johnnyringo
Contributor

Firewall Policy Layers & Implicit Cleanup Actions

I'm working to create policies that utilize layers, so that some layers can be shared to multiple policies.  My breakdown is as follows:

  1. The first layer contains rules related to management (SNMP, SSH, etc) and be included in all policies
  2. The second layer has more specific rules related to the business unit and be included in some policies
  3. The third layer has very specific rules related to a particular service/data center etc and be included in a single policy

I've built the layers but noticed that if I set any of the layers to "Implicit cleanup action = Drop", it results in only the rules for that layer working, with all other traffic getting dropped. I can fix that by setting all layers to "Accept", but this results in the firewall policy allowing all traffic, which of course I don't want.

What is the solution to this problem?   I would think that having "Accept" on the first two rules and then "Drop" on the last rule would do the trick, but perhaps I'm not understanding how multiple layers get processed.

Running R80.30 Take 219 on both the gateways and the network policy management server.

0 Kudos
4 Replies
Sigbjorn
Advisor

It sounds like you're attempting to use a layered policy, in which case it does not work in the fashion you're attempting to configure it.

When using layered policies, all layers need to accept the traffic. This is like the "old" policy with a Network layer and an Application layer.

You should read up on inline layers; then you can have a layer that processes the traffic somewhat like you describe, but you should note that you need a rule that sends traffic to an inline layer, and once the traffic is passed to that inline layer, it will not return to the original policy or other inline layers.

0 Kudos
johnnyringo
Contributor

Thanks for the reply.  In the other threads I see mention of "Inline Layers" but am not understanding how these differ from regular layers.

0 Kudos
Sigbjorn
Advisor

Very short summary of the inline layers:

On any given rule, you can select a new layer as an action instead of Accept/Drop. If you do, that policy is done evaluating the traffic, and it's handed off to the new inline layer to make a decision.

Here's an example where all traffic from Net_10.10.0.0 to Net_10.155.3.0 will be processed by the inline layer MgmtLayer; this layer will in turn only accept ssh traffic and drop the rest. Once the traffic is handed over to the inline layer, it will not proceed with the rest of the main policy, so in this example Rule 6 will fail the verification process as it's hidden by Rule 3.

[screenshot: cpinline.PNG]

I would suggest reading a little in the admin guide for better explanations.

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SecurityManagement_AdminGuid...
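The two evaluation orders discussed in this thread (ordered layers, where every layer must accept the connection and a "Drop" cleanup in any one layer drops everything that layer does not explicitly allow, versus an inline layer that takes over and never returns to the parent) can be modelled in a few dozen lines. The following is an added illustration, not Check Point code and not taken from the admin guide; the networks, rule names, services and the hidden-rule check are constructed to mirror the scenario above, and the check for a hidden rule is a simplified version of what the policy verifier does.

```python
"""Toy model of ordered firewall layers versus an inline layer (constructed example).

Semantics modelled:
  * Ordered layers: a connection is accepted only if every layer accepts it; within a
    layer the first matching rule decides, and a layer with no matching rule applies
    its implicit cleanup action.
  * Inline layer: a rule whose action is another Layer hands the connection to that
    layer, and the rest of the parent layer is never consulted.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Union

ANY = "Any"


def _covers(outer: str, inner: str) -> bool:
    """True if field value 'outer' matches everything that 'inner' matches."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    try:
        return ip_network(inner).subnet_of(ip_network(outer))
    except ValueError:           # not CIDRs: service names compare literally
        return outer == inner


def _matches(field_value: str, actual: str) -> bool:
    """Match one rule field (CIDR or service name) against a connection attribute."""
    if field_value == ANY:
        return True
    try:
        return ip_address(actual) in ip_network(field_value)
    except ValueError:           # service name rather than an address
        return field_value == actual


@dataclass
class Rule:
    name: str
    src: str                     # CIDR or ANY (constructed values)
    dst: str
    service: str                 # e.g. "ssh", "http" or ANY
    action: Union[str, "Layer"]  # "Accept", "Drop" or an inline Layer

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (_matches(self.src, src) and _matches(self.dst, dst)
                and _matches(self.service, service))


@dataclass
class Layer:
    name: str
    rules: List[Rule] = field(default_factory=list)
    implicit_cleanup: str = "Drop"

    def evaluate(self, src: str, dst: str, service: str) -> str:
        for rule in self.rules:
            if rule.matches(src, dst, service):
                if isinstance(rule.action, Layer):   # hand-off: no return to this layer
                    return rule.action.evaluate(src, dst, service)
                return rule.action
        return self.implicit_cleanup


def evaluate_policy(layers: List[Layer], src: str, dst: str, service: str) -> str:
    """Ordered layers: accepted only if every layer returns Accept."""
    return "Accept" if all(l.evaluate(src, dst, service) == "Accept" for l in layers) else "Drop"


def shadowed_rules(layer: Layer) -> List[str]:
    """Names of rules no connection can reach because an earlier rule covers every field."""
    hidden = []
    for i, later in enumerate(layer.rules):
        for earlier in layer.rules[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and _covers(earlier.service, later.service)):
                hidden.append(later.name)
                break
    return hidden


def ordered_policy(mgmt_cleanup: str, bu_cleanup: str, dc_cleanup: str) -> List[Layer]:
    """The three ordered layers from the question, with a cleanup action per layer."""
    mgmt = Layer("Management", [
        Rule("allow-ssh", "10.10.0.0/16", "10.155.3.0/24", "ssh", "Accept"),
        Rule("allow-snmp", "10.10.0.0/16", "10.155.3.0/24", "snmp", "Accept"),
    ], mgmt_cleanup)
    bu = Layer("BusinessUnit", [
        Rule("allow-http", "10.10.0.0/16", "10.200.0.0/16", "http", "Accept"),
    ], bu_cleanup)
    dc = Layer("DataCenter", [
        Rule("allow-db", "10.200.0.0/16", "10.200.50.0/24", "mysql", "Accept"),
    ], dc_cleanup)
    return [mgmt, bu, dc]


def inline_policy() -> Layer:
    """One ordered layer whose rule 3 hands management traffic to an inline layer."""
    mgmt_inline = Layer("MgmtLayer", [Rule("ssh-only", ANY, ANY, "ssh", "Accept")], "Drop")
    return Layer("Network", [
        Rule("3 to-MgmtLayer", "10.10.0.0/16", "10.155.3.0/24", ANY, mgmt_inline),
        Rule("4 web", "10.10.0.0/16", "10.200.0.0/16", "http", "Accept"),
        Rule("6 never-reached", "10.10.0.0/16", "10.155.3.0/24", "http", "Accept"),
    ], "Drop")


if __name__ == "__main__":
    layers = ordered_policy("Drop", "Accept", "Accept")
    print("ordered, Management cleanup=Drop, http to BU net:",
          evaluate_policy(layers, "10.10.1.5", "10.200.1.1", "http"))
    layers = ordered_policy("Accept", "Accept", "Accept")
    print("ordered, all cleanups Accept, telnet to BU net:",
          evaluate_policy(layers, "10.10.1.5", "10.200.1.1", "telnet"))
    net = inline_policy()
    print("inline, http to mgmt net:", evaluate_policy([net], "10.10.1.5", "10.155.3.7", "http"))
    print("hidden rules:", shadowed_rules(net))
```

Running it reproduces the question's symptom: with the Management layer's cleanup set to Drop, HTTP to the business-unit network is dropped because the Management layer has no rule for it, and with every cleanup set to Accept, unlisted services such as telnet pass. In the inline version, HTTP to the management network is handed to MgmtLayer and dropped there without ever reaching Rule 6, which is exactly why the verifier reports that rule as hidden.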

PhoneBoy
Admin

In addition to the product documentation, the following thread might also be helpful: https://community.checkpoint.com/t5/Policy-Management/Policy-Layers-in-R80-x/m-p/1717#M74 

0 Kudos