Create a Post
Showing results for 
Search instead for 
Did you mean: 

R80.40 - ordered layers

Hi everyone.  Trying to get my head around ordered layers.  Read the admin guide, but there really isn't too much around this subject.  Currently have 9 gateways and all currently have two access control policies:  a non-shared firewall policy, and a shared app/url policy.

The overwhelming majority of firewall rules are replicated over and over in the non-shared firewall policy at each location, i want to simplify by creating one shared firewall polices for everything not unique to the site.  So the access-control order at every location would be:

1) non shared unique-local firewall policy - implicit accept cleanup

2) shared firewall policy - implicit drop cleanup

3) shared app/url

This leads me to a few questions:

1) I think this one is obvious - if the connection doesn't match any rule in policy 1, it goes directly to rule 1 in policy 2?

2) if a connection is matched in policy 1, does it now go directly to rule 1 in policy 3?


So in this scenario, are policies 1 and 2, " stacked"?




0 Kudos
2 Replies

If you have ordered layers, a connection must match an Accept rule in EACH layer.
And yes, the layers are effectively stacked, or evaluated in-order.

If a connection evaluates to a Drop rule in any layer (either when opened or later because the Application classification changed), the connection will be dropped.
Rules aren't evaluated in order, but using column-based matching.

0 Kudos

In this situation I would use the layered approach, you can first allow/disallow the generic services you need for all locations and then create a rule to allow anything from the IP ranges from location A with an inline layer that specifies the outbound details for location A, then you create a outbound rule for the same location and create an inline layer.

You do this for each location and then you can, on top of that have the application control layer inside each location layer that is shared between them.

Now the traffic fill follow the first part of the policy then it will only be going into the layer for a location when it matches the rule for that specific location, if a location rule is matched, it will go into that part of the policy but will not return to the main policy!!

This is also why each layer need it's own drop rule.

Regards, Maarten