Egor_Cherkasov
Contributor

Access layer policies

Hello, Check Mates!

When we divide one access layer on many other layers such as Network layer, Application layer and so on, how exactly do the rules work?

For example, I have a network layer and an application one.

In the Network layer I have an accept rule from the admin host in network A to network B (services any here) and a drop rule for source any and destination network B (services any here).

In the Application layer I have the following rules: an accept rule for the admin host in network A to network B, but only with AD services, and a drop rule for source any and destination network B (services any here).

The admin host can ping network B in that situation!

I thought that the rules are checked from the top to the bottom, like Cisco ACLs, but when I disabled the cleanup rule in the Network layer, the ping was lost.

Eventually, I'm confused because of that. Why do I have to add 2 cleanup rules? I guess that one cleanup rule in the Application layer is enough.

Thank you for your time and future assistance!

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

It would be helpful if you included screenshots of your policy.

But in general, you're asking about ordered layers.

For a connection to be accepted, the packet must match an Accept rule in ALL layers.

This can either be an explicit Accept rule or an implicit one (either the layer cleanup rule OR a global property).

In a Network layer, the implicit cleanup rule is Drop.

In an Application layer (for R77.x gateways), the implicit cleanup rule is Accept.

You can change this for installation to R80+ gateways (cannot for R77.x gateways):

Ping can also be allowed as a result of Global Properties (ICMP):

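To make the ordered-layer semantics in the accepted answer concrete, here is a small Python model (an added example, not Check Point code and not from anyone in this thread). It assumes the behaviour described above: each layer is evaluated top to bottom, an unmatched connection falls to that layer's implicit cleanup (Drop for a Network layer, Accept for an R77.x Application layer, configurable on R80+), a connection is accepted only if every layer accepts it, and the "Accept ICMP requests" Global Property is modelled as an implied rule checked ahead of the layers. The host address, network and service names are constructed stand-ins for the question's admin host, network B and "AD services".

```python
"""Toy model of Check Point ordered-layer evaluation (added example, not Check Point code).

Simplifying assumptions:
  - A layer is evaluated top to bottom; the first matching rule decides that layer.
  - If no rule matches, the layer's implicit cleanup action applies.
  - A connection is accepted only if EVERY ordered layer accepts it.
  - The "Accept ICMP requests" Global Property is modelled as an implied rule
    evaluated before the ordered layers (simplification of the real implied-rule positions).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


def _addr_match(spec, addr):
    """spec is "any", a host address or a CIDR; addr is a single host address."""
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Rule:
    src: str          # "any", a host or a CIDR
    dst: str
    services: set     # {"any"} or a set of service names
    action: str       # "accept" or "drop"
    enabled: bool = True

    def matches(self, src, dst, service):
        return (_addr_match(self.src, src) and _addr_match(self.dst, dst)
                and (ANY in self.services or service in self.services))


@dataclass
class Layer:
    name: str
    rules: list
    implicit_cleanup: str   # action taken when no rule in this layer matches

    def evaluate(self, src, dst, service):
        for idx, rule in enumerate(self.rules, start=1):
            if rule.enabled and rule.matches(src, dst, service):
                return rule.action, f"{self.name} rule {idx}"
        return self.implicit_cleanup, f"{self.name} implicit cleanup"


def evaluate_policy(layers, src, dst, service, global_accept_icmp=False):
    """Return (verdict, reason). The verdict is accept only if all layers accept."""
    if global_accept_icmp and service == "icmp":
        return "accept", "Global Properties: Accept ICMP requests (implied rule)"
    trail = []
    for layer in layers:
        action, where = layer.evaluate(src, dst, service)
        trail.append(where)
        if action != "accept":
            return "drop", where          # one layer dropping is enough to drop
    return "accept", " -> ".join(trail)


# Constructed sample topology (not from the thread): admin host in network A, network B.
NET_A_ADMIN = "10.1.1.10"
NET_B = "10.2.0.0/16"
AD_SERVICES = {"ldap", "kerberos"}   # constructed stand-in for "AD services"


def build_layers(explicit_app_cleanup=True, app_implicit="accept"):
    """Rebuild the question's two ordered layers with optional explicit cleanup."""
    network = Layer("Network", [
        Rule(NET_A_ADMIN, NET_B, {ANY}, "accept"),
        Rule(ANY, NET_B, {ANY}, "drop"),          # explicit cleanup rule
    ], implicit_cleanup="drop")                   # Network layer default
    app_rules = [Rule(NET_A_ADMIN, NET_B, AD_SERVICES, "accept")]
    if explicit_app_cleanup:
        app_rules.append(Rule(ANY, NET_B, {ANY}, "drop"))
    # app_implicit="accept" mirrors R77.x; on R80+ it can be set to "drop"
    application = Layer("Application", app_rules, implicit_cleanup=app_implicit)
    return [network, application]


if __name__ == "__main__":
    host_b = "10.2.0.5"
    print(evaluate_policy(build_layers(), NET_A_ADMIN, host_b, "ldap"))
    print(evaluate_policy(build_layers(), "10.1.1.99", host_b, "ldap"))
    print(evaluate_policy(build_layers(), NET_A_ADMIN, host_b, "icmp"))
    print(evaluate_policy(build_layers(), NET_A_ADMIN, host_b, "icmp", global_accept_icmp=True))
    print(evaluate_policy(build_layers(explicit_app_cleanup=False), NET_A_ADMIN, host_b, "icmp"))
    print(evaluate_policy(build_layers(False, app_implicit="drop"), NET_A_ADMIN, host_b, "icmp"))
```

Running it shows why a single cleanup rule is not enough to reason about: the admin's LDAP traffic needs an Accept in both layers, a non-admin host is dropped already in the Network layer, and the admin's ping is decided by whichever of the Application layer's explicit cleanup, its implicit cleanup setting or the ICMP Global Property applies first.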

2 Replies

Egor_Cherkasov
Contributor

Thank you very much!

You've answered my question, but I have no screenshots, because it's a client's case.

So, as I've understood, the layers in the Policy are standalone, and for a successful ping I have to take that into account.

