SamiH
Contributor

Inline layers and 'Any' access

Just to verify my understanding. 

If I have an inline layer like this

1.1 src:Any dst:MyNet1

  1.2 src:MyNet2 dst:MyNet1 Action:Accept

  1.3 src:Any dst:MyNet Action:Drop (inline clean up)

2.0 src:MyNet3 dst:Any Action:Accept

So the 2.0 rule won't allow MyNet3 to reach MyNet1? Just thinking about how the "Accept internet except internal networks" rule would work here after all the internal networks have been handled like that. The reason I am using the inline layer dst field is this article https://community.checkpoint.com/t5/General-Management-Topics/Unified-Policy-Column-based-Rule-Match... where it says that rule matching begins from dst.

Accepted Solutions
Maarten_Sjouw
Champion
Rule 2.0 will not allow access to MyNet1 as first of all rule 1.3 will drop it, otherwise the default Implicit drop will (a setting on the layer).
To allow Internal networks you need them to either skip rule 1.1 by negating the internal network, or be explicit in the layer as you are doing in rule 1.2.
Regards, Maarten


2 Replies
PhoneBoy
Admin
The column-based matching only applies within a layer, ignoring any inline layers.
If the packet matches a rule with an action of an inline layer, then that inline layer is analyzed for a match.
If no rule in that inline layer matches, the implicit rule (either drop or accept, depending on configuration) applies.
