This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leon_Noble
Participant
‎2025-12-17 04:12 AM
Jump to solution

Inline Layer with Access Roles

I am looking to implement an inline layer that can be used across multiple policies which apply to end users. The end users can come via different GWs and we need a consistent policy across multlple gateways.

My main question relates to access roles and how this works when you have the initial rule of the inline policy as a group of networks from which users come as the src.

Within the access roles, the same group is defined as a specific network. Can I still use the access role within the inline policy that has the initial rule with the group as the source?

So first rule

src: USERS-GROUP

dst: any

Action: Inline Layer - USER-POLICY

Sub rule

src: HR-USERS (Access Role) - Specific Network USERS-GROUP

dst: HR-SYSTEM

svc: HTTPS

 

Will the sub rule still apply so long as the source of the user will still be within the USERS-GROUP defined on the first rule?

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2025-12-17 05:23 AM
Jump to solution

Keep in mind, the way inline layers work is that if traffic hits parent rule (ie main inline layer rule), it will then check all the sub-rules (child rules) within that layer.

So based on example you gave, seems to me that would indeed work fine.

Best,
Andy

View solution in original post

7 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-12-17 05:23 AM
Jump to solution

Keep in mind, the way inline layers work is that if traffic hits parent rule (ie main inline layer rule), it will then check all the sub-rules (child rules) within that layer.

So based on example you gave, seems to me that would indeed work fine.

Best,
Andy
the_rock
MVP Diamond
MVP Diamond
‎2025-12-17 05:36 AM
In response to the_rock
Jump to solution

@Leon_Noble 

I attached short video that I took from my lab, hope it makes sense.

 

(view in My Videos)

 

Best,
Andy
0 Kudos
Leon_Noble
Participant
‎2025-12-17 05:37 AM
In response to the_rock
Jump to solution

Thanks, this would be my assumption that so long as connection was coming from a source based on the parent rule, the access role would be applied given that it contains the same source addresses. 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-17 05:38 AM
In response to Leon_Noble
Jump to solution

Exactly. All you have to remember is that,like with any fw vendor on the planet probably, fact is once traffic hits rule where it gets dropped, there is no more checking done, regardless if you had 5 or 5 million rules : - )

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-17 05:45 AM
In response to Leon_Noble
Jump to solution

I took some screenshots as well from the lab. Key is that IF you have ordered layers, just remember traffic has to be ACCEPTED on every layer, otherwise, it wont work, regardless if you have it enabled on online one.

Best,
Andy
lab-policy.docx
0 Kudos
Leon_Noble
Participant
‎2025-12-17 06:23 AM
In response to the_rock
Jump to solution

So the any any accept for the default cleanup rule of a layer is just to pass it on to the next later, rather than an allow the traffic through?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-17 06:24 AM
In response to Leon_Noble
Jump to solution

Its technically both. If you think about it, say if you have inline layer and child rule is any any drop, traffic hits that inline layer, it will get dropped, no more checking, thats it.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events