cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Employee+
Employee+

Inline Layers

Jump to solution

I know that inline layers are not supported for pre-R80 gateways, but can I even create them (for testing purposes) in R80 SmartConsole? It seems that only ordered layers are supported now?

1 Solution

Accepted Solutions

Re: Inline Layers

Jump to solution

Please see the topics Layers in R80 and How do I create an Access Policy for Pre-R80 GWs?  for the list of the supported features.

R80 Management has the support for inline layers, however like you said, when using them for a pre-R80.10 GW, install policy will fail.

Setting an inline layer is done by clicking a rule's action and selecting the "Inline Layer" option. You can either select an existing layer (if it's marked as shared) or create a new one.

set-inline-layer.png

The way that inline layers work is the following: When the connection matches a parent rule that its action is an inline layer, the inline layer rules get evaluated.

Every inline layer (and also every layer) has an implicit cleanup rule that is either "any any accept" or "any any drop" set in its properties under "advanced". This means that once you go inside an inline layer, you cannot go outside back to the main layer, therefore rules in the inline layer cannot block rules that reside below the parent rule that holds them. Giving an admin the permission to only edit an inline layer will not affect the main layer that holds it.

To see the list of all layers, open the Manage Layers view from this location:

open-manage-layers.png

0 Kudos
3 Replies

Re: Inline Layers

Jump to solution

Please see the topics Layers in R80 and How do I create an Access Policy for Pre-R80 GWs?  for the list of the supported features.

R80 Management has the support for inline layers, however like you said, when using them for a pre-R80.10 GW, install policy will fail.

Setting an inline layer is done by clicking a rule's action and selecting the "Inline Layer" option. You can either select an existing layer (if it's marked as shared) or create a new one.

set-inline-layer.png

The way that inline layers work is the following: When the connection matches a parent rule that its action is an inline layer, the inline layer rules get evaluated.

Every inline layer (and also every layer) has an implicit cleanup rule that is either "any any accept" or "any any drop" set in its properties under "advanced". This means that once you go inside an inline layer, you cannot go outside back to the main layer, therefore rules in the inline layer cannot block rules that reside below the parent rule that holds them. Giving an admin the permission to only edit an inline layer will not affect the main layer that holds it.

To see the list of all layers, open the Manage Layers view from this location:

open-manage-layers.png

0 Kudos

Re: Inline Layers

Jump to solution

Query: when we add the Target gateway in the InLine layer then we need to explicitly add the same targets in the rules inside? I think we need not as the InLine says for which target the rules are also even if we add any other gateway as the target inside then it will not work (traffic will not match the Inline).

Is my understanding correct?

Thanks

Admin
Admin

Re: Inline Layers

Jump to solution

No, that is not necessary to do.

In fact, it would be redundant to do so and make it difficult to reuse the layer on a different gateway.

0 Kudos