This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ismar_Efendic
Participant
‎2016-07-25 04:52 AM
Jump to solution

Policy and multiple layers behavior

Hello

could you please guide me understanding how rule base checks are done with different layers?

for example i have one policy with 3 layers, 2 layers are shared. when the incoming connection comes will this mean it will first for thru first layer then second and third then get dropped or the first drop rule hit? 

thank you

ismar

0 Kudos
1 Solution

Accepted Solutions
7 Replies
Tomer_Sole
Mentor
Mentor
‎2016-07-25 04:56 AM
Jump to solution

see this guide for clarity Layers in R80

0 Kudos
Ismar_Efendic
Participant
‎2016-07-25 05:19 AM
In response to Tomer_Sole
Jump to solution

thank you great help

could you direct me to more detail explanation when defining Ordered layers?

do we only need clean up rule in last layer?

thank you

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2016-07-25 06:00 AM
In response to Ismar_Efendic
Jump to solution

Please see the following guides for:

Regarding cleanup rules:

You don't have to define clean up rules explicitly. Each layer has an implicit cleanup rule - either any any accept, or any any drop.

In R7x SmartDashboard we had this generalized - implicit any any drop for the Firewall policy and implicit any any accept for the Application Control policy.

You can control the implicit cleanup rule when you edit a layer and go the the "Advanced" page:

implicit-cleanup.png

Although it's usually a good best practice to create that cleanup rule explicitly on the rulebase.

0 Kudos
Ismar_Efendic
Participant
‎2016-07-25 06:20 AM
In response to Tomer_Sole
Jump to solution

And last thing from my on this topic, is it possibly to have 2 Firewall layers in one Policy?

Tomer_Sole
Mentor
Mentor
‎2016-07-25 06:33 AM
In response to Ismar_Efendic
Jump to solution

Only for R80.10 GW's and above. Having more than 1 ordered layer for Firewall for pre-R80 GW's will fail policy installation.

Let me know if you have other questions for layers in R80. Other than the discussions that I've linked so far, you can also check the admin guide for general recommendations.

0 Kudos
Ismar_Efendic
Participant
‎2016-07-25 06:37 AM
In response to Tomer_Sole
Jump to solution

Is this also same for Inline Layer?

When will R80 be available for GW's?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2016-07-25 06:45 AM
In response to Ismar_Efendic
Jump to solution

Yes, inline layers have the same editor, and they have the same settings for the implicit cleanup rule.

Using inline layers requires an R80.10 GW, but because R80.10 will be a minor release, the Security Management server and SmartConsole applications are already prepared for designing this type of policies.

For R80.10 release date it is best to follow the Check Point Release Plan.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top