Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Harald_Hansen
Advisor
Advisor

Nested layers

I've been working with R80.10 MDS rule bases for a while. Today I was testing out the new ordered layer rule base in SmartCenter R80.10 and tried to implement something close to "global rules". My expectations were that the firewall would evaluate one layer after the other, also nested, in stead it is evaluating the policy in ordered parallell. 

Will Check Point support nested layers in the future? I think this is the way most engineers would expect the ordered layer should actually work.

8 Replies
PhoneBoy
Admin
Admin

Can you provide a concrete example of what you're trying to accomplish that you don't believe the current model supports?

0 Kudos
Harald_Hansen
Advisor
Advisor

Just a simple way of converting a MDS ruleset to SmartCenter is not supported. This would be the perfect way of using ordered layers if they were behaving in a way one would expect.

Layer one (Like MDS global ruleset above domain rules):

  • Firewall rules (like stealth rules)
  • Access to domain services etc

Layer two:

  • Local ruleset for this policy

Layer three (Like MDS global ruleset below domain rules):

  • Global access rules
  • Global drop rules
PhoneBoy
Admin
Admin

To get to Layer 2, the packet must hit an Accept rule in Layer 1.

This can be an implicit rule, which can be configured on a per-layer basis.

Or, of course, it can hit an explicit accept rule.

Help me understand why this isn’t a workable solution? 

0 Kudos
Harald_Hansen
Advisor
Advisor

Because if you have a drop rule in the last policy the packet won't be accepted, even if it is accepted in a previous policy.

0 Kudos
PhoneBoy
Admin
Admin

Yes, this is now it currently works: a packet must hit an accept rule in ALL ordered layers.

In the case of MDS Global rules, they are basically joined to the local ruleset, so it’s evaluated as one ruleset, not three.

0 Kudos
Harald_Hansen
Advisor
Advisor

Exactly. This is why we need nested layers.

As it is I cannot use ordered layers to create smart and useful policies. I can understand why the design is as is, though  in the real world we need it the other way.

 

To me, both inline and ordered layers have significant limitations that reduce the usability of either. I cry at the wasted opportunity.

0 Kudos
PhoneBoy
Admin
Admin

It seems to me you could achieve the desired result with Layer 3 in your example above by using an inline layer to represent it in Layer 2.

Specifically the last rule would have Source Any Destination Any as the last rule with action of Layer 3.

This would eliminate the problem of “must match an accept rule in Layer 3” as that layer would be entirely skipped If it matches any other rule in Layer 2.

Maybe less elegant than you’re thinking, but seems like it should achieve the desired result.

Harald_Hansen
Advisor
Advisor

Yes, that's a good idea. I have experimented a bit with this regarding the stealth rules, but didn't think of using it for the entire policy.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events