MrSaintz

Inline Layer and software blades


Hi all,

When setting up inline layers, for instance for mobile access rules (unified mode), application/URLF rules, content, etc., should the parent be enabled with all the blades I want to use at the inline layer level?

I think it would make sense not to enable them at the parent level, for example:

parent rule allowing LAN to internet, service http/https, assigning inline layer "urlf" (here I would only enable access control)

at the "urlf" inline layer, specify allowed/blocked categories there (here I would enable the URLF SB)

Is this proper, best practice?

Regards,

Carlos

Carlos Santos

Accepted Solutions

Re: Inline Layer and software blades


Hi, it's not required. If you didn't enable applications at the parent layer or rule but did that in the inline layer, it will inspect applications (or content awareness etc. for that matter).

So if you plan to move your Application Control ordered layer as an inline layer to your outgoing Firewall rules, you don't have to edit the Firewall layer and start enabling blades for that.

Vladimir

Re: Inline Layer and software blades


Tomer,

If we have parent layer configured with Firewall blade only and the inline layer with APPC and URLF, can we use "Internet" object in the parent rules or should it only be used in the APPC and URLF layer?

ED

Re: Inline Layer and software blades


The object "Any" in the destination column is bad because of the column-based rule-matching technique in R80.10+ firewalls. Therefore it's better to use the "Internet" object in the parent rules.

Vladimir

Re: Inline Layer and software blades


Enis,

The question was not about use of "Any" object, but if "Internet" object from the layer containing APPC & URLF blade could be used in the parent layer that DOES NOT contain APPC & URLF blade.

Employee+

Re: Inline Layer and software blades


Internet objects are only supported for APCL\URLF layers. 

You can use security zones instead.

Employee+

Re: Inline Layer and software blades


In general it is good practice not to leave columns with Any if possible. In the APCL\URLF case, in most cases applications are actually on the internet, so it is better to use the Internet object.

The R80.10 rule matching technique is actually not relevant here. Defining the Internet object (or any other network object) in a rule allows the rule base to filter rules at an earlier stage (e.g. the SYN packet), allowing better security and potentially better performance.

e.g:

Src: Any Dst: Any Application: Facebook

Such a rule will cause every connection to be inspected to determine the application on the connection.

Src: Network_A Dst: Internet Application: Facebook

Such a rule will cause only connections originating from Network_A to the internet to be inspected for application detection. For all other connections this rule will be filtered out on the first packet of the connection (pending other rules, the connection may or may not be inspected further).
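A constructed illustration of the two-stage matching described above (an added example, not Check Point code): the "Internet" object is modelled simply as any globally routable destination, Network_A is a made-up 10.1.0.0/16, and the two one-rule rule bases are the Any/Any/Facebook and Network_A/Internet/Facebook rules from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

# Constructed stand-ins for rule-base objects (assumptions, not Check Point's own objects).
ANY = "Any"
INTERNET = "Internet"   # models the "Internet" object as "any globally routable destination"
NETWORK_A = ipaddress.ip_network("10.1.0.0/16")

NetObj = Union[str, ipaddress.IPv4Network]

@dataclass
class Rule:
    name: str
    src: NetObj        # ANY or a network
    dst: NetObj        # ANY, INTERNET or a network
    application: str   # ANY or an application name such as "Facebook"

def net_matches(obj: NetObj, ip: str) -> bool:
    """Does a Source/Destination column object match one address?"""
    addr = ipaddress.ip_address(ip)
    if isinstance(obj, str):
        return obj == ANY or (obj == INTERNET and addr.is_global)
    return addr in obj

def candidates_on_syn(rules: List[Rule], src_ip: str, dst_ip: str) -> List[str]:
    """Stage 1 (first packet): only Source and Destination are known, so only those
    columns can prune the rule base; the Application column cannot be evaluated yet."""
    return [r.name for r in rules if net_matches(r.src, src_ip) and net_matches(r.dst, dst_ip)]

def needs_app_inspection(rules: List[Rule], src_ip: str, dst_ip: str) -> bool:
    """Stage 2: application detection is needed only while some surviving candidate
    rule still depends on the Application column. If nothing survives stage 1,
    the connection never reaches application inspection for this rule base."""
    surviving = set(candidates_on_syn(rules, src_ip, dst_ip))
    return any(r.application != ANY for r in rules if r.name in surviving)

# The two rules from the post, as constructed one-rule rule bases.
LOOSE = [Rule("Any-Any-Facebook", ANY, ANY, "Facebook")]
TIGHT = [Rule("NetA-Internet-Facebook", NETWORK_A, INTERNET, "Facebook")]

if __name__ == "__main__":
    for label, rb in (("loose", LOOSE), ("tight", TIGHT)):
        for src, dst in (("192.168.1.5", "10.2.3.4"), ("10.1.5.5", "8.8.8.8")):
            print(f"{label}: {src} -> {dst} needs application inspection: "
                  f"{needs_app_inspection(rb, src, dst)}")
```

With the loose rule every connection, even internal-to-internal, has to be carried to application detection; with the tight rule only Network_A-to-internet traffic does, and everything else is dropped from this rule on the SYN.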

Vladimir

Re: Inline Layer and software blades


Tal, thank you for the concise explanation.

Can you tell me how the user defined applications for Mobile Access are being treated? I.e. do we need to have APCL URLF blade enabled on the layer containing MAB, or are those apps recognized and treated differently?

MrSaintz

Re: Inline Layer and software blades


Hey Vladimir,

For MAB blade inline layer you don't need to have APP/URLF blade active.

Best regards,

Carlos Santos

Re: Inline Layer and software blades


I think it should be fine. Search for other threads where we talked about using zones in the rule base.

Re: Inline Layer and software blades

I read / hear what you are saying. But we did this exact same thing. We had the parent layer configured for firewall only and then added an inline layer with both firewall and URL/app. What we noticed is that none of the URL/app rules worked; we then had to add IP-based rules in the inline layer to get our access to work.

I spoke with Check Point support and was told that we needed to activate the URL/app blade in the parent layer / policy. We could not enable this, it was greyed out, because a global policy is assigned. We would have to enable this blade in the global policy so that it enabled it in the parent layer of the domain.

FYI, we are running R80.20 on the MDS and gateways. It would make things a lot easier for us if we could get the inline layer to work without having to enable URL/app in the global policy. Is there something else we need to do to get the inline layer URL/app blade to work?
S__B_

Re: Inline Layer and software blades


👍
