Tobias_Moritz
Advisor

Inline Layer with APPL only also handles Firewall-Layer rules

Hello Community,

I recently saw a working environment, where an Inline Layer was used which had only one blade active: Application Control & URL Filtering. The firewall blade was not enabled on that layer.

In this layer, there were multiple rules. Most of them used Application Objects in the Services & Applications column, but not all.

There were multiple rules in that layer that are clearly a job for the plain firewall blade:

  • Src: Host object (static)
  • Dst: Network object (static)
  • Service: custom tcp-object with some high port. No protocol selected in that service.
  • Action: Accept
  • Track: Log

These rules are working normally. They have matches as they should.

Now the question(s):

Is this a supported setup and working correctly by design?

Or is the customer just lucky that it works this way at the moment and I should tell him to enable firewall blade in that layer?

Any performance penalties?

Environment:

Gateway: R80.40 JHF T120

Management: R80.40 JHF T120

SmartConsole R80.40 Build 994000424

Thank you for your ideas 🙂

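To find layers like the one described above (Firewall blade unchecked, but rules that only plain service objects can match), here is an added audit script that is not part of this thread. It assumes the JSON shape returned by the Management API commands `show-access-layer` (blade flags such as `firewall` and `applications-and-url-filtering`) and `show-access-rulebase` (a `rulebase` list plus an `objects-dictionary` of referenced objects); the sample data is constructed to mirror the poster's layer.

```python
"""Audit an access layer for 'inherent' firewall rules.

Added example, not from the thread or from Check Point. The JSON shapes are
assumed from the Management API (show-access-layer / show-access-rulebase);
the sample layer and rulebase below are constructed, not captured.
"""
from typing import Dict, Iterator, List

# Service-object types that only the Firewall blade understands.
# application-site / application-site-group are APCL/URLF objects.
PLAIN_SERVICE_TYPES = {"service-tcp", "service-udp", "service-icmp",
                       "service-other", "service-group"}

# Constructed: what show-access-layer might return for the poster's layer.
LAYER = {"name": "Inline_APCL", "type": "access-layer",
         "firewall": False, "applications-and-url-filtering": True,
         "content-awareness": False}

# Constructed: what show-access-rulebase might return (standard detail level,
# object references are uids resolved through objects-dictionary).
RULEBASE = {
    "rulebase": [
        {"name": "Allow Web", "type": "access-rule", "service": ["app-1"]},
        {"name": "Section A", "type": "access-section", "rulebase": [
            {"name": "Mgmt high port", "type": "access-rule",
             "service": ["tcp-1"]},
        ]},
    ],
    "objects-dictionary": [
        {"uid": "app-1", "name": "Facebook", "type": "application-site"},
        {"uid": "tcp-1", "name": "tcp_31337", "type": "service-tcp"},
    ],
}


def _rules(items: List[Dict]) -> Iterator[Dict]:
    """Yield access-rule entries, descending into access-section blocks."""
    for item in items:
        if item.get("type") == "access-section":
            yield from _rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def plain_fw_rules(layer: Dict, rulebase: Dict) -> List[str]:
    """Names of rules whose service column carries Firewall-only objects in a
    layer with the Firewall checkbox off; empty when the blade is enabled."""
    if layer.get("firewall", False):
        return []
    types = {o["uid"]: o["type"] for o in rulebase["objects-dictionary"]}
    return [r["name"] for r in _rules(rulebase["rulebase"])
            if {types.get(u, "") for u in r.get("service", [])}
            & PLAIN_SERVICE_TYPES]
```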

Accepted Solutions
Vladimir
Champion

The Firewall checkbox in the layer's properties seems to be purely superficial and is only there to add the icon in the layer's content. I suggest CP remove the checkbox and pre-populate each layer with the firewall icon in situations where this statement is true.

Cloning the policy containing Firewall+APCL/URLF+Content Awareness and unchecking the Firewall does not affect functionality.

As per my offline discussion on this subject with @Timothy_Hall, he has suggested calling the firewall functionality in APCL/URLF layers "inferred", whereas I may suggest "inherent".

5 Replies
_Val_
Admin

I believe FW layer should be enabled there.

PhoneBoy
Admin

It should be, yes, but I think even if you don't explicitly enable it, basic firewall rules will still work by design.

the_rock
Champion

I believe that's expected behavior if you have a rule like that... I also saw that with a couple of customers before.

PhoneBoy
Admin

If you actually think about this, it kinda makes sense that firewall rules still work in layers where it isn't specifically enabled.
You may need to exclude certain network segments from the advanced inspection done in these other blades.
The only way to do this...with firewall rules.
That said, I agree it could be represented better in the UI.
