Dear colleagues, can anyone help me with the network layer and application control? I'm trying to understand why I have to put the same network rules in application control. It should read in the network sequence after application, and it only takes effect when the rules are in the application layer. If you look at the image, you will see rule number 3 in the network layer, and the same rule only has effect on rule number 8 of the application layer. If I remove it from the application layer, it stops working. I'm so confused about it! They should read the network layer and apply the rule, no?
Thanks Tomer, but I'm still confused... if you look at my image, why did the policy in the network layer have no effect? Why does the inspection move to the next layer, application control, and only the same rule there works?
Accept on the first ordered layer means that processing will happen on the next ordered layer. So you need to make sure your traffic is accepted in the layer chain.
Drop on any layer means to immediately drop the traffic.
Hi,
The reason is your Drop rule in the Application layer. When you get a hit in the Network layer it jumps to the Application layer. If it doesn't find a rule there that matches, it will hit the Drop rule in the Application layer.
Scenario 1: You have rules active both in the Network and Application layer.
You get a hit on the rule in the Network layer, so it jumps to the Application layer. You also get a hit in the Application layer, so it's accepted and everything is fine.
Scenario 2: Just a rule in the Network layer.
You get a hit on the rule in the Network layer, so it jumps to the Application layer. You don't get a hit on any rules there, so it hits the last rule, which is Drop. The packet is dropped and it stops there.
Scenario 3: Just a rule in the Application layer.
No rule is matched in the Network layer, so it hits the last rule in your Network layer, which is Drop. The packet is dropped and it stops there.
How to avoid the duplicate rules? Two options:
1. On your Application layer, change the last rule from Drop to Allow for any-any. This means that you will now have to make sure all the Drop rules for the Application layer come before the last Allow rule. Then you don't have to have duplicate rules in the Application layer.
2. Combine your Network layer and Application layer into just 1 layer. Right-click on your Network layer

Select Edit policy > + sign. Add the Application layer so you get something like this. Now you can use categories in your Network layer.

Move all the rules from your Application layer into the Network layer. If you still keep the Application layer, it will still hit the Drop rule in the Application layer.
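The three scenarios and option 1 from the answer above, as an added Python model of ordered-layer matching (accept in one layer hands the packet to the next, drop anywhere is final, no match in a layer means the cleanup drop). This is example code written for this page, not Check Point's own; the rule and packet objects are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    svc: str
    action: str  # "accept" or "drop"

    def matches(self, pkt):
        # "any" is a wildcard; otherwise the field must match the packet exactly
        return all(want in ("any", pkt[key])
                   for key, want in (("src", self.src), ("dst", self.dst), ("svc", self.svc)))

def evaluate(layers, pkt):
    """First matching rule decides a layer: accept -> next layer, drop -> final,
    no match -> cleanup drop. Accepted only when every layer accepts."""
    trace = []
    for layer_name, rules in layers:
        hit = next((r for r in rules if r.matches(pkt)), None)
        if hit is None:                      # implicit cleanup drop
            trace.append(f"{layer_name}: no match -> drop")
            return "drop", trace
        trace.append(f"{layer_name}: {hit.name} -> {hit.action}")
        if hit.action == "drop":
            return "drop", trace
    return "accept", trace                   # accepted by every layer

# Constructed sample rules and packets (not taken from the thread's screenshots)
CLEANUP = Rule("cleanup", "any", "any", "any", "drop")
ALLOW_WEB = Rule("allow-web", "lan", "any", "http", "accept")
BLOCK_SOCIAL = Rule("block-social", "any", "social", "any", "drop")
ANY_ANY_ACCEPT = Rule("allow-rest", "any", "any", "any", "accept")
WEB_PKT = {"src": "lan", "dst": "internet", "svc": "http"}
SOCIAL_PKT = {"src": "lan", "dst": "social", "svc": "http"}

def two_layers(network_rules, app_rules, pkt=WEB_PKT):
    """Scenarios 1-3: two ordered layers, each ending in an explicit cleanup drop."""
    return evaluate([("Network", network_rules + [CLEANUP]),
                     ("Application", app_rules + [CLEANUP])], pkt)

def option1(network_rules, app_drop_rules, pkt=WEB_PKT):
    """Option 1: the Application layer ends in an any-any accept, so only its
    drop rules are listed and the Network layer's accepts are not duplicated."""
    return evaluate([("Network", network_rules + [CLEANUP]),
                     ("Application", app_drop_rules + [ANY_ANY_ACCEPT])], pkt)
```

`two_layers([ALLOW_WEB], [])` reproduces scenario 2 (dropped by the Application cleanup rule), and `option1([ALLOW_WEB], [BLOCK_SOCIAL], SOCIAL_PKT)` shows the drop rule still taking effect ahead of the final any-any accept.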
Best answer! Now it's clear! Check Point at times is very stupid! In my understanding of security, if the rule is found, it stops inspecting the rest of the rules. It's totally stupid: it reads the network layer, and then goes on to the application layer, even if the rule was found previously. What I did was remove the application layer and enable it inside the network layer.
It does not make any sense to repeat rules; the separate application control, for me, serves to organize what is URL, application, etc. Otherwise they would be network rules!
From: Enis Dunic <donotreply@checkpoint.com>
Sent: Wednesday, 20 June 2018 13:43
To: Alexandre Cipriano <alexandre@datagroupit.com>
Subject: Re: - Re: Network Layer x Application control Layer problem
The different layers (inline versus ordered) allow many different types of policy management schemes.
They also allow the management of pre-R80 gateways which do not support unified policies.
More specifically, pre-R80 gateways require different policies (layers) for some blades.
For traffic to pass through, an accept rule must be matched in all layers.
If your gateways are all R80.10, then you can use a single policy layer with all blades active, or even use inline layers.