MrSaintz
Contributor

Inline Layer and software blades

Hi all,

When setting up inline layers, for instance to set up Mobile Access rules (unified mode), application/URLF rules, content awareness, etc., should the parent be enabled with all the blades I want to use at the inline layer level?

I think it would make sense not to enable them at the parent level. Example:

parent rule allowing LAN to Internet, service http/https, assigned inline layer "urlf" (here I would only enable Access Control)

at the "urlf" inline layer, specify the allowed/blocked categories there (here I would enable the URLF software blade)

Is this proper, best practice?

Regards,

Carlos

Accepted Solution
Tomer_Sole
Mentor

Hi, it's not required. If you didn't enable Application Control at the parent layer or rule but did that in the inline layer, it will inspect applications (or Content Awareness etc., for that matter).

So if you plan to move your Application Control ordered layer as an inline layer into your outgoing Firewall rules, you don't have to edit the Firewall layer and start enabling blades for that.


12 Replies
Vladimir
Champion

Tomer,

If we have the parent layer configured with the Firewall blade only and the inline layer with APPC and URLF, can we use the "Internet" object in the parent rules, or should it only be used in the APPC and URLF layer?

ED
Advisor

The object "Any" in the destination column is bad because of the column-based rule-matching technique in R80.10+ firewalls. Therefore it's better to use the "Internet" object in the parent rules.

Vladimir
Champion

Enis,

The question was not about the use of the "Any" object, but whether the "Internet" object from the layer containing the APPC & URLF blades could be used in the parent layer that DOES NOT contain the APPC & URLF blades.

Tal_Ben_Avraham
Employee

Internet objects are only supported for APCL\URLF layers.

You can use security zones instead.

Tal_Ben_Avraham
Employee

In general it is good practice not to leave columns with Any if possible. In the APCL\URLF case, in most cases the applications are actually on the Internet, so it is better to use the Internet object.

The R80.10 rule matching technique is actually not relevant here. Defining the Internet object (or any other network object) in a rule allows the rulebase to filter rules at an earlier stage (e.g. the SYN packet), allowing better security and potentially better performance.

e.g.:

Src: Any Dst: Any Application: Facebook

Such a rule will cause every connection to be inspected in order to determine the application on the connection.

Src: Network_A Dst: Internet Application: Facebook

Such a rule will cause only connections originating from Network_A to the Internet to be inspected for application detection. For all other connections this rule will be filtered out on the first packet of the connection (depending on the other rules, the connection will or will not be further inspected).

Vladimir
Champion
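To illustrate the first-packet filtering Tal describes, here is a small added simulation (my own example, not Check Point code, with constructed sample address objects): a top-down match that looks only at the Source and Destination columns available on the SYN, and reports whether any surviving rule still needs application detection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample address objects (assumptions, not from the thread).
NETWORK_A = ip_network("10.1.0.0/16")
INTERNAL = [ip_network("10.0.0.0/8")]     # anything outside these is "Internet"


@dataclass
class Rule:
    name: str
    src: object                  # "Any" or an ip_network
    dst: object                  # "Any", "Internet" or an ip_network
    application: Optional[str]   # None means no Application condition
    action: str


def match_src(rule_src, ip):
    return rule_src == "Any" or ip in rule_src


def match_dst(rule_dst, ip):
    if rule_dst == "Any":
        return True
    if rule_dst == "Internet":
        return not any(ip in n for n in INTERNAL)
    return ip in rule_dst


def decide_on_syn(rules, src, dst):
    """Top-down match using only the columns known at the SYN packet.
    Returns (matched_rule_name, needs_app_inspection)."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if not (match_src(r.src, src) and match_dst(r.dst, dst)):
            continue                      # filtered out on the first packet
        if r.application is None:
            return r.name, False          # decided without deep inspection
        return None, True                 # this candidate needs the application
    return "cleanup", False               # implicit cleanup rule


# The two rules from the post above, as constructed rulebases.
RULES_ANY = [Rule("fb-any", "Any", "Any", "Facebook", "Drop")]
RULES_SCOPED = [Rule("fb-scoped", NETWORK_A, "Internet", "Facebook", "Drop")]

if __name__ == "__main__":
    for rules in (RULES_ANY, RULES_SCOPED):
        print(rules[0].name, decide_on_syn(rules, "10.2.0.5", "203.0.113.10"))
```

With the Any/Any rule, a connection from 10.2.0.5 (outside Network_A) still needs application detection; with the scoped rule, the same connection is decided on the SYN and never reaches the application engine.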

Tal, thank you for the concise explanation.

Can you tell me how user-defined applications for Mobile Access are treated? I.e., do we need to have the APCL/URLF blade enabled on the layer containing MAB, or are those apps recognized and treated differently?
MrSaintz
Contributor

Hey Vladimir,

For the MAB blade inline layer you don't need to have the APP/URLF blade active.

Best regards,

Carlos Santos
Dor_Marcovitch
Advisor

I think it should be fine. Search for other threads where we talked about using zones in the rulebase.

M_Ruszkowski
Collaborator

I read / hear what you are saying. But we did this exact same thing. We had the parent layer configured for firewall only and then added an inline layer with both firewall and URL/App. What we noticed is that none of the URL/App rules worked; we then had to add IP-based rules in the inline layer to get our access to work.

I spoke with Check Point support and was told that we needed to activate the URL/App blade in the parent layer / policy. We could not enable this; it was greyed out, because a global policy is assigned. We would have to enable this blade in the global policy so that it enabled it in the parent layer of the domain.

FYI, we are running R80.20 on the MDS and gateways. It would make things a lot easier for us if we could get the inline layer to work without having to enable URL/App in the global policy. Is there something else we need to do to get the inline layer URL/App blade to work?
MrSaintz
Contributor

Hi, that's really strange. I use this setup, and I can match the inline layers.

I have customers with R80.20, MDS and SMC, and both work just fine for them. There have been some issues, log related and SSL inspection, but not with URLF/AppCtl actually. We have a customer that even uses URLF in an inline layer to prevent access to specific URLs for inbound traffic on one of its web sites. It looks like you need to report this to the support team...

Cheers,
Carlos Santos
S__B_
Participant

👍