Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Annie-CCSA
Participant

Rule matching questions

I have a question on policy matching. From the information on ...

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuid...

...I understand that :

###
for an inline layer (sub-policy), if a packet matches the parent rule, the sub-policy is applied. Meaning 2 options within that policy :

1) a match is found in the subpolicy --> do the action from that matched sub-rule (drop or accept) -->
"no more rulebase checking is done"
2) no match is found --> action from explicit Cleanup rule is executed, if there's no explicit Cleanup, the implicit Cleanup rule is executed (could also be drop or accept) -->
"no more rulebase checking is done"


###
For inspection to continue to a next ordered layer, the action must be ACCEPT.
If the action is DROP, the firewall doesn't care about possible next ordered layers.

So now the questions :

1) But what if the action from an inline layer's explicit or implicit Cleanup is ACCEPT ? What happens next ? ( when other ordered layer are configured ? ) Does inspection of lower ordered layers still happen ?

2) If you decide to use ordered layers, you better define an explicit or implicit Cleanup rule with Accept ( if not none of your next ordered layers will ever be checked ), right ?

Thanks.

0 Kudos
9 Replies
_Val_
Admin
Admin

1. Yes, inspection will continue

2. Depends on the needs

Annie-CCSA
Participant

Regarding 1 : thanks for your confirmation Sir. So after any accept action ( meaning either from a sub-policy rule with accept, or from the sub-policy Cleanup rule with an accept ) , if there's another order layer configured. The inspection proceeds to the next ordered layer ... or only if it hit a Cleanup with Accept action?

 

_Val_
Admin
Admin

Well, the action on the main rule is actually "inline layer", not accept. 
Clean-up rule in the inline layer only applies to what's matched to the main rule.
Inspection for traffic that DOES NOT match the main rule always continue, regardless of the said inline layer clean rule settings.

 

You can take it as a sub-routine with initial conditions. Of the conditions are not matched, you go to the next sub-routine.

Annie-CCSA
Participant

OK , so the statement from within the Checkpoint documentation mentioned in the topic start called ""no more rulebase checking is done", actually means no more checking is done within that layer ? And also implies a next ordered layer is being checked against ... , correct ? 

Sorry for asking so thoroughly, but is't crucial info to understand 🙂

0 Kudos
_Val_
Admin
Admin

The statement is correct, regardless of inline layer logic, actually. If we can match the first packet to a drop rule, no further matching effort is done.

It is different for accept action. You need to consider the logic of Unified policy, which assumes that the rule match may not be fully done based on a first packet, and might require application and/or content inspection decision, which require data flow to start.

Annie-CCSA
Participant

OK, so to resume :

Whenever there's a hit on rule with a drop action, it's final. 

Whenever there's an accept, the layers below are checked against also ( if they contain a drop, it's over and out, if they contain an accept it goes further down the next ordered layers etc...  )

0 Kudos
_Val_
Admin
Admin

No, it is even more interesting for accept action 🙂

Imagine you have a layer with the main rule

Rule number Source Destination Services and Applications Content Action
1 Internal Networks Internet Web Services Any Inline Layer
1.1 Any Any Gambling Category Any Drop
1.2  Any Any Any  Excel Files Drop
1.3 Any Any Streaming Services Accept Log and Accounting
1.4 Any Any Any Accept Log

 

Rule 1.4 is the cleanup for the section. 

With the first package, if we cannot guess at once that it is either 1.1 or 1.3 (depends on application), all rules 1.1 to 1.4 will be conditionally matched. As at least one of them saying "Accept", we let traffic through, because we cannot make a final match on the first packet for most of it.

Now, when the data start flowing, we can make a final match. If I am trying to upload an Excel file, it will be blocked by 1.2. If it is a regular web, we will not change final match, which is 1.4. IF we suddenly detect video service, we will re-match to 1.3.

Did I confuse you yet?

0 Kudos
Annie-CCSA
Participant

 That inline layer example actually makes perfect sense. When I mentioned 'the layers below', I had only ordered layers in mind. As you mentioned for further analysis to be possible ( after first packet ) there has to be an accept somewhere to continue investigation. 🙂

 

Got it. Thx.

_Val_
Admin
Admin

Depending on how your layered policy is built, the layered policy match may be different.

The order is:

  1. Anti-spoofing
  2. HTTPS Inspection
  3. Network Security, Application Control/URLF, Content Inspection (one line if they are used together, if layered, then after Network Security)
  4. IPS/Anti-Bot
  5. AVI
  6. Threat Extraction(Emulation

Screenshot 2020-11-09 at 11.41.45.png

For anything below 3, action on the Network Security Rule should be Accept.