topic Re: Which Layer Takes Precedence? in General Topics

Which Layer Takes Precedence?

RemoteUser — Wed, 21 May 2025 13:06:00 GMT

Hi all,
I need clarification on rule evaluation when using Ordered Layers (Access Control + Application Control).

Here’s the scenario:

In the Access Control layer (e.g. rule #25), I allow traffic from 192.168.10.2 to the "Internet" object.

In the Application Control layer (e.g. rule #5), I drop traffic from the same IP to the category "Gambling or malicious site".

If 192.168.10.2 tries to access a malicious site:
My question is simple:
Which rule takes precedence?
Does the final action follow the Drop in the Application Control layer, even though Access Control allowed it?

I want to confirm if traffic must be accepted by all layers to be ultimately allowed, meaning any Drop overrides previous Accepts, correct?

Thanks in advance!

Re: Which Layer Takes Precedence?

Tal_Paz-Fridman — Wed, 21 May 2025 13:18:23 GMT

Look at this:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Ordered-Layers-and-Inline-Layers.htm

Order of Rule Enforcement in Ordered Layers

When a packet arrives at the Security Gateway, the Security Gateway checks it against the rules in the first Ordered Layer, sequentially from top to bottom, and enforces the first rule that matches a packet.

If the Action of the matching rule is Drop, the Security Gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the Security Gateway continues to check rules in the next Ordered Layer.

Re: Which Layer Takes Precedence?

RemoteUser — Wed, 21 May 2025 13:24:38 GMT

Thank you buddy