Eric_Davis
Explorer

Best practices for inline layers

Hi, we're running R80.10 and would like to start cleaning up our policy, which has become cluttered and outdated. Inline layers look like they could assist in keeping things organized as we clean up the old clutter, but I can't find a lot of info about best practices for them.

Should you try to limit how many inline layers/rules you use in a policy?

Is there a preferred method for crafting the parent rule? Should it be vague and then get more particular with each inline layer rule? Or should the parent rules be crafted very specifically as well?

I've read a few of the threads here on CheckMates and any relevant SKs but was just wondering if there was any specific guidance on the best way to utilize inline layers.

16 Replies
Nick_Doropoulos
Advisor

Hi Eric,

If I were you, I would be reading up on the following:

 

  • Best Practices for Access Control Rules 
  • Unified Rule Base Cases 

 

Both sections can be found in the following link:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_SecurityManagement_AdminGuid...

I hope this helps.

PhoneBoy
Admin

I wouldn’t nest inline layers more than 3 or 4 deep. Top-Level rules should be fairly generic but there are use cases when a specific rule at the top might be useful.

Also think "reusable policies" with layers. For example, you might create a layer specific to Internet access that you want to apply in multiple policies. That would be a layer you make shared so it can easily be reused.

Martijn
Advisor

Hi,

Today we have hit the limit of 251 layers in a policy. Using more than 251 layers in the policy, we get a policy installation error with error code 1-200008.

Article sk154435 (scenario 1b) mentions the 251 limit. 

For our customer this means a redesign of the whole security policy. So be aware of this limit.

Regards, 

Martijn.

Danny
Champion

I would love to learn more about this policy design method. Is every rule using a layer?

I've never seen a security policy yet with more than just a couple layers.

Maarten_Sjouw
Champion

I also have a customer that has loads of inline layers.
They have external and internal DMZs. For each direction (in and out) the network itself is on a rule, and the rule has a layer to be more specific with hosts. Also, the external DMZ out layer has a shared sub-layer that allows all external DMZ servers to go out to a specific service.
With about 20 DMZ sets times 8 layers per DMZ set = 160, and then the additional shared layer (is this counted per occurrence in this case?).
Regards, Maarten
Martijn
Advisor

Hi,

Customer creates security rules between VLANs with inline layers. In these inline layers the rules are specified for traffic between servers in these VLANs. All inline layers end with an 'Any' 'Any' 'Drop' rule.

With this method all unwanted traffic is dropped by a 'Drop' rule in one of the inline layers without going through the whole policy before traffic is dropped. This means the clean up rule at the end is almost not used and when they see the clean up rule being hit, they know they made an error in the policy / layers.

So yes, all rules are using inline layers. With the exception of clean up, stealth and some management rules. With almost 260 rules, we hit the 251 limit.

Support mentioned the following limits regarding policies.

Limitation for NAT rules in the policy - 16384.
Limitation of the layers in the policy - 251.
Limitation of the rules in the policy - No limit.

Regards,

Martijn

Maarten_Sjouw
Champion

Oh, BTW, this is indeed exactly the idea: the end of the layer is a drop, either implicit or explicit, depending on the layer properties.
However, do keep in mind as well that once the flow is into a layer, that is also where it ends, so when you put an allow rule at the end it will allow ALL ELSE that fits the parent rule.
Regards, Maarten
Lari_Luoma
Ambassador

@Martijn Sounds very complex and not really how the layers are meant to be used.

The main purpose is to make policies more efficient and manageable.

Below are my guidelines for access control policy layers.

  • Inline layers are sub-policies
  • Use security zones as "parent" rules 
  • Use access roles to allow user access when possible
  • Add a clean-up rule after each layer (drop or accept depending on the purpose)
  • Limit the number of rules per layer to under a hundred. If you have a feeling that you should have hundreds of rules per layer, consider adding more layers instead of one very big one.
  • Make your layers shareable if you have many policies that could utilize them.
  • If you have any pre-R80.10 gateways, only ordered layers are supported.
  • Implement segregation of duties with layers if this is necessary in your organization.
    • You can give layers specific admin privileges (specific admins can be allowed access to manage only certain layer).
Martijn
Advisor

@Lari_Luoma Thanks for these tips.

Do you know if the limit of 251 is per Access Policy or per Unified Policy. Or is the type of policy not relevant?

Regards,

Martijn.

Peter_Baumann
Contributor

Do you know howto count the inline layers used in the policy?

Thanks,
Peter
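Added example (not code from this thread, from any poster, or from Check Point): a small audit script that answers the counting question above and checks the layer-design points raised earlier in the thread. It walks the rulebases the way you would fetch them from the Management API (`show access-rulebase` once for the top-level layer and once per inline layer) and reports the number of distinct inline layers versus per-occurrence references (relevant to the 251-layer figure from sk154435 and to whether a shared layer is counted once or per use, which the thread does not settle), the deepest nesting, layers with more than 100 rules, and layers whose final disposition is not a drop, i.e. a trailing Any/Any/Accept or an implicit-accept cleanup, which lets through everything the parent rule matched. The JSON shape (`rulebase`, `access-rule`, `access-section`, `inline-layer`, `implicit-cleanup-action`, an `Inner Layer` action name) is my assumption of the API output, and the policy itself is a constructed sample, not a customer's.

```python
"""Audit inline layers in a Check Point access-control policy.

Added example; not code from the CheckMates thread or from Check Point.
Assumed API shape: a "rulebase" list of "access-rule" objects (plus
"access-section" objects nesting their own "rulebase"); a rule that opens an
inline layer carries an "inline-layer" reference with "uid"/"name"; each
layer has an "implicit-cleanup-action". The policy below is constructed.
"""
from collections import Counter

ANY = [{"name": "Any"}]
WEB = [{"name": "http"}]


def rule(name, action, src=ANY, dst=ANY, svc=ANY, inline=None):
    """Build a constructed access-rule object in the assumed API shape."""
    r = {"type": "access-rule", "name": name, "action": {"name": action},
         "source": src, "destination": dst, "service": svc}
    if inline:
        r["inline-layer"] = {"uid": inline, "name": inline}
    return r


# Constructed sample policy, keyed by layer uid (here uid == name for readability).
SAMPLE_LAYERS = {
    "Network": {"name": "Network", "implicit-cleanup-action": "drop", "rulebase": [
        rule("Stealth", "Drop", dst=[{"name": "gateways"}]),
        {"type": "access-section", "name": "VLAN10 <-> VLAN20", "rulebase": [
            rule("VLAN10 -> VLAN20", "Inner Layer", src=[{"name": "vlan10"}],
                 dst=[{"name": "vlan20"}], inline="V10-V20"),
            rule("VLAN20 -> VLAN10", "Inner Layer", src=[{"name": "vlan20"}],
                 dst=[{"name": "vlan10"}], inline="V20-V10"),
        ]},
        rule("Cleanup", "Drop"),
    ]},
    "V10-V20": {"name": "V10-V20", "implicit-cleanup-action": "drop", "rulebase": [
        rule("web", "Accept", svc=WEB),
        rule("shared egress", "Inner Layer", inline="Shared-Egress"),
        rule("cleanup", "Drop"),
    ]},
    # Ends with Any/Any/Any Accept: everything the parent rule matched gets through.
    "V20-V10": {"name": "V20-V10", "implicit-cleanup-action": "drop", "rulebase": [
        rule("db", "Accept", svc=[{"name": "MySQL"}]),
        rule("shared egress", "Inner Layer", inline="Shared-Egress"),
        rule("everything else", "Accept"),
    ]},
    # No explicit cleanup and the layer's implicit action is accept: also open-ended.
    "Shared-Egress": {"name": "Shared-Egress", "implicit-cleanup-action": "accept",
                      "rulebase": [rule("ntp out", "Accept", svc=[{"name": "ntp"}])]},
}


def flatten(rulebase):
    """Yield access-rule objects in order, descending into sections."""
    for item in rulebase:
        if item.get("type") == "access-section":
            yield from flatten(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def is_catch_all(r):
    return all(r[f] == ANY for f in ("source", "destination", "service"))


def final_disposition(layer):
    """Action applied to traffic that no earlier rule in this layer matched."""
    rules = list(flatten(layer["rulebase"]))
    if rules and is_catch_all(rules[-1]):
        return rules[-1]["action"]["name"].lower()
    return layer.get("implicit-cleanup-action", "drop").lower()


def audit(layers, top_uid, max_rules=100):
    """Walk every inline layer reachable from top_uid and report the figures to check."""
    occurrences = Counter()          # layer uid -> number of parent rules referencing it
    open_ended, oversized, visited = [], [], set()
    max_depth = 0

    def walk(uid, depth):
        nonlocal max_depth
        max_depth = max(max_depth, depth)
        layer = layers[uid]
        if uid not in visited:       # per-layer checks run once, even for shared layers
            visited.add(uid)
            if final_disposition(layer) not in ("drop", "reject"):
                open_ended.append(layer["name"])
            if sum(1 for _ in flatten(layer["rulebase"])) > max_rules:
                oversized.append(layer["name"])
        for r in flatten(layer["rulebase"]):
            if "inline-layer" in r:
                occurrences[r["inline-layer"]["uid"]] += 1
                walk(r["inline-layer"]["uid"], depth + 1)

    walk(top_uid, 0)
    return {
        "inline_layers_distinct": len(occurrences),              # shared layer counted once
        "inline_layers_occurrences": sum(occurrences.values()),  # counted per parent rule
        "max_nesting_depth": max_depth,                          # top-level layer is depth 0
        "open_ended_layers": open_ended,
        "oversized_layers": oversized,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LAYERS, "Network").items():
        print(f"{key}: {value}")
```

On the sample this reports 3 distinct inline layers but 4 occurrences (Shared-Egress is referenced twice), a maximum nesting depth of 2, and flags V20-V10 and Shared-Egress as open-ended. To run it against a real policy, replace `SAMPLE_LAYERS` with the decoded responses of `show access-rulebase` for the top-level layer and each inline layer it references.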
Peter_Baumann
Contributor

xsxso
Employee Alumnus

Hi @Peter_Baumann, FYI, the link is dead.

Peter_Baumann
Contributor

George_Casper
Collaborator

Just an FYI if you have it: the Compliance Blade, last I checked, sadly doesn't evaluate in-line rules. A good example: if your App/URL policy is an in-line rule, the Compliance Blade will show 'Poor' for blocking high-risk categories even if you are blocking them. Not sure if this is even addressed in R80.30. Also, other policy auditing tools such as Nipper Studio don't evaluate or even list the child rules.

Nik_Bloemers
Advisor

In this topic there have been a few mentions of the limit of 251 inline layers (sk154435).

The new IoT protect functionality will also add many layers, according to what I've seen in a demo (see screenshot below).

What will the impact be for the 251 limit? Will this limit be removed? Will these rules count against that limit?

[screenshot: Clipboard01.jpg]

PhoneBoy
Admin

As I recall, the 251 layer limit was in early R80.x releases.
Not sure if we still have that limit in current versions.
