Best practice using layer R80.10

Hi

I'm running an R80.10 eval management server into which I have imported my 77.30 database, to train myself a bit before upgrading to R80.10. I currently have 16 firewalls around the world (including Azure and AWS) and one policy package with everything in it.

I'm planning to have a policy/tab for each firewall, and because there are common rules that have to be on all firewalls, I would like to use layers.

I'm struggling a bit to get my head around the do's and don'ts of using layers in R80.10.

If I have three layers in my policy, 1, 2 and 3, where layers 1 and 2 have a cleanup rule that accepts all and layer 3 has a cleanup rule that drops all, the packet will start with layer 1; if there is no match it will go to layer 2, if no match it will go to layer 3, and if no match it is dropped by the cleanup rule. Is this correct?

Normally, if you have an any/any rule with accept, it will be a hit and stop processing any more rules.

If I use Search in packet mode, I only see a match in layer 1, where the cleanup rule is the last match.

Have I misunderstood something?

Is there any best practice for using layers?

Rgds

Knud Mortensen

11 Replies
Admin

Re: Best practice using layer R80.10

I recommend reading through the Layers in R80 for some additional background.

Keep in mind with ordered layers, the packet must hit an "accept" rule to go to the next ordered layer.

So if a packet matches a "drop" action in layer 1 (such as a cleanup rule), it will never see the other layers.

Where ordered layers are required is when managing pre-R80 gateways.

This is because the Firewall (Access Control) rulebase must be matched before going to the App Control/URL Filtering rulebase (effectively a layer).

Once your gateways are R80.10 and above, I personally think a better approach is to use Inline Layers.

I'll show an example from my lab gateway:

You'll notice that the action column isn't the traditional Accept/Drop, but a layer called Bogons, Outbound, and InboundLayer. Each one of these is an independent rulebase that I could actually reuse elsewhere if I desire.
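To make the ordered-versus-inline distinction above concrete, here is a small Python model, added for this thread and not code from Check Point or from the reply, that evaluates a packet against the three ordered layers described in the question and against the same site rules hung off one parent rule as an inline layer. The layer names, network objects and the assumption that a layer with no matching rule drops via its implicit cleanup are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    rules: list

@dataclass
class Rule:
    src: str        # "any" or a named network object
    dst: str
    action: object  # "accept", "drop", or an inline Layer

def matches(rule, pkt):
    return rule.src in ("any", pkt["src"]) and rule.dst in ("any", pkt["dst"])

def eval_layer(layer, pkt, trail):
    """First match wins inside a layer; an inline layer recurses.
    Modelling assumption: no match means the implicit cleanup drops."""
    for i, rule in enumerate(layer.rules, 1):
        if matches(rule, pkt):
            trail.append(f"{layer.name}:{i}")
            if isinstance(rule.action, Layer):
                return eval_layer(rule.action, pkt, trail)
            return rule.action
    trail.append(f"{layer.name}:implicit-cleanup")
    return "drop"

def eval_ordered(layers, pkt):
    """Ordered layers: 'accept' hands the packet to the next layer,
    'drop' ends evaluation, and the last verdict reached is final."""
    trail, verdict = [], "drop"
    for layer in layers:
        verdict = eval_layer(layer, pkt, trail)
        if verdict == "drop":
            break
    return verdict, trail

# Constructed policy: the three ordered layers from the question.
CLEANUP_ACCEPT = Rule("any", "any", "accept")
CLEANUP_DROP = Rule("any", "any", "drop")
ORDERED = [
    Layer("Common-1", [Rule("dmz", "any", "accept"), CLEANUP_ACCEPT]),
    Layer("Common-2", [Rule("mgmt", "any", "accept"), CLEANUP_ACCEPT]),
    Layer("Site-3", [Rule("lan", "internet", "accept"), CLEANUP_DROP]),
]
# The same site rules as an inline layer reached through one parent rule.
OUTBOUND = Layer("Outbound", [Rule("lan", "internet", "accept"), CLEANUP_DROP])
INLINE = [Layer("Network", [Rule("lan", "any", OUTBOUND), CLEANUP_DROP])]
```

The returned trail is the list of "layer:rule" hits, so swapping the first layer's cleanup to a drop shows directly why later layers are never consulted.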

Re: Best practice using layer R80.10

A series of articles will be posted soon!

Re: Best practice using layer R80.10

Please follow articles posted under this tag: layers-best-practices


Re: Best practice using layer R80.10

Tomer, that would be good advice if the community had an interface to do so. I personally cannot find any way to do so.


Re: Best practice using layer R80.10

I didn't think of that part all the way through :) We will check how the CheckMates interface can help us with that. https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc

Admin

Re: Best practice using layer R80.10

RSS feed, which I know https://community.checkpoint.com/people/valerdd022dbd-e3ef-33cc-ac9c-4ac6f9e1743d knows how to use :)

https://community.checkpoint.com/view-browse-feed.jspa?browseSite=content&browseViewID=content&userI...

That gets a few more things than the tag (it's a general search term).

That said https://community.checkpoint.com/content will give you all the content on the site.


Re: Best practice using layer R80.10

Oh, come on, https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc, add a search-by-tag feature. You do not expect people to start fiddling with RSS just to find a particular tag, right?

Admin

Re: Best practice using layer R80.10

Better to browse using this link: https://community.checkpoint.com/tags/#/?tags=layers-best-practices

You can see the most commonly used tags (and browse related content) here: https://community.checkpoint.com/tags

I was thinking you were looking for notifications, https://community.checkpoint.com/people/valerdd022dbd-e3ef-33cc-ac9c-4ac6f9e1743d, which is why I suggested an RSS link.

That's what happens when I post when my caffeine levels are inadequate :)


Re: Best practice using layer R80.10

Thanks for the link. My point was, please make it a shortcut in the menu bar for easier navigation.

Admin

Re: Best practice using layer R80.10

I'm still trying to build a lot of the stuff like that :)
Thanks for the suggestion.

Admin

Re: Best practice using layer R80.10

I now have a whole section for it.

When https://community.checkpoint.com/people/tomera5b2e7f3-09aa-32f8-96c2-f0f5bfa2988b (or anyone else) tags a discussion/doc/whatever with layers-best-practices, it will show on the right sidebar.
