This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Egor_Cherkasov
Contributor
‎2018-11-23 04:13 AM
Jump to solution

Access layer policies

Hello, Check Mates!

When we divide one access layer on many other layers such as Network layer, Application layer and so on, how exactly do the rules work?

For example, I have a network layer and an application one.

In the Network layer I have accept rule from the admin host in the network A to the network B (services any here) and drop rule for the source any and destination network B (services any here).

In the Application layer I have the following rules: 1 accept rule for the admin host in the network A to the network B, but  only with AD services. And the drop rule for the source any and destination network B (services any here).

The admin host can ping network B in that situation!

I thought that the rules are checking from the top to the bottom, like Cisco ACLs, but when I disabled cleanup rule from the Network layer, the ping had lost.

Eventually, I'm confused because of that. Why I have to add 2 cleanup rules, I guess that the one cleanup rule in the application layer is enough.

Thank you for your time and future assistance!

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-11-23 09:04 AM
Jump to solution

It would be helpful if you included screenshots of your policy.

But in general, you're asking about ordered layers.

For a connection to be accepted, the packet must match an Accept rule in ALL layers.

This can either be an explicit Accept rule or an implicit one (either the layer cleanup rule OR a global property).

In a Network layer, the implicit cleanup rule is Drop.

In an Application layer (for R77.x gateways), the implicit cleanup rule is Accept.

You can change this for installation to R80+ gateways (cannot for R77.x gateways):

Ping can also be allowed as a result of Global Properties (ICMP):

View solution in original post

2 Replies
PhoneBoy
Admin
Admin
‎2018-11-23 09:04 AM
Jump to solution

It would be helpful if you included screenshots of your policy.

But in general, you're asking about ordered layers.

For a connection to be accepted, the packet must match an Accept rule in ALL layers.

This can either be an explicit Accept rule or an implicit one (either the layer cleanup rule OR a global property).

In a Network layer, the implicit cleanup rule is Drop.

In an Application layer (for R77.x gateways), the implicit cleanup rule is Accept.

You can change this for installation to R80+ gateways (cannot for R77.x gateways):

Ping can also be allowed as a result of Global Properties (ICMP):

Egor_Cherkasov
Contributor
‎2018-11-23 10:02 PM
In response to PhoneBoy
Jump to solution

Thank you very much!

You've answered my question, but I have no screenshots, because it's client's case.

So as I've understood the layers in Policy are standalone. And for a successful ping I have to take account of it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events