This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tom_Cripps
Advisor
‎2019-10-02 06:45 AM

Inline Layers vs Ordered Layers - Who's more efficient

Hi,

Recent discussion here at the office, what is more efficient in regards to Layers. Is it better to more rules within a single layer, or use ordered layers to achieve the same goal.

@Tomer_Sole do you have anything to add?

0 Kudos
16 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-10-02 06:57 AM

I would assume that this largely depends on the production environment, type and amount of traffic and used blades...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-02 02:05 PM

I don't know that it makes much of a difference performance-wise.
What would be the reason for using multiple ordered layers?
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-02 02:23 PM
In response to PhoneBoy

To simplify and make huge policies more readable?
When large policies are setup more like zone based policies you can build a policy that is a lot simpler to look at when you can drill down into the layers where specific DMZ's are completely taken care of, in and outbound.
Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-02 04:27 PM
In response to Maarten_Sjouw

I could see inline layers being used to create zone-based policies.
Not sure how that would work with ordered layers.
0 Kudos
Tom_Cripps
Advisor
‎2019-10-03 03:14 AM
In response to PhoneBoy

Hi Daemon,

We currently have an inline layer with two rules at the end of it currently serving as a catch all. My plan was to either include within the layer which is accepted then have a final clean up rule with Deny all of other traffic, or make the catch all go to another and within there I then govern access. 

Make sense?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-03 10:02 AM
In response to Tom_Cripps

Keep in mind if you use Ordered Layers, the traffic must hit an Accept rule in EACH ordered layer.
For the use case you describe, I'm not seeing where Ordered Layers makes sense.
Tom_Cripps
Advisor
‎2019-10-07 01:52 AM
In response to PhoneBoy

I see to have been confused with descriptions, see my later comment. A layer within a layer is still an inline layer, that I wasn't aware of.

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2019-10-03 11:54 AM

Inline layers are the beauty of R80.x, one of the many new features why it's better than previous versions. With ordered layers there is not much change to the earlier behavior in R77.x where you had separate firewall and application control policies.

With inline layers you can simplify complex unified policies by segmenting them into separate sub-policies. Use security zones in parent rules.

So, to answer your question inline layers are much more efficient way of creating policies. By efficiency I don't mean only the CPU power, but the simplified way building your security policies.

0 Kudos
Tom_Cripps
Advisor
‎2019-10-04 08:13 AM
In response to Lari_Luoma

Is a layer within an Inline layer classed as an Inline layer still?

0 Kudos
phlrnnr
Advisor
‎2019-10-04 08:42 AM
In response to Tom_Cripps

Yes, an inline layer within an inline layer is also an inline layer.

(Say that 3 times fast)

Tom_Cripps
Advisor
‎2019-10-07 01:53 AM
In response to phlrnnr

Ah, that's where I'm getting confused then.

0 Kudos
phlrnnr
Advisor
‎2019-10-07 07:17 AM
In response to Tom_Cripps

It is my understanding that once traffic matches an inline layer, you will never leave that inline layer.  You will either match a rule in the layer, or be dropped / accepted by the Cleanup rule at the bottom of the inline layer.  However, you can match a generic inline layer (eg. All traffic to the Internet) and then match another (more specific) inline layer that is inside of the generic one (eg. Authenticated users to the Internet).  However, the same rules apply.  You cannot leave the inline layer -- you must match a rule in that layer, or get dropped/accepted by the Cleanup rule at the bottom of the layer.

I hope that helps!

FedericoMeiners
Advisor
‎2019-10-04 08:23 AM
In response to Lari_Luoma

I guess that I misunderstood the meaning of ordered layers.

The performance impact is huge, the following graphic is from a customer where we migrated ordered layers from Access and Application control to Inline layers with Access + Application control.

Active blades: IPS, AV, AB, URLF, AppCtrl, HTTPS Inspection / Distributed deployment - Cluster of x2 5600 appliances with R80.10

Blue is memory usage, I guess that you can clearly see the before/after.

WhatsApp Image 2019-10-04 at 12.20.09.jpeg

 

____________
https://www.linkedin.com/in/federicomeiners/
phlrnnr
Advisor
‎2019-10-04 08:38 AM
In response to FedericoMeiners

That looks like a memory leak being reset at time of reboot 😀

FedericoMeiners
Advisor
‎2019-10-04 08:40 AM
In response to phlrnnr

Indeed but it isn't 🤣 I can assure you that memory consumption has lowered like 50% average.

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-10-04 09:33 PM
In response to FedericoMeiners

The reduction in memory usage shown on the graph was due to a reboot, not ordered vs. inline layers.  Notice the small gap in the graph lines just before the big drop, that was while the system was rebooting and until the first set of graph data was written.  This drop in memory usage is typical after a reboot since the longer a system is up, the more memory is utilized for buffering/caching of disk operations (up to a certain point that will not adversely impact the system of course).   A reboot starts the memory used for buffering/caching back at a low value and it slowly grows again.

As stated in my Max Power book, I don't see a huge difference in ordered vs. inline layers as far as rulebase lookup overhead on the firewall in the F2F path (R80.10 and earlier) or the F2V path (R80.20+).  It is on my to-do list to take a closer look at this in near future and try to quantify the difference a bit more.  Inline layers can most definitely be easier to manage than ordered layers, and consume less of an administrator's time trying to find and modify rules in day-to-day operations.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events