This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_TK
Advisor
‎2020-08-03 04:31 PM

R80.40 - ordered layers

Hi everyone.  Trying to get my head around ordered layers.  Read the admin guide, but there really isn't too much around this subject.  Currently have 9 gateways and all currently have two access control policies:  a non-shared firewall policy, and a shared app/url policy.

The overwhelming majority of firewall rules are replicated over and over in the non-shared firewall policy at each location, i want to simplify by creating one shared firewall polices for everything not unique to the site.  So the access-control order at every location would be:

1) non shared unique-local firewall policy - implicit accept cleanup

2) shared firewall policy - implicit drop cleanup

3) shared app/url

This leads me to a few questions:

1) I think this one is obvious - if the connection doesn't match any rule in policy 1, it goes directly to rule 1 in policy 2?

2) if a connection is matched in policy 1, does it now go directly to rule 1 in policy 3?

 

So in this scenario, are policies 1 and 2, " stacked"?

 

thanks

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-08-03 06:04 PM

If you have ordered layers, a connection must match an Accept rule in EACH layer.
And yes, the layers are effectively stacked, or evaluated in-order.

If a connection evaluates to a Drop rule in any layer (either when opened or later because the Application classification changed), the connection will be dropped.
Rules aren't evaluated in order, but using column-based matching.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-08-03 10:10 PM

In this situation I would use the layered approach, you can first allow/disallow the generic services you need for all locations and then create a rule to allow anything from the IP ranges from location A with an inline layer that specifies the outbound details for location A, then you create a outbound rule for the same location and create an inline layer.

You do this for each location and then you can, on top of that have the application control layer inside each location layer that is shared between them.

Now the traffic fill follow the first part of the policy then it will only be going into the layer for a location when it matches the rule for that specific location, if a location rule is matched, it will go into that part of the policy but will not return to the main policy!!

This is also why each layer need it's own drop rule.

Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events