This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Hainich
Advisor
‎2019-08-07 01:43 AM
Jump to solution

Inline Layer in R80.20 after Migration from R77.30

Hello,

 

after migration from R77.30 to R80.20 i want to use inline layers.

can i do an "soft-migration" and add some inline layers?

can i use ordered and inline-layers at the same time?

 

in maxpower-book i read to not use "any" object. but in R80.20 demo mode, many rules are with any.

so should i avoid any, or is it with inline-layers no problem to use any?

 

 

thanks

daniel

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2019-08-09 02:52 AM
Jump to solution

Hi @Daniel_Hainich 

Yes, you can migrate as is and later convert some of your rules into sub-layers. We have shown an example of such conversion during one of our TechTalks earlier this year: https://community.checkpoint.com/t5/General-Topics/Migrate-to-R80-20-TechTalk/m-p/22862

 

Drill to the slides, specifically slides 66-70 are addressing that.

 

Before @Timothy_Hall can elaborate on your "any" object comment, I have to stress than rulebase order and us of specific objects in the policy has smaller significance with R80.x in comparison to R77.30, because of new rulebase lookup logic.

 

 

View solution in original post

Timothy_Hall
Legend Legend
Legend
‎2019-08-09 05:10 AM
Jump to solution

Avoiding the use of "Any" in the Destination column of rules is to help optimize the new R80.10+ Column-based Matching feature and reduce rulebase lookup overhead in the F2V path.  This recommendation applies for both ordered and inline layers.  Using literally anything other than "Any" will help, such as:

  • A negation of a group object containing all your internal networks to represent the Internet
  • Object "Internet" in APCL/URLF-enabled layers (but make sure firewall topology is completely and correctly defined)
  • Security Zone object
  • Updatable or other Dynamic object

While avoiding "Any" will help in the Destination, Source and Service fields, the Destination column is checked first by Column-based matching thus the recommendation to focus on avoiding "Any" in that column.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon

View solution in original post

4 Replies
_Val_
Admin
Admin
‎2019-08-09 02:52 AM
Jump to solution

Hi @Daniel_Hainich 

Yes, you can migrate as is and later convert some of your rules into sub-layers. We have shown an example of such conversion during one of our TechTalks earlier this year: https://community.checkpoint.com/t5/General-Topics/Migrate-to-R80-20-TechTalk/m-p/22862

 

Drill to the slides, specifically slides 66-70 are addressing that.

 

Before @Timothy_Hall can elaborate on your "any" object comment, I have to stress than rulebase order and us of specific objects in the policy has smaller significance with R80.x in comparison to R77.30, because of new rulebase lookup logic.

 

 

Timothy_Hall
Legend Legend
Legend
‎2019-08-09 05:10 AM
Jump to solution

Avoiding the use of "Any" in the Destination column of rules is to help optimize the new R80.10+ Column-based Matching feature and reduce rulebase lookup overhead in the F2V path.  This recommendation applies for both ordered and inline layers.  Using literally anything other than "Any" will help, such as:

  • A negation of a group object containing all your internal networks to represent the Internet
  • Object "Internet" in APCL/URLF-enabled layers (but make sure firewall topology is completely and correctly defined)
  • Security Zone object
  • Updatable or other Dynamic object

While avoiding "Any" will help in the Destination, Source and Service fields, the Destination column is checked first by Column-based matching thus the recommendation to focus on avoiding "Any" in that column.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
Daniel_Hainich
Advisor
‎2019-08-09 05:13 AM
In response to Timothy_Hall
Jump to solution

hello,
thanks for help.
as i understood - any in source column is not a problem. only any in destination and service column?
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-09 05:19 AM
In response to Daniel_Hainich
Jump to solution

"Any" is not a real "problem" as far as functionality or security in any column of a policy layer, for performance optimization purposes though it can be helpful to avoid the use of "Any" primarily in the Destination column.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events