- Products
- Learn
- Local User Groups
- Partners
- More
Firewall Uptime, Reimagined
How AIOps Simplifies Operations and Prevents Outages
Introduction to Lakera:
Securing the AI Frontier!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Ok, here is my understanding of inline layers and I really doubt in the mean time if this is correct.
I have a number of /29 networks that are part of a /24 and all need access to some specified services.
Each of these /29's has it's own specific access in-line layer with in and outbound cleanup rules.
Now I added a access rule with in-line layer to allow the centralized services of which a part is based on URLs and part on specific IP's.
Now my assumption was, that when you do NOT add a cleanup rule in the /24 in-line layer, the matching will continue thru the rest of the rulebase, thus hitting the specific rules for the /29. Today someone told me that traffic was allowed that should not be allowed, all I can think of is that the message on the /24 in-line layer that says:
"Missing Cleanup-rule - Unmatched traffic will be accepted and not logged"
So the main question here is, is this really true?
Hi Maarten,
If it my understanding that if you match the parent rule - say rule 2, then you will never get beyond the rule checking in the in-line layer below rule 2.
I.e rule 3 and below will never be checked if rule2 parent was matched
The Inline Layer has a parent rule (Rule 2 in the example), and sub rules (Rules 2.1 and 2.2). The Action of the parent rule is the name of the Inline Layer.
If the packet does not match the parent rule of the Inline Layer, the matching continues to the next rule of the Ordered Layer (Rule 3).
If a packet matches the parent rule of the Inline Layer (Rule 2), the Firewall checks it against the sub rules:
Important - Always add an explicit Cleanup Rule at the end of each Inline Layer, and make sure that its Action is the same as the Actionof the Implicit Cleanup Rule.
Does that answer the question?
thanks
Peter
Once a match occurs on the parent rule (rule 6 let's say) and evaluation descends into the sub-rules beneath that parent (6.1-6.X), a match with action will happen in those sub-rules one way or the other and evaluation will not continue past that matched parent's sub-rules. Each layer or set of sub-rules has its own implicit cleanup rule if you don't create one yourself that will be matched.
Once evaluation descends into a set of sub-rules there is no circumstance where evaluation comes back out of the sub-rules and continues past the matched parent rule (i.e. rule 7+). However once evaluating in a set of sub-rules it is possible to branch into yet another layer with its own set of sub-rules (i.e. rules 6.2.X) but one way or the other a match with action will happen at some point somewhere under 6.X(.X) and evaluation is complete.
😕 can be quite annoying if you have lots of layers.
Still, the managament API could save you lots of time in this case
Use the "add access-rule" statement with the "position bottom" argument. the rule is the same for all layers, so you would just need to parse in all the layers via a csv and the batch option.
"show access-layers" should give you the list that you need to specify within the csv 🙂
Hope it helps
Did you redirect the output of the "mgmt_cli login" statement to the correct file name?
If yes and this is a real issue with R80.30, meaning bug related, you can still do it the way that I described.
Once you make an API call, like "add access-rule", and do not specify a session the "mgmt_cli" command will ask you to log in.
As the described way is just one execution of the api its fine like that and also works (you just call it once, with all the required information, meaning the layer names, within a csv).
Hi @Maarten_Sjouw , my name is Amiad Stern and I'm the team leader of the Management APIs.
I would like to understand what worked on R80.10 which doesn't work on R80.30.
Can you please share your script, my mail is amiads@checkpoint.com.
Regards,
Amiad.
Amiad,
Tomorrow morning back in the office I will send it to you.
Simply put it comes down to the Authentication part where after you login with "> id.txt" and on the next line you end with the "-s id.txt" it just comes back with an error, sorry cannot give you the error, but when you check with your colleague A. Chuklov, he has a copy of my MDS running.
I knew I posted it here as well, have a look in this post
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
31 | |
16 | |
5 | |
4 | |
3 | |
3 | |
3 | |
3 | |
2 | |
2 |
Tue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Thu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY