Solved: Re: Inline Layer and software blades

MrSaintz · ‎2018-03-28

Hi all,

When setting up inline layers to setup for instance mobile access rules (unified mode) application/urlf rules, content, etc should the parent be enabled with all the blades I want to use at the inline layer level?

I think it would make sense, not enable at the parent level, example:

parent allowing lan to internet service http/https assign inline layer "urlf"(here I would only enable access control)

at the "urlf" inline layer specify allowed/blocked categories there (here i would enable urlf sb)

Is this proper, best practice?

Regards,

Carlos

Carlos Santos

Tomer_Sole · ‎2018-03-28

Hi, it's not required. If you didn't enable applications at the parent layer or rule but did that in the inline layer, it will inspect applications (or content awareness etc. for that matter).

So if you plan to move your Application Control ordered layer as an inline layer to your outgoing Firewall rules, you don't have to edit the Firewall layer and start enable blades for that.

View solution in original post

Tomer_Sole · ‎2018-03-28

Hi, it's not required. If you didn't enable applications at the parent layer or rule but did that in the inline layer, it will inspect applications (or content awareness etc. for that matter).

So if you plan to move your Application Control ordered layer as an inline layer to your outgoing Firewall rules, you don't have to edit the Firewall layer and start enable blades for that.

Vladimir · ‎2018-03-28

Tomer,

If we have parent layer configured with Firewall blade only and the inline layer with APPC and URLF, can we use "Internet" object in the parent rules or should it only be used in the APPC and URLF layer?

ED · ‎2018-03-29

The object "Any" in the destination column is bad because of the column-based rule-matching tehnique in R80.10+ firewalls. Therefore it's better to use "Internet" object in the parent rules.

Vladimir · ‎2018-03-29

Enis,

The question was not about use of "Any" object, but if "Internet" object from the layer containing APPC & URLF blade could be used in the parent layer that DOES NOT contain APPC & URLF blade.

Tal_Ben_Avraham · ‎2018-04-01

Internet objects are only supported for APCL\URLF layers.

You can use security zones instead,

Tal_Ben_Avraham · ‎2018-04-01

In general it is good practice not to leave columns with any if possible. On APCL\URLF case on most cases applications are actually in the internet, so it is better to use Internet object.

R80.10 rule matching technique is actually not relevant here. Defining internet object (or any other network object) in a rule allows rulebase to filter rules in an earlier stage (e.g: SYN packet) allowing better security and potentially better performance.

e.g:

Src: Any Dst: Any Application: Facebook

Such rule will cause any connection being inspected to determine the application on the connection.

Src: Network_A Dst: Internet Application: Facebook

Such rule will cause only connections originated from Network_A to internet being inspected for application detection. For all other connections this rule will be filtered out on the first packet of the connection (pending other rules, this connection will be further inspected or not).

Vladimir · ‎2018-04-01

Tal, thank you for concise explanation.

Can you tell me how the user defined applications for Mobile Access are being treated? I.e. do we need to have APCL URLF blade enabled on the layer containing MAB, or are those apps recognized and treated differently?

MrSaintz · ‎2018-04-04

Hey Vladimir,

For MAB blade inline layer you don't need to have APP/URLF blade active.

Best regards,

Carlos Santos

Dor_Marcovitch · ‎2018-03-29

I think it should be fine. Search for.other threads that we talked about using zone on the rulebase.

M_Ruszkowski · ‎2019-09-10

I read / hear what you are saying. But we did this exact same thing. We had the parent layer configured for firewall only and then added an inline layer with both firewall and url/app. What we noticed is that none of the url/app rules worked, we then had to add IP based rules in the inline layer to get our access to work. I spoke with CheckPoint support and was told that we needed to activate the url/app blade in the parent layer / policy. We could not enable this, it was greyed out, because a global policy is assigned. We would have to enable this blade in the global so that it enabled it in the parent layer of the domain. FYI...We are running R80.20 on the MDS and gateways. It would make things a lot easier for us if we could get the inline layer to work without having to enable url/app in the global policy. Is there something else we need to do to get the inline layer url/app blade to work?

MrSaintz · ‎2019-09-23

Hi, that's really strange, I use this setup, and i can match the inline layers.
I have customers with R80.20, MDS and SMC and both work just fine to them, there have been some issues, log related and ssl inspection, but not with urlf/appctl actually, we have a customer that uses even urlf in inline layer to prevent access to specific url for inbound traffic on one of it's web sites, it looks like you need to report this the support team...

Cheers,
Carlos Santos

Carlos Santos

S__B_ · ‎2019-09-10

👍

Are you a member of CheckMates?

Inline Layer and software blades