Kishin_Fatnani
Participant

How are implied rules implemented with a multi-layered policy?

When an option is selected in the Global Properties / Firewall page, certain rules are created that get merged with each policy installed to any gateway. In the case of multi-layered policies, does this merger happen with each layer defined in a policy, or only with the first ordered layer? E.g., if "Accept ICMP requests" is selected with "Before Last", will the ICMP rule be inserted only in the first layer of each policy, or in each layer?

If the answer is the first layer, then what if the first layer is shared and used as the last layer in another policy?


Accepted Solutions
Tomer_Sole
Mentor

I got a clarification regarding implied rules. This is the more correct behaviour:

Implied rules are "attached" during install policy, to the relevant context.

The implied rules that are selected to appear "first", are added to the first ordered layer in the policy.

The implied rules that are selected to appear "before last" or "last", are added to all the layers.

Let's consider the examples below:

2 ordered layers:

* Accept ICMP defined as 'before last'

Example 1:

Layer 1:

1. Any any any drop

Layer 2:

1. Any any any drop

In the above example, all ICMP connections will be matched on the 'accept icmp' implied rule.

Example 2:

Layer 1:

1. Any any any drop

Layer 2:

1. src=10.0.0.1, Drop
2. Any any any drop

In the above example, ICMP packets from 10.0.0.1 will match the implied rule on layer 1, but match explicit rule 1 on layer 2.

In addition, every layer has the "implicit cleanup rule" in its properties. For Pre-R80.10 Gateways, in every policy, the first layer must have its implicit cleanup rule set to "drop" and for the second ordered layer the implicit cleanup rule must be set to "accept". Usually, these are the defaults when creating policies and layers, so the admin doesn't have to worry about them, unless it is shown as the reason for his policy installation failure.


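To make the accepted answer's placement rules and the resulting per-layer matching concrete, here is a small Python model added to this thread; it is neither Check Point's code nor the poster's. The rule and packet format, placing "before last" ahead of a layer's final explicit rule and "last" after all explicit rules (still ahead of the implicit cleanup), and the ordered-layer decision (every layer must accept, the first drop wins) are assumptions of the model.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: str
    action: str              # "accept" or "drop"
    name: str = "explicit"

    def matches(self, pkt):
        want, got = (self.src, self.dst, self.svc), (pkt["src"], pkt["dst"], pkt["svc"])
        return all(w in (ANY, g) for w, g in zip(want, got))

@dataclass
class Layer:
    rules: list
    implicit_cleanup: str = "drop"  # the per-layer "implicit cleanup rule" property

def attach_implied(layers, implied):
    """Attach implied rules as the accepted answer describes (assumed placement).
    implied maps "first" / "before_last" / "last" to lists of Rule."""
    installed = []
    for i, layer in enumerate(layers):
        rules = list(layer.rules)
        cut = max(len(rules) - 1, 0)  # "before last": ahead of the final explicit rule
        rules = rules[:cut] + implied.get("before_last", []) + rules[cut:]
        rules += implied.get("last", [])  # "last": after all explicit rules, all layers
        if i == 0:                        # "first": first ordered layer only
            rules = implied.get("first", []) + rules
        installed.append(Layer(rules, layer.implicit_cleanup))
    return installed

def evaluate(layers, pkt):
    """Ordered-layer decision: every layer must accept, the first drop wins."""
    trace = []
    for n, layer in enumerate(layers, 1):
        hit = next((r for r in layer.rules if r.matches(pkt)), None)
        action = hit.action if hit else layer.implicit_cleanup
        trace.append(f"layer {n}: {hit.name if hit else 'implicit cleanup'} -> {action}")
        if action == "drop":
            return "drop", trace
    return "accept", trace

# Constructed scenario: Example 2 above, with "Accept ICMP" set to "Before Last".
IMPLIED = {"before_last": [Rule(ANY, ANY, "icmp", "accept", name="implied accept icmp")]}
EXAMPLE_2 = attach_implied(
    [Layer([Rule(ANY, ANY, ANY, "drop", name="L1 rule 1")]),
     Layer([Rule("10.0.0.1", ANY, ANY, "drop", name="L2 rule 1"),
            Rule(ANY, ANY, ANY, "drop", name="L2 rule 2")])], IMPLIED)
```

`evaluate(EXAMPLE_2, {"src": "10.0.0.1", "dst": "10.0.0.9", "svc": "icmp"})` reproduces the answer's Example 2: accepted by the implied rule in layer 1, dropped by explicit rule 1 in layer 2.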
6 Replies
Tomer_Sole
Mentor

Implied rules are "attached" during install policy, to the relevant context. All the Implied Rules from the global properties go to the first ordered layer in the policy.

In addition, every layer has the "implicit cleanup rule" in its properties. For Pre-R80.10 Gateways, in every policy, the first layer must have its implicit cleanup rule set to "drop" and for the second ordered layer the implicit cleanup rule must be set to "accept". Usually, these are the defaults when creating policies and layers, so the admin doesn't have to worry about them, unless it is shown as the reason for his policy installation failure.

Kishin_Fatnani
Participant

Thanks Tomer. This means that traffic allowed by implied rules (last or before last) must also be allowed in all the other layers (2 onwards), either by an explicit rule or by an implicit cleanup rule with the accept action. If any layer other than the first has an explicit cleanup rule, then these implied rules will not be useful.

Also I see that the "First" implied rules work exclusively, i.e. no layer rules are matched if one of the "First" implied rules matches. Is that correct?

Tomer_Sole
Mentor

Since the implied rules apply to the first layer in each policy, if matched, the ones that are defined to be "first" will apply before any other rules from the layers are evaluated.

Kishin_Fatnani
Participant

That's right Tomer, but the difference I see is that if an implied rule defined as last or before last is matched, the rules in the other layers after it are still inspected; however, this is not the case for implied rules defined as first.

Tomer_Sole
Mentor

I have forwarded Kishin's case to R&D. This seems to be a problem for the current version of R80.10 Pre-EA Gateways.

