This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Harald_Hansen
Advisor
Advisor
‎2018-11-13 06:55 AM

Nested layers

I've been working with R80.10 MDS rule bases for a while. Today I was testing out the new ordered layer rule base in SmartCenter R80.10 and tried to implement something close to "global rules". My expectations were that the firewall would evaluate one layer after the other, also nested, in stead it is evaluating the policy in ordered parallell. 

Will Check Point support nested layers in the future? I think this is the way most engineers would expect the ordered layer should actually work.

8 Replies
PhoneBoy
Admin
Admin
‎2018-11-15 10:09 AM

Can you provide a concrete example of what you're trying to accomplish that you don't believe the current model supports?

0 Kudos
Harald_Hansen
Advisor
Advisor
‎2018-11-15 10:54 AM
In response to PhoneBoy

Just a simple way of converting a MDS ruleset to SmartCenter is not supported. This would be the perfect way of using ordered layers if they were behaving in a way one would expect.

Layer one (Like MDS global ruleset above domain rules):

  • Firewall rules (like stealth rules)
  • Access to domain services etc

Layer two:

  • Local ruleset for this policy

Layer three (Like MDS global ruleset below domain rules):

  • Global access rules
  • Global drop rules
PhoneBoy
Admin
Admin
‎2018-11-15 11:12 AM
In response to Harald_Hansen

To get to Layer 2, the packet must hit an Accept rule in Layer 1.

This can be an implicit rule, which can be configured on a per-layer basis.

Or, of course, it can hit an explicit accept rule.

Help me understand why this isn’t a workable solution? 

0 Kudos
Harald_Hansen
Advisor
Advisor
‎2018-11-15 11:16 AM
In response to PhoneBoy

Because if you have a drop rule in the last policy the packet won't be accepted, even if it is accepted in a previous policy.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-15 11:50 AM
In response to Harald_Hansen

Yes, this is now it currently works: a packet must hit an accept rule in ALL ordered layers.

In the case of MDS Global rules, they are basically joined to the local ruleset, so it’s evaluated as one ruleset, not three.

0 Kudos
Harald_Hansen
Advisor
Advisor
‎2018-11-15 12:22 PM
In response to PhoneBoy

Exactly. This is why we need nested layers.

As it is I cannot use ordered layers to create smart and useful policies. I can understand why the design is as is, though  in the real world we need it the other way.

 

To me, both inline and ordered layers have significant limitations that reduce the usability of either. I cry at the wasted opportunity.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-15 04:43 PM
In response to Harald_Hansen

It seems to me you could achieve the desired result with Layer 3 in your example above by using an inline layer to represent it in Layer 2.

Specifically the last rule would have Source Any Destination Any as the last rule with action of Layer 3.

This would eliminate the problem of “must match an accept rule in Layer 3” as that layer would be entirely skipped If it matches any other rule in Layer 2.

Maybe less elegant than you’re thinking, but seems like it should achieve the desired result.

Harald_Hansen
Advisor
Advisor
‎2018-11-16 12:44 AM
In response to PhoneBoy

Yes, that's a good idea. I have experimented a bit with this regarding the stealth rules, but didn't think of using it for the entire policy.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events