I am currently working with a client who has a very large rule base. We are now creating Inline Layers in an R80.40 environment. In the current rule base they have Access Control and Application Control layers. The inline layer I created has both Access Control and Application and URL filtering as part of the layer. I was hoping to do all the application control within the layer where possible. I was also under the impression that once you entered the layer you did not leave. We did implement a new inline layer and it does work well. The problem is the traffic that goes into the inline layer still goes through the normal application layer. In the logs you see the Matched rule as 259 (Parent inline layer) > 259.7 (child and is accept) > 78 (Application layer rule and is a deny). I do have the same application (VNC) in the inline layer rule. Is there any way to do all the Application control in the inline layer? Thanks
You can do that, but personally, I would not recommend it and here is why. CP has an sk (can't recall the number now, but if you search app control best practices, it will come up) where it says best is to have any any allow at the bottom of the rulebase. In my opinion, that's just not smart at all...because, in reality, if your app control is say ordered layer, instead of inline, then EVERYTHING will get accepted, even if supposed to be dropped in access layer.
Here is what I did with one customer and it works amazing. We simply created section on the top of the rulebase with geo, app control and url filtering and beneath that, we set up bunch of inline layers and no issues at all.
I can't say that would work 100% for you, but I don't see why not.
All the layers of a policy have to be evaluated, regardless if there are inline policies or not. Even though once you get into an inline policy it won't "leave", that is referring to the current layer. After that layer has been evaluated, it still has to move on to the next layer. The only way to keep from evaluating additional layers is to implement that layer into the existing layer/inline policy and then remove the additional layer.
Hope that makes sense.
A flow must match an Accept rule in each layer the traffic is evaluated against or the traffic will be dropped.
For ordered layers, this means an Accept rule must match in each layer.
If traffic hits an inline layer (i.e. because it matches a parent rule), then the traffic must hit an Accept rule there as well.
Every layer (including inline ones) has an implicit rule at the end (drop or allow, can be configured per layer).
And yes, you can do Application Control in any/all layers as you desire.
But you have to take into account all the layers as above.
If you want to move your App Control rules to an inline layer, you can do that.
It also means you need to remove or modify the ordered layer so the traffic is accepted there as well.
Hope that makes sense.
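To make the layer evaluation described above concrete, here is a small added model of ordered and inline layer matching (example code, not from this thread and not Check Point's own implementation). The rule numbers follow the log in the original question (259 > 259.7 > 78); the rule contents, the flow fields and the implicit-rule actions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Layer:
    name: str
    rules: list
    implicit: str = "drop"          # implicit cleanup action at the end of this layer

@dataclass
class Rule:
    num: str                        # rule number as shown in the log, e.g. "259.7"
    match: dict                     # field -> required value; a missing field means Any
    action: str                     # "accept" or "drop" (ignored when inline is set)
    inline: Optional[Layer] = None  # child inline layer if this is a parent rule

def matches(rule, flow):
    return all(flow.get(k) == v for k, v in rule.match.items())

def eval_layer(layer, flow, path):
    """First match wins. Entering an inline layer never returns to the parent's
    remaining rules; the inline layer's own implicit rule applies instead."""
    for rule in layer.rules:
        if matches(rule, flow):
            path.append(rule.num)
            if rule.inline:
                return eval_layer(rule.inline, flow, path)
            return rule.action
    path.append(f"{layer.name}:implicit")
    return layer.implicit

def eval_policy(layers, flow):
    """Every ordered layer must accept the flow; the first non-accept ends it."""
    path = []
    for layer in layers:
        if eval_layer(layer, flow, path) != "accept":
            return "drop", path
    return "accept", path

# Constructed policy mirroring the thread's log: parent rule 259 with inline child
# 259.7 accepting VNC, then an ordered Application layer whose rule 78 drops VNC.
INLINE_259 = Layer("259", [Rule("259.7", {"app": "VNC"}, "accept")])
NETWORK = Layer("Network", [Rule("259", {"src": "lan"}, "accept", inline=INLINE_259)])
APP_CONTROL = Layer("Application", [Rule("78", {"app": "VNC"}, "drop"), Rule("79", {}, "accept")])

def as_posted(flow):          # both layers, as in the thread: 259 > 259.7 > 78 -> drop
    return eval_policy([NETWORK, APP_CONTROL], flow)

def app_layer_removed(flow):  # App Control done only inside the inline layer
    return eval_policy([NETWORK], flow)
```

The returned path reproduces the matched-rule chain from the log, and the second function shows that removing the ordered Application layer only changes the verdict once the application rules it enforced live inside the inline layer.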
Thanks for all the feedback. My interpretation: I must have all the application layer rules built into either the ordered or inline rules within Access Control and then remove the Application Layer. Currently any accept traffic (whether ordered or inline) will be evaluated in the Application Layer even though I have App and URL filtering enabled on the Inline rules (so it happens twice). Somewhat confusing but makes some sense.