cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Layers in R80

I would like to clarify the use of layers in R80 Management Server and SmartConsole.

A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application control blades enabled, will have their policies split into two ordered layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades enabled, will have their policies split into two ordered layers: IPS and Threat Prevention. For Pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.

Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

The layers concept opens more options for policy management:

  • Setting different view and edit permissions per layer for different administrator roles.
  • Re-using a layer in different places: The same application control layer in different policy packages ( Sharing a layer across different policies  ), or the same inline layer for different scopes.
  • Explaining global and local policies in Multi-Domain with the same feature set of layers: A domain layer will be the set of rules that are added in each domain by the domain administrator.

R80.10 Gateways and above will have the ability to utilize layers in new ways:

Message was edited by: Tomer Sole

17 Replies

Re: Layers in R80

Quote from Jim Oqvist​:

R80 introduces a new policy concept called Layers to efficiently work with the rule base.

For Access Control Policy Two types of layers for maximum flexibility exists, inline layer and ordered layer. Where layers allow separating the security policy into multiple components. In this way creating better security and manageability. Support concurrent-admin's and segregation of duties, allow organizations to reuse of layer either as inline or ordered in multiple policy's to be more efficient.

  • In Inline Layers only traffic matched/accepted on the parent rule will reach and be inspected by the inside layer rules.
  • In Ordered Layers when an accept rule from the first layer is matched, the gateway goes over the rules in the next layer
    • For backward compatibility with pre-R80 gateway you will use ordered layers to manage the Firewall rule base and Application control rule base, where first layer needs to be Firewall layer and second layer needs to be Application control and URL Filtering layer.
    • During an upgrade from pre-R80 to R80 with gateways using policy packages that are using Firewall and Application control policy's, the existing policy will be separated to ordered Layer with Network Layer – Firewall policy rules as the first layer and  Application Layer – Application control policy rules as the second layer.

Here is an example of traffic matching using

Policy with Inline Layers
Policy with Ordered LayersPolicy mixed with Ordered and Inline Layers
Employee
Employee

Re: Layers in R80

Very clear thnx !

0 Kudos
Ed_Munoz
Iron

Re: Layers in R80

Hi Tom,

Thanks for sharing, great summary. Few questions if you're ok

I wonder whether there is any kind of "layer priorities", for instance the inline layers case, what's the rule processing if there are contradictions between the layer rules?

Is there any best practices for R80 Rulebase Construction and Optimization similar to sk102812

What's the implication in the gateway side with other features such as SecureXL

Thanks

Regards

0 Kudos
Employee+
Employee+

Re: Layers in R80

Hi

Not sure I follow the question regarding “layer priorities” (for the priorities example – per layer the verification of rules is the same as in previous versions).

Regarding best practices, per layer sk102812 still applies.

However, the ability to use layers instead of sections exist.

The R80.10 admin guide should supply use cases and best practices.

Thanks,

Tal

Re: Layers in R80

Hello,

I have a question:

How many policy layers the Access Control Policy supports?

Thanks.

0 Kudos

Re: Layers in R80

See my reply from the Layer Design Patterns posts (which I should really add more to.. ) 

https://community.checkpoint.com/message/7100-layer-design-patterns-1-inspect-additional-content 

Enforcement with ordered layers is executed on the gateway in a way that does not add a performance impact with every new layer.

It is more likely that a large number of ordered layers will be harder to manage by the admin, before any performance impact will kick in (imagine that "Tree" of Access Control Policy composed of over 10 ordered layers.. Maybe not the best visibility).

Highlighted

Re: Layers in R80

Hi Tomer,

I have an R80.20 policy this is being applied to 2 gateways. It has the typical: Access Control - > Policy and NAT.  I want to add a shared 'Ordered Layer' called Mgt_Monitor) to it (and other policies) that have common rules for Network Management devices. When I have tested adding this, it changes the layout shows up as "Network" and Mgt_Monitor. So both layers are now there. This thread does not really address how to 'network type' layers will be processed by the firewall, and what happens with the clean up rules that are in existence.

The end goal of what I'm after is being able to do a similar effect as the Global Policy in a MDS/CMA except this is a CMA and I want to be able to share the ordered layer among the various policies in the CMA.

A clearer understanding or example of using multiple 'network' type layers and how they interact would be very helpful.  I have opened an SR but don't have answer from that yet, but thought you might have a better handle on how this was designed to operate.

Thank you,

PG

0 Kudos
DIEHARD
Ivory

Re: Layers in R80

To add to this question more.....

This use case is a layer of rules that would be applied to many firewalls to provide access for devices behind them to central management systems.

I can not think up anything I can match on that does not cause other existing rules in the individual firewalls policies to break due the the layer cleanup drop.

In a layered policy the cleanup rule basically only being matched to Allow or Drop. There is no possibility of say.. the option to simply exit the layer and continuing down the rules of a parent layer for a match? That would be an awesome option to have! 😉

If there is some way to currently do this using policy layers I would love to know.

0 Kudos
Admin
Admin

Re: Layers in R80

I'm not aware of a specific limit in this area.

That said, I struggle to see a use case where you'd need more than a few.

Can you articulate the use case you're thinking of?

Re: Layers in R80

It's a question from CCSA exam study guide

r80-system-administrator-study-guide.pdf

BR

Martin

0 Kudos

Re: Layers in R80

As someone who teaches the CCSA class I think I can provide some insight here.

In the CCSA R80 class, there was a question like this and the answer was "up to two" ordered layers.  At the time only R77.30 gateways were available and this was correct, due to gateway limitations you could not have more than two Access Control Policy ordered layers (Network & APCL/URLF).

However in the CCSA R80.10 courseware, the answer was changed to "one or more ordered layers" due to the availability of R80.10 gateways.  With R80.10 gateway there could now be more than two ordered layers in the Access Control Policy.  However for an R77.30 gateway managed with R80+, the answer is still "up to two" ordered layers. 

The question needs to be clarified with context as to the gateway version, so I'm mentioning certification manager Jason Tugwell in the hope that he'll see this thread.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Layers in R80

Thank you for your effort Tim.

Your book is awesome.I have a hard copy.

BR 

Martin

Employee+
Employee+

Re: Layers in R80

@TIm Hall @Martin Raska, 

The explanation Tim provided was spot on!  

While I am not the authority on the subject, the exam content is based on the course ware and after consulting with that team the context of the question is based on the R80.10 gateway.  

Regards,

Tug

Certification FAQ

Re: Layers in R80

HI all,

will it be possible to layer SSL Inspection Policy in the future, too ? 

We have a use case where our First Level Support should be able to create SSL Bypass Rules. 

Thanks!

Alex

Re: Layers in R80

Hi,

We plan to improve the user experience of HTTPS Inspection and we will update once we have information that we can share.

Employee+
Employee+

Re: Layers in R80

Hi Stadt,

In practice you can think of SSL Inspection policy as a different layer.

And in the future it will also remain as a separate fixed layer.

Can you elaborate on your use case?

Thanks,

Tal

Re: Layers in R80

Thank you for your posts, Tomer! Very clear and very helfpul.

Cheers,

Nick