This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
PhoneBoy
Admin
Admin
‎2016-02-01 05:41 PM

Layered policies and pre-R80 gateways

Jump to solution

Given that a lot of the functionality that layers provides won't actually be available until R80 Gateway is released, I'm trying to understand what benefits someone might achieve by using layered policies before R80 Gateway becomes available, if they even can.

I understand some of the R7x functionality today (e.g. IPS, Threat Prevention, App Control/URL Filtering) will map to fixed layers in the new policy-layers that can be changed once R80 gateway becomes available.

Can anyone explain to me at a high level how this works?

1 Solution

Accepted Solutions
Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2016-02-01 10:12 PM

Jump to solution

Please find the list of functionality that is given for Pre-R80 and R80.10 Gateways in the thread Layers in R80 . There are new benefits for all Gateway versions with layers, such as permissions per layer, and sharing of the same layer across multiple policies. The linked topic also explains how layers work in both Access Control and Threat Prevention worlds.

View solution in original post

5 Replies
Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2016-02-01 10:12 PM

Jump to solution

Please find the list of functionality that is given for Pre-R80 and R80.10 Gateways in the thread Layers in R80 . There are new benefits for all Gateway versions with layers, such as permissions per layer, and sharing of the same layer across multiple policies. The linked topic also explains how layers work in both Access Control and Threat Prevention worlds.

PhoneBoy
Admin
Admin
‎2016-02-02 06:09 AM
In response to Tomer_Sole

Jump to solution
Read that post after I posted this.

That definitely helped. 

Assuming all blades, can you explain what order the different layers are evaluated in?

Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2016-02-03 02:38 AM
In response to PhoneBoy

Jump to solution

For Access Control, Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

For Threat Prevention, the different layers are evaluated on top of each other: Threat Prevention completes IPS in the same scopes. If there are contradicting rules in the different layers (functionality available for R80.10 Gateways and above), earliest layers take precedence.

PhoneBoy
Admin
Admin
‎2016-02-03 08:26 AM
In response to Tomer_Sole

Jump to solution

That doesn't answer my question.

I'm asking specifically about the individual layers (i.e. what do we call them) and the exact order they are evaluated in (assuming I match an "allow" in each one).

Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2016-03-03 08:48 AM

Jump to solution

Supposed that we have the 3 ordered layers as configured in the images below.

If a user inside Network51 attempts to access the IIS_Host through a gambling site in HTTPS, this is what the Gateway will evaluate:

- first, it will evaluate the rules in layer 1 "Network" and find an accept match at rule 3.

- then, because this is an "accept" match, it will evaluate the rules in layer 2 "Applications". It will match at the drop rule 1. Because this is a "drop" rule, the next ordered layers will not be evaluated at all and the connection will be dropped.

Hope this helps

network.png  applications.png  security-zones.png