Dale_Lobb
Advisor

Questions about inline layers for VPN rules

Currently, I have several hundred firewall rules at the top of my network access policy devoted to about 150 VPNs to partner interoperable devices.  I would like to simplify this somewhat by creating one parent rule per VPN peer and an inline layer for the VPN traffic rules.  This would obviously require one inline layer for each of the VPNs and one VPN community for each, as well.  The policy for each VPN would look something like this:

No.   source     dest       vpn            service   action
1     any        any        vpn community  any       inline layer   (parent rule)
1.1   vpn src1   vpn dst1   ????           svc1      allow
1.2   vpn src2   vpn dst2   ????           svc2      allow
1.3   any        any        any            any       deny           (inline cleanup)
2     some other access policy rules

Questions:

  1. Are there any limits in recent versions of CheckPoint Quantum for the number of inline layers?   sk154435 no longer mentions a limit.
  2. Are there any limits to the number of VPN communities one can have?
  3. Do I need to put the vpn community in all of the rules of the inline layer?  Note that if I put the vpn community into the inline cleanup rule, it no longer counts as a cleanup rule and I get a message stating that an implicit cleanup is now in force.
  4. If I disable the parent rule, does it implicitly disable the inline layer as well?  Or do I also need to disable the inline layer rules to be safe?  Note that it looks quite strange to have a floating implicit cleanup rule message in the middle of the policy if one disables all the rules of the inline layer along with the parent rule.
2 Replies
PhoneBoy
Admin
Admin
  1. The last “limit” I heard for the number of policy layers per policy package was ~250. This isn’t a hard limit, as I believe the main issue was SmartConsole would crash with that many policy layers. However, this was with R80.10 and a lot of improvements have been made since… 
  2. Not aware of a limit to the number of VPN communities one can have. Having said that, R81.20 should improve performance with lots of VPN peers.
  3. If you use the VPN community in your parent rule, it is not necessary to use the VPN community in the inline layer since the inline layer will only apply if the parent rule matches.
  4. If you disable the parent rule, you do not need to disable any of the rules in the inline layer as they will never be reached.
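To make the answer above checkable against a real rulebase, here is an added example that is not from the thread or from Check Point: a small Python linter over a constructed, simplified rule model (the field names are assumptions, not the Management API schema) that flags child rules repeating the parent's VPN community (answer 3), inline layers whose last rule is not a true any/any/any/any drop (the cleanup caveat from question 3), and inline layers under a disabled parent (answer 4).

```python
from dataclasses import dataclass, field
ANY = "Any"
@dataclass
class Rule:
    name: str
    src: str = ANY
    dst: str = ANY
    vpn: str = ANY            # VPN community column, "Any" when left unset
    svc: str = ANY
    action: str = "Accept"    # "Accept", "Drop" or "Inline Layer"
    enabled: bool = True
    inline: list = field(default_factory=list)   # child rules when action is "Inline Layer"

def is_explicit_cleanup(r: Rule) -> bool:
    # As the question notes, a "cleanup" that names a VPN community no longer counts as one.
    return (r.src, r.dst, r.vpn, r.svc, r.action) == (ANY, ANY, ANY, ANY, "Drop")

def lint_inline_layers(rules: list) -> list:
    """Return (rule name, finding) pairs for each parent rule that opens an inline layer."""
    findings = []
    for parent in rules:
        if parent.action != "Inline Layer":
            continue
        if not parent.enabled:
            # Answer 4: nothing below a disabled parent is ever reached.
            findings.append((parent.name, "parent disabled: inline layer is unreachable as-is"))
            continue
        for child in parent.inline:
            # Answer 3: the layer is only evaluated once the parent has matched the community.
            if parent.vpn != ANY and child.vpn == parent.vpn:
                findings.append((child.name, f"VPN community {parent.vpn!r} is redundant, parent already matched it"))
        if not parent.inline or not is_explicit_cleanup(parent.inline[-1]):
            findings.append((parent.name, "no explicit cleanup rule: the layer's implicit cleanup is in force"))
    return findings
# Constructed sample policy modelled on the rulebase sketched in the question (hypothetical names).
PARTNER_A = Rule("1 partner-A", vpn="partnerA_community", action="Inline Layer", inline=[
    Rule("1.1", src="vpn src1", dst="vpn dst1", vpn="partnerA_community", svc="svc1"),
    Rule("1.2", src="vpn src2", dst="vpn dst2", svc="svc2"),
    Rule("1.3 cleanup", vpn="partnerA_community", action="Drop"),  # community set: not a real cleanup
])
PARTNER_B = Rule("2 partner-B", vpn="partnerB_community", action="Inline Layer", enabled=False, inline=[
    Rule("2.1", src="vpn src3", dst="vpn dst3", svc="svc3"),
    Rule("2.2 cleanup", action="Drop"),
])
POLICY = [PARTNER_A, PARTNER_B, Rule("3 other access policy rules")]

if __name__ == "__main__":
    for name, finding in lint_inline_layers(POLICY):
        print(f"{name}: {finding}")
```

On the sample policy the linter reports the two rules that repeat the community, the pseudo-cleanup in layer 1, and the disabled parent of layer 2.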
Dale_Lobb
Advisor

Thanks, Damian!