topic Re: Using inline layers together with zone pairs in SmartMove

Using inline layers together with zone pairs

Markus_Marquard — Wed, 23 Jun 2021 04:55:32 GMT

One of the things which were very different from other vendor's firewall when we changed to Checkpoint was the absence of interface(s) in the firewall policy.

Now as Checkpoint introduced network zones and also inline-layers in the policy, isn't it possible to use some kind of template to have similar behavior? Here an example how it could look like for three zone pairs (internal->internet, internal->dmz-public, internal->dmz-private), without actual rules, but I think you get the point:

Then you would add the specific rules in the inline-layers. I see many advantages using this kind of template:

If you make an error in a rule, only the inline-sublayer (so traffic between those specific zones) will be affected, not the complete firewall
The firewall engine don't has to check unnecessary rules if zone doesn't match
Delegate policy administration for a specific zone pair
etc.

Is there any reason against doing like this from Checkpoint architecture point of view?

Re: Using inline layers together with zone pairs

Tomer_Sole — Sun, 27 May 2018 06:16:46 GMT

Yes, this is a valid use-case for Inline Layers. It is supported.

I want to point out 2 things:

1. In case you have 2 interfaces from 2 different gateways that are linked to the same Security Zone, you still need to create a rule from and to the same zone to allow that traffic.

2. With Check Point you don't have to use Gateway Interface objects (aka Security Zones) to create Network Segmentation with Inline Layers. You can use any network object that you like. So while security zone parent rules for inline layers works completely, you don't have to create another gateway interface every time you want to place traffic to a separate inline layer. You can just use the object that represents the network.

Re: Using inline layers together with zone pairs

Robert_Decker — Tue, 29 May 2018 11:07:32 GMT

This is exactly the approach implemented by our SmartMove tool, when migrating Juniper SRX and Cisco ASA policies into Check Point R80.10 Management.

Robert.

Re: Using inline layers together with zone pairs

alexgnunez2 — Thu, 26 Mar 2026 21:38:06 GMT

That's a great conclusion. I'm doing a quick review of all the threads on Ordered vs. Inlayer. I'm going to switch from Ordered to Inlayer based on what you said, especially if your networking team doesn't provide all the network information.

For newcomers who come across this, keep this in mind: https://support.checkpoint.com/results/sk/sk184176