APP, URL

the_rock — Thu, 27 Feb 2025 17:22:15 GMT

Just to update, had quick remote with the guys and I explained that traffic has to be accepted on EVERY ordered layer and whatever is dropped on the network (1st layer), wont need to go through any other layer.

Andy

Re: How layered policies are matched | FW, APP, URL

Firewall_Head — Thu, 27 Feb 2025 17:34:04 GMT

Thank you so much Andy @the_rock !

========
WR,

Re: How layered policies are matched | FW, APP, URL

the_rock — Thu, 27 Feb 2025 17:35:43 GMT

No problem! Now that I had some garlic naan bread, I feel better, haha.

Cheers mate.

Andy

Re: How layered policies are matched | FW, APP, URL

PhoneBoy — Thu, 27 Feb 2025 17:47:27 GMT

Suggest you read the following community posts (they're older, but still relevant)

TL;DR: If you have multiple ordered layers, traffic must match an accept rule in each layer, otherwise the traffic will not pass.

Re: How layered policies are matched | FW, APP, URL

the_rock — Thu, 27 Feb 2025 18:03:16 GMT

Thats pretty much what I showed the guys in my lab, so Im 100% sure they are clear now 🙂

Andy