John_Richards
Contributor

Inline Layer Cleanup Rule

I have watched the videos and fully understand the matching and "possible match" scenarios. We have a client that has an inline layer and does use Application and URL filtering in this layer. It generally works well. Now that we created a viable inline layer the client would like to change the cleanup rule to Drop from Accept. How will this impact the "possible match" scenario? My understanding is that there is a possible match on 1.3 (example below) but the initial handshake would be 1.4 (accept). What if 1.4 is a drop; does the match drop the traffic even though there is a "possible match"? Does this type of behavior mean that you would never use Application and URL filtering in an Inline Layer if you wanted a Cleanup rule to be a drop?

| Rule number | Source            | Destination | Services and Applications | Content     | Action       | Track              |
|-------------|-------------------|-------------|---------------------------|-------------|--------------|--------------------|
| 1           | Internal Networks | Internet    | Web Services              | Any         | Inline Layer |                    |
| 1.1         | Any               | Any         | Gambling Category         | Any         | Drop         |                    |
| 1.2         | Any               | Any         | Any                       | Excel Files | Drop         |                    |
| 1.3         | Any               | Any         | Streaming Services        |             | Accept       | Log and Accounting |
| 1.4         | Any               | Any         | Any                       |             | Accept       | Log                |

1 Solution

Accepted Solutions
PhoneBoy
Admin

The cleanup rule (whether it's a drop or accept) is always a "possible match."
Given your 1.x rules, they would all be possible matches.
Since at least one of those rules is an Accept, traffic would pass until it is classified further.
Otherwise, you get an "Early Drop" situation: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

And yes, you can make a layer with App Control/URLF enabled have a "drop" at the bottom.
You just need to make sure you accept all the apps/websites you actually want to allow as part of that layer.

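To make the "possible match" behaviour in the accepted answer concrete, here is a small added model of it. It is example code written for this thread, not Check Point's implementation: the `Rule` and `Traffic` classes and the function names are assumptions, network objects are simplified to plain strings, and the layer is built from the 1.x rules in the question. On the first packet the application and content are unknown, so every rule whose known fields match (the cleanup rule always does) is a possible match; traffic is only let through to be classified if at least one possible match is an Accept, otherwise it is dropped early. Once classified, the first matching rule top-down wins. The model goes slightly beyond the thread by also honouring source/destination conditions inside the layer.

```python
# Added example modelling the "possible match" logic described in the accepted answer.
# Not Check Point code: Rule, Traffic and the helper names below are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: str
    action: str                  # "Accept" or "Drop"
    source: str = "Any"          # network objects simplified to strings
    destination: str = "Any"
    application: str = "Any"     # App Control / URL Filtering condition
    content: str = "Any"         # Content Awareness condition (file type)

    def needs_classification(self) -> bool:
        """True when the first packet alone cannot decide this rule."""
        return self.application != "Any" or self.content != "Any"


@dataclass(frozen=True)
class Traffic:
    source: str
    destination: str
    application: Optional[str] = None   # None = not yet classified
    content: Optional[str] = None


def _l3_matches(rule: Rule, t: Traffic) -> bool:
    return rule.source in ("Any", t.source) and rule.destination in ("Any", t.destination)


def possible_matches(layer: List[Rule], t: Traffic) -> List[Rule]:
    """Rules that may still match: L3 fields match and the application/content
    fields are either Any, already classified to the same value, or still unknown."""
    out = []
    for r in layer:
        if not _l3_matches(r, t):
            continue
        app_ok = r.application == "Any" or t.application in (None, r.application)
        content_ok = r.content == "Any" or t.content in (None, r.content)
        if app_ok and content_ok:
            out.append(r)
    return out


def first_packet_verdict(layer: List[Rule], t: Traffic) -> str:
    """Before classification the traffic passes only if some possible match is an
    Accept; if every possible match is a Drop the gateway can drop it early."""
    if any(r.action == "Accept" for r in possible_matches(layer, t)):
        return "pass-pending-classification"
    return "early-drop"


def final_verdict(layer: List[Rule], t: Traffic) -> Tuple[str, str]:
    """After classification the first rule (top-down) whose fields all match wins."""
    for r in layer:
        if (_l3_matches(r, t)
                and r.application in ("Any", t.application)
                and r.content in ("Any", t.content)):
            return r.number, r.action
    raise ValueError("layer has no cleanup rule")


def layer_from_question(cleanup_action: str) -> List[Rule]:
    """The 1.x inline layer from the question, with a configurable cleanup action."""
    return [
        Rule("1.1", "Drop", application="Gambling Category"),
        Rule("1.2", "Drop", content="Excel Files"),
        Rule("1.3", "Accept", application="Streaming Services"),
        Rule("1.4", cleanup_action),
    ]


if __name__ == "__main__":
    # Constructed sample traffic: a new connection, then the same flow once classified.
    syn = Traffic("Internal Networks", "Internet")
    gambling = Traffic("Internal Networks", "Internet", application="Gambling Category")
    for cleanup in ("Accept", "Drop"):
        layer = layer_from_question(cleanup)
        pm = [r.number for r in possible_matches(layer, syn)]
        print(cleanup, pm, first_packet_verdict(layer, syn), final_verdict(layer, gambling))
    # A layer whose possible matches are all Drop shows the early-drop case.
    drop_only = [Rule("1.1", "Drop", application="Gambling Category"), Rule("1.2", "Drop")]
    print("drop-only layer:", first_packet_verdict(drop_only, syn))
```

Running it shows that with the question's layer the first packet passes pending classification whether 1.4 is Accept or Drop, because 1.3 is an Accept among the possible matches, and that gambling traffic is then re-matched to 1.1 and dropped; the drop-only layer is the early-drop case the answer warns about.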

6 Replies
_Val_
Admin

If you change Accept to Drop on rule 1.4, the whole Layer 1 will not be matched to anything. The first packet needs to be matched to an Accept rule in the layer, before we can figure out if it is by chance related to rules 1.1-3.

My understanding is, you want to allow Web access with limitations for specific categories. This will only work if the cleanup rule has Accept action, not Drop.

0 Kudos
John_Richards
Contributor

Thanks. So for 1.1 above, which is a drop, does it still need an accept in 1.4 to get categorized and then dropped?

0 Kudos
_Val_
Admin

Correct. The first packet will be matched to 1.4 and then re-matched to 1.1, once categorization is complete. 

0 Kudos

the_rock
Legend

I will tell you what I did with a couple of customers who switched from Cisco to CP. Since they did not feel comfortable creating an inline or ordered layer just for url/app control with any any allow at the bottom (blacklist approach, which CP recommends), we simply stuck with the network ordered layer, enabled app control and urlf blades on it and created a section towards the top for those rules, that's it.

Would I recommend you have an inline layer with any any accept at the bottom? I would not. Reason is, if traffic hits the parent rule of that inline layer, it will drop on whatever rule it hits inside of it with action drop, but it's not a good practice to have allow at the bottom of an inline layer.

It's different for an ordered layer: if you have url/appc blades enabled, you can use the blacklist approach. I mean, technically, you could do the same with an inline layer inside an ordered network layer.

In your example, if parent rule 1 is matched, rules 1.1, 1.2 and 1.3 WILL be matched, regardless of what the 1.4 rule action is. BUT, here is the catch... IF parent rule 1 is matched and there are no other child rules below it in that layer, traffic will be accepted and NOT dropped.

0 Kudos
John_Richards
Contributor

Thanks to everyone providing input. I did successfully deploy an inline internet layer (80 and 443) with URL/App control enabled. We have drop rules at the top (High Risk, Porn etc. in 1.1) and it works well. And yes, we did deploy with an "accept" cleanup but need to change that. The SK that PhoneBoy provided nicely answers my question and I can proceed to change the cleanup rule.

0 Kudos