This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Richards
Contributor
‎2021-04-21 11:26 AM

Inline Layers - Application Control

I am currently working with a client who has a very large rule base. We are now creating Inline Layers in an R80.40 environment. In the current rule base they have Access Control and Application Control layers. The inline layer I created has both Access Control and Application and URL filtering as part of the layer. I was hoping to do all the application control within the layer where possible. I was also under the impression that once you entered the layer you did not leave. We did implement a new inline layer and it does work well. The problem is the the traffic that goes into the inline layer still goes through the normal application layer.  In the logs you see the Matched rule as 259 (Parent inline layer) > 259.7 (child and is accept) > 78 (Application layer rule and is a deny). I do have the same application (VNC) in the inline layer rule. Is there any way to do all the Application control in the inline layer? Thanks

 

 

 

0 Kudos
4 Replies
the_rock
Legend
Legend
‎2021-04-21 01:46 PM

You can do that, but personally, I would not recommend it and here is why. CP has an sk (cant recall the number now, but if you search app control best practices, it will come up) where it says best is to have any any allow at the bottom of the rulebase. In my opinion, thats just not smart at all...because, in reality, if your app control is say ordered layer, instead of inline, then EVERYTHING will get accepted, even if supposed to be dropped in access layer.

 

Here is what I did with one customer and it works amazing. We simply created section on the top of the rulebase with geo, app control and url filtering and beneath that, we set up bunch of inline layers and no issues at all.

I cant say that would work 100% for you, but I dont see why not. 

0 Kudos
Chris_Hoff
Contributor
‎2021-04-21 02:50 PM

All the layers of a policy have to be evaluated, regardless if there are inline policies or not. Even though once you get into an inline policy it won't "leave", that is referring to the current layer. After that layer has been evaluated, it still has to move on to the next layer. The only way to keep from evaluating additional layers is to implement that layer into the existing layer/inline policy and then remove the additional layer. 

Hope that makes sense. 

PhoneBoy
Admin
Admin
‎2021-04-21 03:39 PM

A flow must match an Accept rule in each layer the traffic is evaluated against or the traffic will be dropped.
For ordered layers, this means an Accept rule must match in each layer.
If traffic hits an inline layer (i.e. because it matches a parent rule), then the traffic must hit an Accept rule there as well.
Every layer (including inline ones) has an implicit rule at the end (drop or allow, can be configured per layer).

And yes, you can do Application Control in any/all layers as you desire.
But you have to take into account all the layers as above.
If you want to move your App Control rules to an inline layer, you can do that.
It also means you need to remove or modify the ordered layer so the traffic is accepted there as well.

Hope that makes sense.

0 Kudos
John_Richards
Contributor
‎2021-04-22 02:26 PM
In response to PhoneBoy

Thanks for all the feedback. My interpretation: I must have all the application layer rules built into either the ordered or inline rules within Access Control and then remove the Application Layer. Currently any accept traffic (whether ordered or inline) will be evaluated in the Application Layer even though I have App and URL filtering enabled on the Inline rules (so it happens twice). Somewhat confusing but makes some sense.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events