Create a Post
Showing results for 
Search instead for 
Did you mean: 

Inline layer vs separate rules

I finally got my firewalls all updated to R80.20 so now I'm looking at taking advantage of the layer options. One thing that occurred to me and I haven't been able to find an answer so far is how to best optimize rules when taking the inline layers into account.

For example, say I have a firewall management rule section that allows certain traffic to the firewall. One rule for SSH/HTTPS from managers, one for DHCP requests to the firewalls, one for SNMP from our monitoring servers, etc. Is there a reason not to make those an inline policy with the main policy just src: Any dst: Firewalls svc: Any? Would doing it as an inline layer speed up the firewall itself, or does it split it out into the separate layers when it pushes policy (the inline layers are just for management ease of use/reuse)?


0 Kudos
1 Reply

The three main reasons for inline layer policies are:

  • performance improvements
  • ease of re-use
  • delegation

So your example would be valid under the terms of performance improvement. Makes the biggest sense with traffic causing the most performance impact on your Firewall. Typically web-traffic. You‘ll find a good example for this in SmartConsole R80.20 Demo Mode (rules 4 -> 4.9).

0 Kudos