Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniel_Fischler
Contributor
Contributor
Jump to solution

Multiple Layers with Firewall Rules (Access Control)

I know that in R80.10 you can add multiple Layers in the Access Control Part of the Policy.

My understanding is, that if there is an accept in the first layer, the next Layer is checked and so on.

If I use the implicit accept setting in the all Layers (except the last one) all layers are allways checked.

So only connections that are accepted in all Layers (either implicit or by a explicit rule) are accepted.

But what happens with the well known hiding problem?

  • Will a rule in Layer 1 hide a rule in Layer 2? Will I be able to install the policy if in Layer 1 and Layer to are the same rules?

What about the max number of Layers?

  • Can I use 200 Layers in a Policy (instead of 200 sections in one Layer)
CCSM-E | CCVS
1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor

Hi Daniel,

1. You will be able to install the policy if layer 1 and 2 have the same rules. In general, we recommend to have your first layer as the "overview" of your policy, while the rest of the ordered layers should handle the more specific cases - for example, additional blade inspection, or "generally drop" rules to ensure that cross-segments traffic to sensitive areas is always dropped.

2. You can install hundreds of ordered layers, although this is probably not the most recommended approach, just in terms of ease of management. Since ordered layers consider the rules of each layer for every traffic, I think that for transforming sections into the "rules and exceptions" type of pattern, you might want to consider inline layers.

So while theoretically you are raising some interesting points, they might have better alternative recommendations when implementing these architectures. I would like to hear more about the practical cases (if you prefer in private messages that's also fine).

View solution in original post

3 Replies
Tomer_Sole
Mentor
Mentor

Hi Daniel,

1. You will be able to install the policy if layer 1 and 2 have the same rules. In general, we recommend to have your first layer as the "overview" of your policy, while the rest of the ordered layers should handle the more specific cases - for example, additional blade inspection, or "generally drop" rules to ensure that cross-segments traffic to sensitive areas is always dropped.

2. You can install hundreds of ordered layers, although this is probably not the most recommended approach, just in terms of ease of management. Since ordered layers consider the rules of each layer for every traffic, I think that for transforming sections into the "rules and exceptions" type of pattern, you might want to consider inline layers.

So while theoretically you are raising some interesting points, they might have better alternative recommendations when implementing these architectures. I would like to hear more about the practical cases (if you prefer in private messages that's also fine).

Daniel_Fischler
Contributor
Contributor

There are two practical cases:

  • Migration / Rebuilding the policy: If you want to revise your policy you can make the "old" policy the second layer while the "new" policy is in the first layer. At the end of the first layer you have a accept rule with log as long as your work is in progress. If you have a mistake in the first layer, the "old" rule is still there as a backup. Because the new rules will hide the existing rules it is not possible to have it in the same layer (this case was a problem in pre R80) .
  • One idea to build a rule is "by application". This means you have all rules that handle a specific application close together. If you want to build your policy with all "needed" rules for a specific application (i.e. under one section-title) the chance that one application hides rules of another application is very high. If you are doing in traditionaly (R77 style) you have to merge rules or you have to omit the rule in the later application. The result is, that you cannot have the "correct" rule on the correct place. Doing it in layers instead of sections would solve this problem. But I can see that it not a good idea. All traffic has to go through all layers because the later layers are not more specific that the earlier ones. So I cannot drop traffic in earlier layers.

It would be nice if you have a alternative recommendation for these scenarios. The best solution would be if I could enable the possibility of having hiding rules. So that I can install policies with hiding and only get a warning and not a failing.

CCSM-E | CCVS
0 Kudos
Tomer_Sole
Mentor
Mentor

Hi Daniel,

  • Migration / Rebuilding the policy: If you want to revise your policy you can make the "old" policy the second layer while the "new" policy is in the first layer. At the end of the first layer you have a accept rule with log as long as your work is in progress. If you have a mistake in the first layer, the "old" rule is still there as a backup. Because the new rules will hide the existing rules it is not possible to have it in the same layer (this case was a problem in pre R80) .

This is an interesting approach, but I have a question: since drops are definite drops, and do not proceed to the next ordered layer, how do you organize your new policy in the new first layer, so that if you have mistakes the "old" layer (now the second layer) overcomes? Are you simply setting all of your rules in the first layer as accept?

  • One idea to build a rule is "by application". This means you have all rules that handle a specific application close together. If you want to build your policy with all "needed" rules for a specific application (i.e. under one section-title) the chance that one application hides rules of another application is very high. If you are doing in traditionaly (R77 style) you have to merge rules or you have to omit the rule in the later application. The result is, that you cannot have the "correct" rule on the correct place. Doing it in layers instead of sections would solve this problem. But I can see that it not a good idea. All traffic has to go through all layers because the later layers are not more specific that the earlier ones. So I cannot drop traffic in earlier layers.

My personal recommendation is to consider using inline layers for that, and perhaps restructure your policy so that every parent rule is by application in order to avoid possibility of rule shadowing.

But other people might have different thoughts.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events