Inline Layer in R80.20 after Migration from R77.30

Hello,

after migration from R77.30 to R80.20 I want to use inline layers.

Can I do a "soft migration" and add some inline layers?

Can I use ordered and inline layers at the same time?

In the Max Power book I read not to use the "Any" object, but in R80.20 demo mode many rules use Any.

So should I avoid Any, or is it no problem to use Any with inline layers?

Thanks,

Daniel

Accepted Solutions

Re: Inline Layer in R80.20 after Migration from R77.30

Hi @Daniel_Hainich

Yes, you can migrate as is and later convert some of your rules into sub-layers. We have shown an example of such conversion during one of our TechTalks earlier this year: https://community.checkpoint.com/t5/General-Topics/Migrate-to-R80-20-TechTalk/m-p/22862

Drill to the slides; specifically, slides 66-70 are addressing that.

Before @Timothy_Hall can elaborate on your "any" object comment, I have to stress that rulebase order and use of specific objects in the policy has smaller significance with R80.x in comparison to R77.30, because of the new rulebase lookup logic.


Re: Inline Layer in R80.20 after Migration from R77.30

Avoiding the use of "Any" in the Destination column of rules is to help optimize the new R80.10+ Column-based Matching feature and reduce rulebase lookup overhead in the F2V path.  This recommendation applies for both ordered and inline layers.  Using literally anything other than "Any" will help, such as:

  • A negation of a group object containing all your internal networks to represent the Internet
  • Object "Internet" in APCL/URLF-enabled layers (but make sure firewall topology is completely and correctly defined)
  • Security Zone object
  • Updatable or other Dynamic object

While avoiding "Any" will help in the Destination, Source and Service fields, the Destination column is checked first by Column-based matching thus the recommendation to focus on avoiding "Any" in that column.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
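To make the column-order argument above concrete, here is a small Python model added to this thread (not Check Point's code and not from either poster): it evaluates Destination first, then Source, then Service, and counts how many rules survive each pass for a constructed four-rule policy written once with Destination "Any" and once with a negated internal-networks group, as the answer suggests. The rulebase, the addresses and the exact pruning order are assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass
ANY = "Any"

@dataclass
class Rule:
    number: int
    src: str      # CIDR, "!CIDR" (negated network), or "Any"
    dst: str
    service: str  # e.g. "tcp/22", or "Any"

def column_matches(field: str, value: str) -> bool:
    """Match one column: "Any" matches everything; a leading "!" negates a
    network (models a negated group holding all internal networks)."""
    if field == ANY:
        return True
    negated = field.startswith("!")
    net = field[1:] if negated else field
    try:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(net)
    except ValueError:  # not a network (e.g. "tcp/22"): exact string compare
        hit = net == value
    return not hit if negated else hit

def column_based_match(rules, src_ip, dst_ip, service):
    """Simplified model (constructed, not Check Point's code): Destination is
    evaluated first, then Source, then Service; each pass discards rules that
    can no longer match. Returns the first surviving rule and kept-per-pass."""
    candidates = list(rules)
    kept = {}
    for column, value in (("dst", dst_ip), ("src", src_ip), ("service", service)):
        candidates = [r for r in candidates if column_matches(getattr(r, column), value)]
        kept[column] = len(candidates)
    return (candidates[0] if candidates else None), kept
INTERNAL = "10.0.0.0/8"
# Constructed rulebase: outbound web rules written with Destination "Any".
RULES_WITH_ANY = [
    Rule(1, INTERNAL, ANY, "tcp/443"),
    Rule(2, INTERNAL, ANY, "tcp/80"),
    Rule(3, ANY, "10.1.1.10/32", "tcp/22"),
    Rule(4, ANY, ANY, ANY),  # cleanup rule
]
# Same policy, but the Internet is written as "not internal" instead of "Any".
RULES_SPECIFIC_DST = [
    Rule(1, INTERNAL, "!" + INTERNAL, "tcp/443"),
    Rule(2, INTERNAL, "!" + INTERNAL, "tcp/80"),
    Rule(3, ANY, "10.1.1.10/32", "tcp/22"),
    Rule(4, ANY, ANY, ANY),
]
```

For an internal SSH connection (10.2.3.4 to 10.1.1.10, tcp/22) both rulebases hit rule 3, but the "Any" version still carries all four rules out of the Destination pass, while the negated-group version has already cut the candidates to two.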
4 Replies


Re: Inline Layer in R80.20 after Migration from R77.30


Hello,

thanks for the help.

As I understood, Any in the Source column is not a problem, only Any in the Destination and Service columns?

Re: Inline Layer in R80.20 after Migration from R77.30

"Any" is not a real "problem" as far as functionality or security in any column of a policy layer; for performance optimization purposes, though, it can be helpful to avoid the use of "Any", primarily in the Destination column.
