This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Firewall_Head
Explorer
‎2025-02-27 02:40 AM
Jump to solution

How layered policies are matched | FW, APP, URL

Hi Mates,

I was testing the layered policy approach and got confused a bit. I have created separate layers for FW and APP blade. In my admin access I have allowed SSH access to the FW but I was unable to do so.

When I checked it was hitting the cleanup in the APP layer policy, can somebody help me out with this.

1> How are the policies matched?

2> If the FW layer rule 1 allows the access then why is it coming to the APP layer.

Please help me on this!!!

====

WR,

FH

0 Kudos
2 Solutions

Accepted Solutions
the_rock
Legend
Legend
‎2025-02-27 05:10 AM
Jump to solution

Hey brother,

Remember what I said on the remote sesison about this? Traffic HAS TO match on ALL ordered layers. So say you have 2 layers and its accepted on first layer, but dropped on 2nd layer, it will not work. If you need more help, we can do another remote as well. In your case, if it is indeed 2 layers, I would do any any allow at the bottom of 2nd layer  and then block whatever needed above.

1) They are match top to bottom, left to right

2) Thats how it works for layered rules, traffic has to traverse all layered rules to be accepted

https://community.checkpoint.com/t5/Partner-Community/Layered-rules-approach/m-p/242051

Andy

 

 

View solution in original post

Preview file
594 KB
PhoneBoy
Admin
Admin
‎2025-02-27 09:47 AM
Jump to solution

Suggest you read the following community posts (they're older, but still relevant)

TL;DR: If you have multiple ordered layers, traffic must match an accept rule in each layer, otherwise the traffic will not pass.

View solution in original post

(1)
10 Replies
the_rock
Legend
Legend
‎2025-02-27 05:10 AM
Jump to solution

Hey brother,

Remember what I said on the remote sesison about this? Traffic HAS TO match on ALL ordered layers. So say you have 2 layers and its accepted on first layer, but dropped on 2nd layer, it will not work. If you need more help, we can do another remote as well. In your case, if it is indeed 2 layers, I would do any any allow at the bottom of 2nd layer  and then block whatever needed above.

1) They are match top to bottom, left to right

2) Thats how it works for layered rules, traffic has to traverse all layered rules to be accepted

https://community.checkpoint.com/t5/Partner-Community/Layered-rules-approach/m-p/242051

Andy

 

 

Preview file
594 KB
the_rock
Legend
Legend
‎2025-02-27 05:21 AM
Jump to solution

If you wish to do another quick zoom remote, Im good till 7.30 pm your time, or between 10.30-11.30

Andy

0 Kudos
Firewall_Head
Explorer
‎2025-02-27 06:22 AM
In response to the_rock
Jump to solution

Hi @the_rock ,

Thank you sm for the reply, let's do a remote at 10.40 PM IST.

====

WR,

FH

0 Kudos
the_rock
Legend
Legend
‎2025-02-27 06:25 AM
In response to Firewall_Head
Jump to solution

Sounds good, will send you zoom for that time 10 mins before.

Andy

the_rock
Legend
Legend
‎2025-02-27 08:59 AM
In response to Firewall_Head
Jump to solution

Sent you link directly.

0 Kudos
the_rock
Legend
Legend
‎2025-02-27 09:22 AM
Jump to solution

Just to update, had quick remote with the guys and I explained that traffic has to be accepted on EVERY ordered layer and whatever is dropped on the network (1st layer), wont need to go through any other layer.

Andy

Firewall_Head
Explorer
‎2025-02-27 09:34 AM
In response to the_rock
Jump to solution

Thank you so much Andy @the_rock  !

========
WR,

FH

(1)
the_rock
Legend
Legend
‎2025-02-27 09:35 AM
In response to Firewall_Head
Jump to solution

No problem! Now that I had some garlic naan bread, I feel better, haha.

Cheers mate.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-27 09:47 AM
Jump to solution

Suggest you read the following community posts (they're older, but still relevant)

TL;DR: If you have multiple ordered layers, traffic must match an accept rule in each layer, otherwise the traffic will not pass.

(1)
the_rock
Legend
Legend
‎2025-02-27 10:03 AM
In response to PhoneBoy
Jump to solution

Thats pretty much what I showed the guys in my lab, so Im 100% sure they are clear now 🙂

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events