PhoneBoy
Admin

Layered policies and pre-R80 gateways

Given that a lot of the functionality that layers provides won't actually be available until R80 Gateway is released, I'm trying to understand what benefits someone might achieve by using layered policies before R80 Gateway becomes available, if they even can.

I understand some of the R7x functionality today (e.g. IPS, Threat Prevention, App Control/URL Filtering) will map to fixed layers in the new policy-layers that can be changed once R80 gateway becomes available.

Can anyone explain to me at a high level how this works?


5 Replies
Tomer_Sole
Mentor

Please find the list of functionality that is given for Pre-R80 and R80.10 Gateways in the thread Layers in R80. There are new benefits for all Gateway versions with layers, such as permissions per layer, and sharing of the same layer across multiple policies. The linked topic also explains how layers work in both Access Control and Threat Prevention worlds.

PhoneBoy
Admin

Read that post after I posted this.

That definitely helped. 

Assuming all blades, can you explain what order the different layers are evaluated in?

Tomer_Sole
Mentor

For Access Control, Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

For Threat Prevention, the different layers are evaluated on top of each other: Threat Prevention completes IPS in the same scopes. If there are contradicting rules in the different layers (functionality available for R80.10 Gateways and above), earliest layers take precedence.

PhoneBoy
Admin

That doesn't answer my question.

I'm asking specifically about the individual layers (i.e. what do we call them) and the exact order they are evaluated in (assuming I match an "allow" in each one).

Tomer_Sole
Mentor

Suppose that we have the 3 ordered layers as configured in the images below.

If a user inside Network51 attempts to access the IIS_Host through a gambling site in HTTPS, this is what the Gateway will evaluate:

- first, it will evaluate the rules in layer 1 "Network" and find an accept match at rule 3.

- then, because this is an "accept" match, it will evaluate the rules in layer 2 "Applications". It will match at the drop rule 1. Because this is a "drop" rule, the next ordered layers will not be evaluated at all and the connection will be dropped.

Hope this helps.

[Images: network.png, applications.png, security-zones.png (the three ordered layers: "Network", "Applications", "Security Zones")]
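The ordered-layer behaviour Tomer describes (evaluate a layer top-down, continue to the next layer on an accept match, stop and drop on a drop match) can be made concrete with a small simulation. This is an added example, not code from the thread or from Check Point: the layer names "Network", "Applications" and "Security Zones", the accept at Network rule 3 and the drop at Applications rule 1 follow the post, while the other rules, the `Connection`/`Rule`/`Layer` types and the per-layer implicit cleanup default are constructed here for illustration. Threat Prevention layers, which the thread says are evaluated on top of each other rather than in sequence, are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"  # wildcard used in rule fields, matches every value


@dataclass(frozen=True)
class Connection:
    """A constructed connection attempt to run through the ordered layers."""
    src: str
    dst: str
    service: str
    app_category: str = ANY


@dataclass(frozen=True)
class Rule:
    """One rule inside a layer; every field must match for the rule to match."""
    number: int
    src: str
    dst: str
    service: str
    action: str            # "accept" or "drop"
    app_category: str = ANY

    def matches(self, conn: Connection) -> bool:
        pairs = ((self.src, conn.src), (self.dst, conn.dst),
                 (self.service, conn.service),
                 (self.app_category, conn.app_category))
        return all(want == ANY or want == have for want, have in pairs)


@dataclass
class Layer:
    """An ordered layer: rules are tried top-down, first match wins."""
    name: str
    rules: List[Rule]
    # Assumption: a layer whose rules do not match falls through to an
    # implicit cleanup action; "drop" is used here as the default.
    implicit_cleanup: str = "drop"

    def first_match(self, conn: Connection) -> Optional[Rule]:
        for rule in self.rules:
            if rule.matches(conn):
                return rule
        return None


Trace = List[Tuple[str, str, str]]  # (layer name, matched rule, action)


def evaluate(layers: List[Layer], conn: Connection) -> Tuple[str, Trace]:
    """Walk the ordered layers: accept continues to the next layer,
    drop ends evaluation immediately, accept in every layer accepts."""
    trace: Trace = []
    for layer in layers:
        rule = layer.first_match(conn)
        if rule is None:
            action = layer.implicit_cleanup
            trace.append((layer.name, "implicit cleanup", action))
        else:
            action = rule.action
            trace.append((layer.name, f"rule {rule.number}", action))
        if action == "drop":
            return "drop", trace      # later layers are never evaluated
    return "accept", trace


# Constructed policy modelled on the three layers in the post.
NETWORK = Layer("Network", [
    Rule(1, ANY, "Management", "ssh", "accept"),
    Rule(2, "Guest_Net", ANY, ANY, "drop"),
    Rule(3, "Network51", "IIS_Host", "https", "accept"),
])
APPLICATIONS = Layer("Applications", [
    Rule(1, ANY, ANY, ANY, "drop", app_category="Gambling"),
    Rule(2, ANY, ANY, ANY, "accept"),
])
SECURITY_ZONES = Layer("Security Zones", [
    Rule(1, "Network51", "IIS_Host", ANY, "accept"),
])
POLICY = [NETWORK, APPLICATIONS, SECURITY_ZONES]


def gambling_example() -> Tuple[str, Trace]:
    """The scenario from the post: Network51 -> IIS_Host over HTTPS via a gambling site."""
    return evaluate(POLICY, Connection("Network51", "IIS_Host", "https", "Gambling"))


if __name__ == "__main__":
    verdict, steps = gambling_example()
    for layer_name, matched, action in steps:
        print(f"{layer_name}: {matched} -> {action}")
    print("final verdict:", verdict)
```

Running the block prints the two-step trace from the post (Network rule 3 accept, then Applications rule 1 drop) and the Security Zones layer never appears in the trace, which is the point of ordered layers: a drop anywhere in the chain is final, while an accept is only provisional until every later layer has also accepted.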
