This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tobias_Moritz
Advisor
‎2021-11-29 08:00 AM
Jump to solution

Inline Layer with APPL-only does also handle Firewall-Layer rules

Hello Community,

I recently saw a working environment, where an Inline Layer was used which had only one blade active: Application Control & URL Filtering. The firewall blade was not enabled on that layer.

In this layer, there were multiple rules. Most of them used Application Objects in Services & Application Column, but not all.

There were multiple rules in that layer, that are clearly a job for plain firewall blade:

  • Src: Host object (static)
  • Dst: Network object (static)
  • Service: custom tcp-object with some high port. No protocol selected in that service.
  • Action: Accept
  • Track: Log

These rules are working normally. They have matches like they should.

 

Now the question(s):

Is this a supported setup and working correctly by design?

Or is the customer just lucky that it works this way at the moment and I should tell him to enable firewall blade in that layer?

Any performance penalties?

 

Environment:

Gateway: R80.40 JHF T120

Management: R80.40 JHF T120

SmartConsole R80.40 Build 994000424

 

Thank you for your ideas 🙂

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2021-12-05 11:37 AM
Jump to solution

The Firewall checkbox in the layer's properties seems to be purely superficial and is only there to add the icon in the layer's content. I suggest CP would remove the checkbox and pre-populate each layer with the firewall icon in situations where this statement is true.

Cloning the policy containing Firewall+APCL/URLF+Content Awareness and unchecking the Firewall does not affect functionality.

As per my offline discussion on this subject with @Timothy_Hall , he has suggested calling the firewall functionality in APCL/URLF layers as "inferred" whereas I may suggest "inherent".

View solution in original post

5 Replies
_Val_
Admin
Admin
‎2021-12-01 09:34 AM
Jump to solution

I believe FW layer should be enabled there.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-12-01 07:04 PM
In response to _Val_
Jump to solution

It should be, yes, but I think even if you don't explicitly enable it, basic firewall rules will still work by design.

the_rock
MVP Platinum
MVP Platinum
‎2021-12-01 08:12 PM
Jump to solution

I believe thats expected behavior if you have rule like that...I also saw that with couple customers before.

Best,
Andy
0 Kudos
Vladimir
Champion
Champion
‎2021-12-05 11:37 AM
Jump to solution

The Firewall checkbox in the layer's properties seems to be purely superficial and is only there to add the icon in the layer's content. I suggest CP would remove the checkbox and pre-populate each layer with the firewall icon in situations where this statement is true.

Cloning the policy containing Firewall+APCL/URLF+Content Awareness and unchecking the Firewall does not affect functionality.

As per my offline discussion on this subject with @Timothy_Hall , he has suggested calling the firewall functionality in APCL/URLF layers as "inferred" whereas I may suggest "inherent".

PhoneBoy
Admin
Admin
‎2021-12-05 06:56 PM
In response to Vladimir
Jump to solution

If you actually think about this, it kinda makes sense that firewall rules still work in layers where it isn't specifically enabled.
You may need to exclude certain network segments from the advanced inspection done in these other blades.
The only way to do this...with firewall rules.
That said, I agree it could be represented better in the UI. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events