Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
dehaasm
Collaborator
Jump to solution

Maximum layers support 231

We currently use more then 231 layers and are unable to install the policy it seems not to be supported.

Are there any ways to increase this value perhaps in R81.20 or perhaps on the roadmap?

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

I thought this limit was higher (251), but this goes back to R80.10.
The current limit appears to be 231: https://support.checkpoint.com/results/sk/sk171551

In the last several years, this question has come up only a few times.
That leads me to believe few customers actually encounter this limit.
Therefore, I'm not sure there are any specific plans to increase it.

What is the precise use case for this many layers?

View solution in original post

12 Replies
PhoneBoy
Admin
Admin

I thought this limit was higher (251), but this goes back to R80.10.
The current limit appears to be 231: https://support.checkpoint.com/results/sk/sk171551

In the last several years, this question has come up only a few times.
That leads me to believe few customers actually encounter this limit.
Therefore, I'm not sure there are any specific plans to increase it.

What is the precise use case for this many layers?

dehaasm
Collaborator

The use case is basically to divide the policies into specific flows, for example each partner has its own layer, user flows to specific vlans/security domains have dedicated layers, application flow for each environment (DEV, TEST, QA and PROD) have specific layers. Within each layer a customer can easily go into blocking more for the specific layer/traffic flow. It also makes the policy very organized like a explorer folder structure.

I agree it is perhaps a lot of layers but I don't understand what would be the technical limitation on the system, i guess something that could be easily extended to lets say 1000.

0 Kudos
PhoneBoy
Admin
Admin

Seems like a sensible approach to me. 
Tagging @Tomer_Noy for visibility of this interesting use case.

I could see there being limits in both the gateway and the management related to this, making it a less simple matter to increase the limit.
Recommend approaching your local Check Point office with this RFE.

0 Kudos
dehaasm
Collaborator

We are able to create more than 231 layers on the SMS without an issue, it seems that the gateway does not allow it and therefor does not load the policy with installation error. Sure we can contact our local SE contact to consider this and address a RFE.

0 Kudos
Tomer_Noy
Employee
Employee

The layer number limitation is indeed on the gateway side. Adding @Nachum_Moshe for visibility.

An RFE is probably a good way to promote such a request.

0 Kudos
Peter_Thome
Participant

Is there a way to get the number of layers in use in a policy Package without counting manually ?

KR, Peter

 

0 Kudos
Alex-
Leader Leader
Leader

 

 ACL=$(mgmt_cli -r true show-access-layers -f json | jq -r '.total');TPL=$(mgmt_cli -r true show-threat-layers -f json | jq -r '.total');HIL=$(mgmt_cli -r true show-https-layers -f json | jq -r '.total');echo "$ACL Access layers, $TPL Threat Prevention layers, $HIL HTTPS Inspection layers. "; echo -e "Total $(expr $ALC + $TPL + $HIL)"

 

 

 

0 Kudos
PhoneBoy
Admin
Admin

That will only give you the number of top-level "Ordered" layers.
To find the inline layers in use, you will have to parse the policy layer(s) involved.

0 Kudos
Alex-
Leader Leader
Leader

I have an SMS with only inline layers in the Access policies and no ordered layer and with the show-x-layers I see them all in the JSON output with show-x-layers.

[Expert@SomeSMS:0]# ACL=$(mgmt_cli -r true show-access-layers -f json | jq -r '.total');TPL=$(mgmt_cli -r true show-threat-layers -f json | jq -r '.total');HIL=$(mgmt_cli -r true show-https-layers -f json | jq -r '.total');echo "$ACL Access layers, $TPL Threat Prevention layers, $HIL HTTPS Inspection layers. "; echo -e "Total $(expr $ACL + $TPL + $HIL)"


41 Access layers, 8 Threat Prevention layers, 1 HTTPS Inspection layers.
Total 50

0 Kudos
PhoneBoy
Admin
Admin

This shows you the number of layers you've defined across your SMS.
It doesn't tell you how many of those layers are being used in a given policy package (which is where the limit comes into play).
However, this is useful none the less. 

0 Kudos
Alex-
Leader Leader
Leader

You're absolutely right, I stand corrected.

0 Kudos
PhoneBoy
Admin
Admin

We don't provide a mechanism that gives you a direct count of the number of layers in use in a given policy package.

It is possible to programmatically count the number of layers in use via the API.
Start with the policy package in use: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-package~v1.9%20
This will list the top-level policy layers in use for both Access Policy and Threat Prevention.

Most likely it is the Access Policy where you are using a number of layers...and most likely they are inline layers.
These will not be listed directly via show-package, they must be found through parsing the individual rules in the layer, which will have the action "Apply Layer" if an inline-layer is used.
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.9%20 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events