
Inline layers and 'Any' access

Just to verify my understanding. 

If I have an inline layer like this:

  1.1 src:Any dst:MyNet1
    1.2 src:MyNet2 dst:MyNet1 Action:Accept
    1.3 src:Any dst:MyNet Action:Drop (inline clean up)
  2.0 src:MyNet3 dst:Any Action:Accept

the 2.0 rule won't allow MyNet3 to reach MyNet1? Just thinking how the "Accept internet except internal networks" would work here after all the internal networks have been handled like that. The reason I am using the inline layer dst field is this article https://community.checkpoint.com/t5/General-Management-Topics/Unified-Policy-Column-based-Rule-Match... where it says that rule matching begins from dst.

Accepted Solution
Re: Inline layers and 'Any' access

Rule 2.0 will not allow access to MyNet1 as first of all rule 1.3 will drop it, otherwise the default Implicit drop will (a setting on the layer).
To allow Internal networks you need them to either skip rule 1.1 by negating the internal network, or be explicit in the layer as you are doing in rule 1.2.
Regards, Maarten


2 Replies

Admin

Re: Inline layers and 'Any' access

The column-based matching only applies within a layer, ignoring any inline layers.
If the packet matches a rule with an action of an inline layer, then that inline layer is analyzed for a match.
If no rule in that inline layer matches, the implicit rule (either drop or accept, depending on configuration) applies.
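To make the two replies concrete, here is an added example (not from the thread or from Check Point) that simulates ordered, top-to-bottom rule matching with an inline layer and a per-layer implicit cleanup action. The network addresses, the layer names and the assumption that rule 1.3's "dst:MyNet" means MyNet1 are all constructed for the example.

```python
# Added example: ordered rulebase evaluation with an inline layer.
# Networks are constructed sample values; the thread only gives the object names.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Union

NETS = {"MyNet1": ip_network("10.1.0.0/16"),
        "MyNet2": ip_network("10.2.0.0/16"),
        "MyNet3": ip_network("10.3.0.0/16")}

def _matches(obj: str, addr: str) -> bool:
    """'Any' matches everything; otherwise the address must sit in the named network."""
    return obj == "Any" or ip_address(addr) in NETS[obj]

@dataclass
class Layer:
    name: str
    rules: list                      # ordered list of Rule
    implicit_action: str = "Drop"    # the layer's implicit cleanup (a layer setting)

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    action: Union[str, Layer]        # "Accept", "Drop", or an inline Layer

def match(layer: Layer, src: str, dst: str):
    """Return (rule name, action) for the first matching rule in this layer.
    A rule whose action is an inline layer hands the packet to that layer and
    the outer layer is NOT consulted again: if nothing in the inline layer
    matches, the inline layer's implicit action decides."""
    for r in layer.rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            if isinstance(r.action, Layer):
                return match(r.action, src, dst)
            return r.name, r.action
    return f"{layer.name} implicit", layer.implicit_action

# The rulebase from the question (1.3 assumed to target MyNet1).
INLINE = Layer("inline", [Rule("1.2", "MyNet2", "MyNet1", "Accept"),
                          Rule("1.3", "Any", "MyNet1", "Drop")])   # inline clean-up
POLICY = Layer("top", [Rule("1.1", "Any", "MyNet1", INLINE),
                       Rule("2.0", "MyNet3", "Any", "Accept")])

if __name__ == "__main__":
    for s, d in [("10.3.0.5", "10.1.0.5"), ("10.2.0.5", "10.1.0.5"),
                 ("10.3.0.5", "203.0.113.9")]:
        print(f"{s} -> {d}: {match(POLICY, s, d)}")
```

Removing rule 1.3 from INLINE shows the second half of Maarten's answer: MyNet3 to MyNet1 then ends on the inline layer's implicit drop, never on rule 2.0.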