Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Hainich
Collaborator
Jump to solution

Inline Layer in R80.20 after Migration from R77.30

Hello,

 

after migration from R77.30 to R80.20 i want to use inline layers.

can i do an "soft-migration" and add some inline layers?

can i use ordered and inline-layers at the same time?

 

in maxpower-book i read to not use "any" object. but in R80.20 demo mode, many rules are with any.

so should i avoid any, or is it with inline-layers no problem to use any?

 

 

thanks

daniel

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin

Hi @Daniel_Hainich 

Yes, you can migrate as is and later convert some of your rules into sub-layers. We have shown an example of such conversion during one of our TechTalks earlier this year: https://community.checkpoint.com/t5/General-Topics/Migrate-to-R80-20-TechTalk/m-p/22862

 

Drill to the slides, specifically slides 66-70 are addressing that.

 

Before @Timothy_Hall can elaborate on your "any" object comment, I have to stress than rulebase order and us of specific objects in the policy has smaller significance with R80.x in comparison to R77.30, because of new rulebase lookup logic.

 

 

View solution in original post

Timothy_Hall
Legend Legend
Legend

Avoiding the use of "Any" in the Destination column of rules is to help optimize the new R80.10+ Column-based Matching feature and reduce rulebase lookup overhead in the F2V path.  This recommendation applies for both ordered and inline layers.  Using literally anything other than "Any" will help, such as:

  • A negation of a group object containing all your internal networks to represent the Internet
  • Object "Internet" in APCL/URLF-enabled layers (but make sure firewall topology is completely and correctly defined)
  • Security Zone object
  • Updatable or other Dynamic object

While avoiding "Any" will help in the Destination, Source and Service fields, the Destination column is checked first by Column-based matching thus the recommendation to focus on avoiding "Any" in that column.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

4 Replies
_Val_
Admin
Admin

Hi @Daniel_Hainich 

Yes, you can migrate as is and later convert some of your rules into sub-layers. We have shown an example of such conversion during one of our TechTalks earlier this year: https://community.checkpoint.com/t5/General-Topics/Migrate-to-R80-20-TechTalk/m-p/22862

 

Drill to the slides, specifically slides 66-70 are addressing that.

 

Before @Timothy_Hall can elaborate on your "any" object comment, I have to stress than rulebase order and us of specific objects in the policy has smaller significance with R80.x in comparison to R77.30, because of new rulebase lookup logic.

 

 

Timothy_Hall
Legend Legend
Legend

Avoiding the use of "Any" in the Destination column of rules is to help optimize the new R80.10+ Column-based Matching feature and reduce rulebase lookup overhead in the F2V path.  This recommendation applies for both ordered and inline layers.  Using literally anything other than "Any" will help, such as:

  • A negation of a group object containing all your internal networks to represent the Internet
  • Object "Internet" in APCL/URLF-enabled layers (but make sure firewall topology is completely and correctly defined)
  • Security Zone object
  • Updatable or other Dynamic object

While avoiding "Any" will help in the Destination, Source and Service fields, the Destination column is checked first by Column-based matching thus the recommendation to focus on avoiding "Any" in that column.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Daniel_Hainich
Collaborator
hello,
thanks for help.
as i understood - any in source column is not a problem. only any in destination and service column?
0 Kudos
Timothy_Hall
Legend Legend
Legend

"Any" is not a real "problem" as far as functionality or security in any column of a policy layer, for performance optimization purposes though it can be helpful to avoid the use of "Any" primarily in the Destination column.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events