lmorocz
Participant

Check Point policy base conversion to inline layers

Hello All,

I've recently used the SmartMove to move rules from ASA to CP.
I saw that it puts rules automatically with inline layers.

Is there a way to do the same, like automatically grouping the rules, for an existing Check Point policy base (R80.40)?

Thanks a lot! 



Accepted Solutions
PhoneBoy
Admin

For existing Check Point policies, not aware of a tool.
We also have not published any guidelines for converting.

If you still have a legacy App Control layer, it’s easy enough to make that an inline layer either by copy paste or converting the ordered layer to an inline one.

6 Replies
Sorin_Gogean
Advisor

hey,

To make sure I understood this correctly, "Is there a way to do the same, like automatically grouping the rules, for an existing Check Point policy base (R80.40)?" - you mean you want to move existing ordered layers (R80.40 - it doesn't matter) to in-line layer format in an automated way?

As we moved from ordered to in-line layers a bit more than a year ago, I can tell you that we did that exercise manually, going over each rule line from the ordered layer policy. (We had from 40 lines to 700 lines in our old rulebase.)

By doing that we cleared the "debris" 😁 and checked once again what is allowed and what is not allowed, and other stuff like that.

Doing this exercise once every few years is a good thing in my opinion.

Ty,

lmorocz
Participant

Yes exactly, I would like to move ordered layers to be inlines.
The automatic part would be more like a guideline, then we would oversee the outcome of course.
Sorin_Gogean
Advisor

Honestly, just going through them would be the best recommended way from my side, as that is what we did before.

There are several recommendations out there that you can follow on how to sketch your in-line layer policies.

(I can search for them once again and point you to them.)

Ty,

the_rock
Champion

I did this for customers a few times with SmartMove and I can tell you that it's so much better when you have inline layers. It's more secure, traffic gets handled much faster. Here is a good example... say, for argument's sake, you have 1000 rules in your rulebase and no layers at all, inline or ordered. Well, the policy will have to be checked until the needed rule is hit, but with layers, if it does not hit what's called the "parent rule", then it won't bother checking the "child rules" inside that inline layer, it will just move to the next inline layer and so on, until it hits the right one, and if nothing matches, then it will hit the implicit cleanup rule, so traffic handling works way better that way.
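
A simplified model of the parent-rule/child-rule evaluation described in the post above, as an added example that is not part of the original thread and is not Check Point code. Rule names, addresses and the "rules checked" counter are constructed for illustration; the model assumes that once a parent rule matches, the verdict is decided inside its inline layer.

```python
# Toy first-match evaluator (constructed example, not vendor code).
# A rule is (name, src_net, dst_net, action); action is "accept", "drop",
# or a list of child rules, which models an inline layer under a parent rule.
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"

def matches(rule, src, dst):
    _, rsrc, rdst, _ = rule
    return ip_address(src) in ip_network(rsrc) and ip_address(dst) in ip_network(rdst)

def evaluate(layer, src, dst):
    """Return (verdict, matched_rule_path, rules_checked) for one connection."""
    checked = 0
    for rule in layer:
        checked += 1
        if not matches(rule, src, dst):
            continue  # parent rule missed: its child rules are never examined
        name, _, _, action = rule
        if isinstance(action, list):
            # Parent matched: the inline layer decides; no return to this layer.
            verdict, child, n = evaluate(action, src, dst)
            return verdict, f"{name}/{child}", checked + n
        return action, name, checked
    return "drop", "implicit-cleanup", checked  # nothing in this layer matched

def zone_rules(count, zone):
    # Constructed per-host accept rules for destination subnet 10.0.<zone>.0/24
    return [(f"r{zone}-{i}", ANY, f"10.0.{zone}.{i}/32", "accept")
            for i in range(1, count + 1)]

# Flat rulebase: 300 host rules followed by one cleanup rule.
FLAT = (zone_rules(100, 1) + zone_rules(100, 2) + zone_rules(100, 3)
        + [("cleanup", ANY, ANY, "drop")])

# The same rules grouped under three parent rules keyed on destination subnet,
# each inline layer ending in its own explicit cleanup rule.
LAYERED = [
    (f"to-zone{z}", ANY, f"10.0.{z}.0/24",
     zone_rules(100, z) + [(f"zone{z}-cleanup", ANY, ANY, "drop")])
    for z in (1, 2, 3)
] + [("cleanup", ANY, ANY, "drop")]

if __name__ == "__main__":
    for dst in ("10.0.3.50", "10.0.3.200", "8.8.8.8"):
        print(dst, evaluate(FLAT, "192.0.2.10", dst), evaluate(LAYERED, "192.0.2.10", dst))
```

Because a connection that matches a parent rule is decided inside that inline layer, a conversion has to check that no rule further down the old flat rulebase was meant to catch traffic the parent now captures.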

lmorocz
Participant

Thanks a lot, that's why I have not found anything! 
I've thought of a way, but I have some questions about it too, will post it as a different after some digging.