
How are implied rules implemented with a multi-layered policy?


When an option is selected in the Global Properties / Firewall page, certain rules are created that get merged with each policy installed to any gateway. In the case of multi-layered policies, does this merge happen with each layer defined in a policy, or only with the first ordered layer? For example, if "Accept ICMP requests" is selected with "Before Last", will the ICMP rule be inserted only in the first layer of each policy, or in each layer?

If the answer is the first layer, then what happens if the first layer is shared and used as the last layer in another policy?

1 Solution

Accepted Solutions

Re: How are implied rules implemented with a multi-layered policy?


I got a clarification regarding implied rules. This is the more correct behaviour:

Implied rules are "attached" during install policy, to the relevant context.

The implied rules that are selected to appear "first", are added to the first ordered layer in the policy.

The implied rules that are selected to appear "before last" or "last", are added to all the layers.

Let’s consider the examples below:

2 ordered layers:

* Accept ICMP defined as ‘before last’

Example 1:

Layer 1:

  1. Any Any Any Drop

Layer 2:

  1. Any Any Any Drop

In the above example, all ICMP connections will be matched by the ‘Accept ICMP’ implied rule.

Example 2:

Layer 1:

  1. Any Any Any Drop

Layer 2:

  1. src=10.0.0.1, Drop
  2. Any Any Any Drop

In the above example, ICMP packets from 10.0.0.1 will match the implied rule in layer 1, but match explicit rule 1 in layer 2.

In addition, every layer has the "implicit cleanup rule" in its properties. For Pre-R80.10 Gateways, in every policy, the first layer must have its implicit cleanup rule set to "drop" and for the second ordered layer the implicit cleanup rule must be set to "accept". Usually, these are the defaults when creating policies and layers, so the admin doesn't have to worry about them, unless it is shown as the reason for his policy installation failure.

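To make the attachment rules in the accepted solution concrete, here is a small Python model of install-time merging and ordered-layer evaluation. It is an added example, not Check Point code and not anything posted in this thread; the rule, layer, host and service names in it are constructed. It follows the accepted solution literally: "first" implied rules go only into the first ordered layer, "before last" and "last" rules go into every layer, and a packet must be accepted by every ordered layer to pass. It does not model the "exclusive" behaviour of "first" implied rules that Kishin reports later in the thread, which the thread leaves with R&D. The third function shows the consequence Kishin points out: a rule attached only to layer 1 still needs an accept in the other layers, either from an explicit rule or from an implicit cleanup rule set to accept.

```python
"""Toy model of how implied rules are attached to ordered policy layers at
install time and how a packet is then evaluated across the layers.
Added example following the accepted solution in this thread; not vendor code."""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    src: str = ANY
    dst: str = ANY
    service: str = ANY
    action: str = "drop"   # "accept" or "drop"
    name: str = ""

    def matches(self, src: str, dst: str, service: str) -> bool:
        # A field matches when it is the Any wildcard or equals the packet's value.
        return all(want in (ANY, have) for want, have in
                   ((self.src, src), (self.dst, dst), (self.service, service)))


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = "drop"   # applied when no rule in the layer matches


# Positions offered for an implied rule in Global Properties.
FIRST, BEFORE_LAST, LAST = "first", "before last", "last"


def install(layers: List[Layer], implied: List[Tuple[Rule, str]]) -> List[Layer]:
    """Return the rulebase as it is installed, with implied rules merged in:
    'first'       -> top of the first ordered layer only
    'before last' -> every layer, just above its last explicit rule
    'last'        -> every layer, after its last explicit rule (still ahead
                     of that layer's implicit cleanup rule)"""
    firsts = [r for r, pos in implied if pos == FIRST]
    before_lasts = [r for r, pos in implied if pos == BEFORE_LAST]
    lasts = [r for r, pos in implied if pos == LAST]
    installed = []
    for idx, layer in enumerate(layers):
        head, tail = layer.rules[:-1], layer.rules[-1:]
        rules = (firsts if idx == 0 else []) + head + before_lasts + tail + lasts
        installed.append(Layer(layer.name, rules, layer.implicit_cleanup))
    return installed


def evaluate(layers: List[Layer], src: str, dst: str, service: str) -> Tuple[str, str]:
    """Walk the ordered layers. A packet must be accepted in every layer to
    pass; the first layer that drops it decides. Returns (action, reason)."""
    for layer in layers:
        for rule in layer.rules:
            if rule.matches(src, dst, service):
                if rule.action == "drop":
                    return "drop", f"{layer.name}: {rule.name}"
                break                      # accepted here, on to the next layer
        else:                              # no explicit or implied rule matched
            if layer.implicit_cleanup == "drop":
                return "drop", f"{layer.name}: implicit cleanup"
    return "accept", "accepted in every layer"


# Constructed rules mirroring the examples in the accepted solution.
DROP_ALL = Rule(name="Any Any Any Drop")
ACCEPT_ICMP = Rule(service="icmp", action="accept", name="implied Accept ICMP")
IMPLIED = [(ACCEPT_ICMP, BEFORE_LAST)]


def example_1() -> Tuple[str, str]:
    """Both layers are a bare Any Any Any Drop: ICMP passes via the implied rule."""
    layers = install([Layer("Layer 1", [DROP_ALL]), Layer("Layer 2", [DROP_ALL])], IMPLIED)
    return evaluate(layers, "10.0.0.1", "192.0.2.10", "icmp")


def example_2() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Layer 2 has an explicit drop for 10.0.0.1 above its cleanup rule: the
    implied rule lands below it, so 10.0.0.1 is dropped but other hosts pass."""
    layer2 = Layer("Layer 2", [Rule(src="10.0.0.1", name="rule 1"), DROP_ALL])
    layers = install([Layer("Layer 1", [DROP_ALL]), layer2], IMPLIED)
    return (evaluate(layers, "10.0.0.1", "192.0.2.10", "icmp"),
            evaluate(layers, "10.0.0.2", "192.0.2.10", "icmp"))


def first_position_example() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """A 'first' implied rule is attached to layer 1 only, so a later layer
    must still accept the traffic itself: an explicit Any drop blocks it, while
    an empty layer whose implicit cleanup is 'accept' lets it through."""
    ctrl = Rule(service="control", action="accept", name="implied control connection")
    with_drop = install([Layer("Layer 1", [DROP_ALL]), Layer("Layer 2", [DROP_ALL])],
                        [(ctrl, FIRST)])
    with_cleanup_accept = install([Layer("Layer 1", [DROP_ALL]),
                                   Layer("Layer 2", [], implicit_cleanup="accept")],
                                  [(ctrl, FIRST)])
    return (evaluate(with_drop, "10.0.0.5", "192.0.2.1", "control"),
            evaluate(with_cleanup_accept, "10.0.0.5", "192.0.2.1", "control"))


if __name__ == "__main__":
    for fn in (example_1, example_2, first_position_example):
        print(fn.__name__, "->", fn())
```

The useful check when reviewing a real multi-layer policy is the one `install` makes visible: print each layer's rule list after merging and confirm that every layer after the first either carries the implied rule or accepts the traffic some other way, since a single explicit Any drop in a later layer undoes an implied accept from layer 1.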
6 Replies

Re: How are implied rules implemented with a multi-layered policy?


Implied rules are "attached" during install policy, to the relevant context. All the Implied Rules from the global properties go to the first ordered layer in the policy.

In addition, every layer has the "implicit cleanup rule" in its properties. For Pre-R80.10 Gateways, in every policy, the first layer must have its implicit cleanup rule set to "drop" and for the second ordered layer the implicit cleanup rule must be set to "accept". Usually, these are the defaults when creating policies and layers, so the admin doesn't have to worry about them, unless it is shown as the reason for his policy installation failure.


Re: How are implied rules implemented with a multi-layered policy?


Thanks Tomer. This means that traffic allowed by implied rules (last or before last) must also be allowed in all other layers (2 onwards), either by an explicit rule or by an implicit cleanup rule with the accept action. If any layer other than the first has an explicit cleanup rule, then these implied rules will not be useful.

Also I see that the "First" implied rules work exclusively, i.e. no layer rules are matched if one of the "First" implied rules matches. Is that correct?


Re: How are implied rules implemented with a multi-layered policy?


Since the implied rules apply to the first layer in each policy, then if matched, the ones that are defined to be "first" will apply before any other rules from the layers are evaluated.


Re: How are implied rules implemented with a multi-layered policy?


That's right, Tomer, but the difference I see is that if an implied rule defined as last or before last is matched, the rules in the other layers after it are still inspected; however, this is not the case for implied rules defined as first.


Re: How are implied rules implemented with a multi-layered policy?


I have forwarded Kishin's case to R&D. This seems to be a problem for the current version of R80.10 Pre-EA Gateways.
