Inline Layer Cleanup Rule
I have watched the videos and fully understand the matching and "possible match" scenarios. We have a client that has an inline layer and does use Application and URL filtering in this layer. It generally works well. Now that we created a viable inline layer the client would like to change the cleanup rule to Drop from Accept. How will this impact the "possible match" scenario? My understanding is that there is a possible match on 1.3 (example below) but the initial handshake would be 1.4 (accept). What if 1.4 is a drop; does the match drop the traffic even though there is a "possible match"? Does this type of behavior mean that you would never use Application and URL filtering in an Inline Layer if you wanted a Cleanup rule to be a drop?
| Rule number | Source | Destination | Services and Applications | Content | Action | Track |
|---|---|---|---|---|---|---|
| 1 | Internal Networks | Internet | Web Services | Any | Inline Layer | |
| 1.1 | Any | Any | Gambling Category | Any | Drop | |
| 1.2 | Any | Any | Any | Excel Files | Drop | |
| 1.3 | Any | Any | Streaming Services | Any | Accept | Log and Accounting |
| 1.4 | Any | Any | Any | Any | Accept | Log |
Accepted Solutions
The cleanup rule (whether it's a drop or accept) is always a "possible match."
Given your 1.x rules, they would all be possible matches.
Since at least one of those rules is an Accept, traffic would pass until it is classified further.
Otherwise, you get an "Early Drop" situation: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And yes, you can make a layer with App Control/URLF enabled have a "drop" at the bottom.
You just need to make sure you accept all the apps/websites you actually want to allow as part of that layer.
If you change Accept to Drop on rule 1.4, the whole Layer 1 will not be matched to anything. The first packet needs to be matched to an Accept rule in the layer, before we can figure out if it is by chance related to rules 1.1-3.
My understanding is, you want to allow Web access with limitations for specific categories. This will only work if the cleanup rule has an Accept action, not Drop.
Thanks. So for 1.1 above, which is a drop, does it still need an accept in 1.4 to get categorized and then dropped?
Correct. The first packet will be matched to 1.4 and then re-matched to 1.1, once categorization is complete.
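The behaviour described in the accepted answer and in the reply just above (first packet let through on an Accept candidate, connection re-matched to 1.1 once classified, "Early Drop" when no candidate can accept) as an added toy model in Python; this is not Check Point's matching code, and it simplifies classification to plain string matching on the app/URL category and data type names. The "HTML" and "Business Site" classifications and the NO_ACCEPT layer are constructed inputs.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    number: str
    app: str      # "Services and Applications": ANY, an application or a URL category
    content: str  # "Content": ANY or a data type such as "Excel Files"
    action: str   # "Accept" or "Drop"

def needs_classification(rule: Rule) -> bool:
    # A rule keyed on an app, URL category or data type cannot be decided on the first
    # packet; it remains a "possible match" until App Control / URLF has classified the flow.
    return rule.app != ANY or rule.content != ANY

def first_packet_verdict(layer: list[Rule]) -> tuple[str, list[str]]:
    # Walk top to bottom: undecidable rules are collected as possible matches; the first
    # rule decidable on network fields alone (the cleanup rule here) ends the walk and is
    # a possible match too.  If no candidate can Accept, no classification could ever let
    # the flow through, so it is dropped at once ("Early Drop"); otherwise it passes for now.
    candidates = []
    for rule in layer:
        candidates.append(rule)
        if not needs_classification(rule):
            break
    numbers = [r.number for r in candidates]
    if any(r.action == "Accept" for r in candidates):
        return "accept-pending-classification", numbers
    return "early-drop", numbers

def rematch(layer: list[Rule], app: str, content: str) -> Rule:
    # Once classified, the connection is re-matched top to bottom; the first rule whose
    # fields all match is final, so a Drop in 1.1 wins over the Accept that let packet 1 in.
    for rule in layer:
        if rule.app in (ANY, app) and rule.content in (ANY, content):
            return rule
    raise ValueError("layer has no cleanup rule")

# The thread's layer as posted (cleanup 1.4 = Accept) and with the cleanup changed to Drop.
ACCEPT_CLEANUP = [
    Rule("1.1", "Gambling Category", ANY, "Drop"),
    Rule("1.2", ANY, "Excel Files", "Drop"),
    Rule("1.3", "Streaming Services", ANY, "Accept"),
    Rule("1.4", ANY, ANY, "Accept"),
]
DROP_CLEANUP = ACCEPT_CLEANUP[:3] + [Rule("1.4", ANY, ANY, "Drop")]
# Constructed layer with no Accept at all: nothing could ever pass, so it Early Drops.
NO_ACCEPT = [Rule("1.1", "Gambling Category", ANY, "Drop"), Rule("1.2", ANY, ANY, "Drop")]
```

With the cleanup changed to Drop, the first packet still passes because 1.3 can Accept; a flow later classified as anything other than Streaming Services then falls through to the 1.4 Drop, which is why every app or site to be allowed needs its own Accept rule above the cleanup.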
I will tell you what I did with a couple of customers who switched from Cisco to CP. Since they did not feel comfortable creating an inline or ordered layer just for URL/app control with an any-any allow at the bottom (blacklist approach, which CP recommends), we simply stuck with the network ordered layer, enabled the App Control and URLF blades on it and created a section towards the top for those rules, that's it.
Would I recommend you have an inline layer with an any-any accept at the bottom? I would not. The reason is, if traffic hits the parent rule of that inline layer, it will drop on whatever rule it hits inside of it with action drop, but it's not good practice to have allow at the bottom of an inline layer.
It's different for an ordered layer: if you have the URL/AppC blades enabled, you can use the blacklist approach. I mean, technically, you could do the same with an inline layer inside an ordered network layer.
In your example, if parent rule 1 is matched, rules 1.1, 1.2 and 1.3 WILL be matched, regardless of what the 1.4 rule action is. BUT, here is the catch... IF parent rule 1 is matched and there are no other child rules below it in that layer, traffic will be accepted and NOT dropped.
Thanks to everyone providing input. I did successfully deploy an inline internet layer (80 and 443) with URL/App control enabled. We have drop rules at the top (High Risk, Porn etc. in 1.1) and it works well. And yes, we did deploy with an "accept" cleanup but need to change that. The SK that PhoneBoy provided nicely answers my question and I can proceed to change the cleanup rule.
