CheckMates
Best practice using layer R80.10
Hi
I'm running an R80.10 eval management server where I have imported my 77.30 database, to train myself a bit before upgrading to R80.10. I currently have 16 firewalls around the world (including Azure and AWS) and one policy package with everything.
I'm planning to have a policy/tab for each firewall and, because there are common rules that have to be on all firewalls, I would like to use layers.
I'm struggling a bit to get my head around the do's and don'ts of using layers in R80.10.
If I have three layers in my policy, 1, 2 and 3, layers 1 and 2 shall have a cleanup rule that accepts all and layer 3 should have a cleanup rule that drops all. The packets will start with layer 1; if no match, they will go to layer 2; if no match, they will go to layer 3; if no match, they are dropped by the cleanup rule. Is this correct?
Normally if you have an any, any rule with accept it will be a hit and stop processing any more rules.
If I use Search in packet mode I only see a match in layer 1, where the cleanup rule is the last match.
Have I misunderstood something?
Is there any best practice for using layers?
Rgds
Knud Mortensen
I recommend reading through the Layers in R80 for some additional background.
Keep in mind with ordered layers, the packet must hit an "accept" rule to go to the next ordered layer.
So if a packet matches a "drop" action in layer 1 (such as a cleanup rule), it will never see the other layers.
Where ordered layers are required is when managing pre-R80 gateways.
This is because the Firewall (Access Control) rulebase must be matched before going to the App Control/URL Filtering rulebase (effectively a layer).
Once your gateways are R80.10 and above, I personally think a better approach is to use Inline Layers.
I'll show an example from my lab gateway:
You'll notice that the action column isn't the traditional Accept/Drop, but layers called Bogons, Outbound, and InboundLayer. Each one of these is an independent rulebase that I could actually reuse elsewhere if I desire.
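As an added illustration of the matching order described in this reply and in the original question (not code from the thread, and not a Check Point tool), the Python below models two toy policies: the asker's three ordered layers with accept/accept/drop cleanup rules, and an inline-layer policy in the style of the lab screenshot. The layer and rule names, the constructed packets, and the modelled behaviour that a packet unmatched inside an inline layer is dropped by that layer's implicit cleanup rather than falling through to the parent's later rules are all assumptions of the example.

```python
"""Toy simulator for R80-style Access Control layers (added example).

Ordered layers: a packet must be accepted in every layer to be accepted;
a drop in any layer is final and later layers are never evaluated.
Inline layer: the parent rule's match hands the packet to a sub-rulebase
whose own cleanup decides (assumed: no fall-through to the parent's
remaining rules when nothing in the inline layer matches).
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "any"


@dataclass
class Packet:
    src: str
    dst: str
    service: str


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: Union[str, "Layer"]  # "accept", "drop", or an inline Layer

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src, pkt.src), (self.dst, pkt.dst), (self.service, pkt.service))
        return all(want == ANY or want == have for want, have in pairs)


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = "drop"  # assumed default when nothing matches

    def evaluate(self, pkt: Packet, trail: List[str]) -> str:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if isinstance(rule.action, Layer):
                # Inline layer: matching the parent rule commits the packet to the sub-rulebase.
                trail.append(f"{self.name}:{rule.name} -> inline {rule.action.name}")
                return rule.action.evaluate(pkt, trail)
            trail.append(f"{self.name}:{rule.name} -> {rule.action}")
            return rule.action
        trail.append(f"{self.name}:<implicit cleanup> -> {self.implicit_cleanup}")
        return self.implicit_cleanup


def decide(layers: List[Layer], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk ordered layers; stop at the first drop, accept only if every layer accepts."""
    trail: List[str] = []
    for layer in layers:
        if layer.evaluate(pkt, trail) == "drop":
            return "drop", trail
    return "accept", trail


def build_op_policy() -> List[Layer]:
    """The asker's scenario: cleanup accept, cleanup accept, cleanup drop (constructed names)."""
    layer1 = Layer("Layer1-Global", [
        Rule("block-telnet", ANY, ANY, "telnet", "drop"),
        Rule("cleanup", ANY, ANY, ANY, "accept"),
    ])
    layer2 = Layer("Layer2-Region", [Rule("cleanup", ANY, ANY, ANY, "accept")])
    layer3 = Layer("Layer3-Site", [
        Rule("web", ANY, "web-srv", "https", "accept"),
        Rule("cleanup", ANY, ANY, ANY, "drop"),
    ])
    return [layer1, layer2, layer3]


def build_inline_policy() -> List[Layer]:
    """One parent layer whose 'inbound' rule points at an inline layer (constructed names)."""
    inbound = Layer("InboundLayer", [
        Rule("web", ANY, "web-srv", "https", "accept"),
        Rule("cleanup", ANY, ANY, ANY, "drop"),
    ])
    parent = Layer("Network", [
        Rule("inbound", ANY, "web-srv", ANY, inbound),
        Rule("mgmt", "admin", ANY, "ssh", "accept"),  # never reached for web-srv traffic
        Rule("cleanup", ANY, ANY, ANY, "drop"),
    ])
    return [parent]


if __name__ == "__main__":
    # Constructed sample traffic for the demonstration.
    for pkt in (Packet("client", "web-srv", "https"),
                Packet("admin", "web-srv", "ssh"),
                Packet("client", "web-srv", "telnet")):
        for label, policy in (("ordered", build_op_policy()), ("inline", build_inline_policy())):
            verdict, trail = decide(policy, pkt)
            print(f"{label:7} {pkt.service:6} -> {verdict:6} via {' | '.join(trail)}")
```

The ssh packet is the instructive one: in the ordered policy the accept-any cleanup in layer 1 does not end matching, the packet is still evaluated by layers 2 and 3 and is dropped by layer 3's cleanup, while the telnet packet dropped in layer 1 never reaches the other layers. In the inline version the parent rule's match commits the packet to InboundLayer, so the later parent rule that would have accepted admin ssh is never consulted.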
A series of articles will be posted soon!
Please follow articles posted under this tag: layers-best-practices
Tomer, that would be good advice if the community had an interface to do so. I personally cannot find any way to do so.
I didn't think of that part all the way through; we will check how the CheckMates interface can help us with that. https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc
RSS feed, which I know https://community.checkpoint.com/people/valerdd022dbd-e3ef-33cc-ac9c-4ac6f9e1743d knows how to use.
That gets a few more things than the tag (it's a general search term).
That said https://community.checkpoint.com/content will give you all the content on the site.
Oh, come on, https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc, add a search-by-tag feature. You do not expect people to start fiddling with RSS just to find a particular tag, right?
Better to browse using this link: https://community.checkpoint.com/tags/#/?tags=layers-best-practices
You can see the most commonly used tags (and browse related content) here: https://community.checkpoint.com/tags
I was thinking you were looking for notifications, https://community.checkpoint.com/people/valerdd022dbd-e3ef-33cc-ac9c-4ac6f9e1743d, which is why I suggested an RSS link.
That's what happens when I post when my caffeine levels are inadequate.
Thanks for the link. My point was, please make it a shortcut in the menu bar for easier navigation.
I'm still trying to build a lot of the stuff like that.
Thanks for the suggestion.
I now have a whole section for it.
When https://community.checkpoint.com/people/tomera5b2e7f3-09aa-32f8-96c2-f0f5bfa2988b (or anyone else) tags a discussion/doc/whatever with layers-best-practices it will show on the right sidebar.