Re: Inline layer for web traffic

Antonis_Hassiot · ‎2021-02-01

Hi there,

I wanted to start using inline layers.

I am trying to the think how I would edit my user->internet web traffic as this would be the heaviest rule in the rulebase.

I have AC/URL, CA, ThreatPrevention (AV, AB and IPS) and HTTPs inspection blades on R80.30.

I currently have several rules that apply to all my users in AC/URLF and TP.

Would I create an inline layer with Firewall enabled and then sub-layers for each of the blades above? Should I go just one deep when creating these layers or layers within layers? Most of my rules apply to all users.

I created a Content Awareness layer in my rulebase to test and although it works ok, when I try to add extra rules with source/destination Any (parent rule has all my user networks as source) the policy installation throws an error as it doesn't like Any in the source or destination on more than one rules in the layer.

Moreover, I noted that the packets are inspected by my ordered layers irrespective of the fact that I have a catch all rule in the inline layer. Is this expected?

A.

PhoneBoy · ‎2021-02-01

If you have multiple ordered layers, traffic must hit an accept rule in each ordered layer to pass.
If traffic matches a parent rule for an inline layer, the traffic must match a rule in the inline layer to pass (in addition to other ordered layers).
Inline layers have their own “implicit allow/block” setting.

You can nest inline layers in inline layers, though I believe there are issues going more than a few layers deep and/or using too many layers in a policy.

Antonis_Hassiot · ‎2021-02-01

Thanks. What about source and destination being Any in the child rules? For instance I want my user traffic to go through the AC/URLF blade, so I create an AC inline layer with multiple rules. Can I have source and destination Any for these rules, or is this not meant to be? Am I supposed to do this a different way?

Maik · ‎2021-02-01

Try to use the "Internet" object as the destination for Application Control & URL Filtering rules.

More best practices and generel advices can be obtained from here.

PhoneBoy · ‎2021-02-02

Source Any Destination Any rules tend to be used for cleanup rules (at the end).
You should be using "Internet" as the Destination unless these are custom resources for internal sites where "any" shouldn't be used either.

Harj · ‎2022-02-22

Hi Phoneboy,

Just checked my inline layers and noticed that the top level rule is being hit opposed to a rule lower down in the inline layer policy, are there any checks or changes I can make to avoid this happening?

the_rock · ‎2022-02-22

Could you please send a screenshot of this and circle which rule is hit and which one should be hit, so we can give you better suggestion? The reason I say this is because you would have say parent rule in inline layer, which goes down to "child" rule if its hit or explicit clean up rule at the bottom of inline layer, but you can also have sub-inline layers inside the actual inline layers that are part of ordered layer.

Andy

Best,
Andy
"Have a great day and if its not, change it"

Harj · ‎2022-02-22

Hi Andy,

Tried sending you a message however seems to of reached my limit for today

AaronCP · ‎2022-02-22

Hey @the_rock,

I've been working with @Harj on this. Do you mind if I DM you the screenshots? I think Harj has tried, but doesn't seem to be able to DM you.

Thanks,

Aaron.

the_rock · ‎2022-02-22

Yes, just send them to me directly. I will send you my email, so you can also email them to me. I want to see what seems to be the problem here...

Best,
Andy
"Have a great day and if its not, change it"

Are you a member of CheckMates?

Inline layer for web traffic