This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2016-04-26 09:33 AM
Jump to solution

Inline Layers

I know that inline layers are not supported for pre-R80 gateways, but can I even create them (for testing purposes) in R80 SmartConsole? It seems that only ordered layers are supported now?

1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2016-04-27 12:40 AM
Jump to solution

Please see the topics Layers in R80 and How do I create an Access Policy for Pre-R80 GWs?  for the list of the supported features.

R80 Management has the support for inline layers, however like you said, when using them for a pre-R80.10 GW, install policy will fail.

Setting an inline layer is done by clicking a rule's action and selecting the "Inline Layer" option. You can either select an existing layer (if it's marked as shared) or create a new one.

set-inline-layer.png

The way that inline layers work is the following: When the connection matches a parent rule that its action is an inline layer, the inline layer rules get evaluated.

Every inline layer (and also every layer) has an implicit cleanup rule that is either "any any accept" or "any any drop" set in its properties under "advanced". This means that once you go inside an inline layer, you cannot go outside back to the main layer, therefore rules in the inline layer cannot block rules that reside below the parent rule that holds them. Giving an admin the permission to only edit an inline layer will not affect the main layer that holds it.

To see the list of all layers, open the Manage Layers view from this location:

open-manage-layers.png

View solution in original post

0 Kudos
3 Replies
Tomer_Sole
Mentor
Mentor
‎2016-04-27 12:40 AM
Jump to solution

Please see the topics Layers in R80 and How do I create an Access Policy for Pre-R80 GWs?  for the list of the supported features.

R80 Management has the support for inline layers, however like you said, when using them for a pre-R80.10 GW, install policy will fail.

Setting an inline layer is done by clicking a rule's action and selecting the "Inline Layer" option. You can either select an existing layer (if it's marked as shared) or create a new one.

set-inline-layer.png

The way that inline layers work is the following: When the connection matches a parent rule that its action is an inline layer, the inline layer rules get evaluated.

Every inline layer (and also every layer) has an implicit cleanup rule that is either "any any accept" or "any any drop" set in its properties under "advanced". This means that once you go inside an inline layer, you cannot go outside back to the main layer, therefore rules in the inline layer cannot block rules that reside below the parent rule that holds them. Giving an admin the permission to only edit an inline layer will not affect the main layer that holds it.

To see the list of all layers, open the Manage Layers view from this location:

open-manage-layers.png

0 Kudos
Mohammed_Omin_B
Contributor
‎2019-02-20 10:51 PM
In response to Tomer_Sole
Jump to solution

Query: when we add the Target gateway in the InLine layer then we need to explicitly add the same targets in the rules inside? I think we need not as the InLine says for which target the rules are also even if we add any other gateway as the target inside then it will not work (traffic will not match the Inline).

Is my understanding correct?

Thanks

PhoneBoy
Admin
Admin
‎2019-02-23 06:45 PM
In response to Mohammed_Omin_B
Jump to solution

No, that is not necessary to do.

In fact, it would be redundant to do so and make it difficult to reuse the layer on a different gateway.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top