cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Limiting Admin Rights

Jump to solution

Can I give a new admin limited rights to just one rule?

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
Employee
Employee

Re: Limiting Admin Rights

Jump to solution

No, the permission can be defined on an entire Layer and not on a single rule.

You can limit a new admin to edit just specific layers.

The feature is supported for both Inline Layer and Ordered Layer.

0 Kudos
5 Replies
Employee+
Employee+

Re: Limiting Admin Rights

Jump to solution

You can provide an admin access rights to an inline layer in the policy, traffic needs to match the parent rule before reaching the inline layer. An inline layer can contain multiple rules but will only inspect the traffic that matched the parent rule.

0 Kudos
Employee
Employee

Re: Limiting Admin Rights

Jump to solution

No, the permission can be defined on an entire Layer and not on a single rule.

You can limit a new admin to edit just specific layers.

The feature is supported for both Inline Layer and Ordered Layer.

0 Kudos
J_Goh
Iron

Re: Limiting Admin Rights

Jump to solution

I have heard of Inline layer.  What is Ordered Layer?  And can you explain the difference between the two?

0 Kudos
Employee+
Employee+

Re: Limiting Admin Rights

Jump to solution

R80 introduces a new policy concept called Layers to efficiently work with the rule base.

For Access Control Policy Two types of layers for maximum flexibility exists, inline layer and ordered layer. Where layers allow separating the security policy into multiple components. In this way creating better security and manageability. Support concurrent-admin's and segregation of duties, allow organizations to reuse of layer either as inline or ordered in multiple policy's to be more efficient.

  • In Inline Layers only traffic matched/accepted on the parent rule will reach and be inspected by the inside layer rules.
  • In Ordered Layers when an accept rule from the first layer is matched, the gateway goes over the rules in the next layer
    • For backward compatibility with pre-R80 gateway you will use ordered layers to manage the Firewall rule base and Application control rule base, where first layer needs to be Firewall layer and second layer needs to be Application control and URL Filtering layer.

    • During an upgrade from pre-R80 to R80 with gateways using policy packages that are using Firewall and Application control policy's, the existing policy will be separated to ordered Layer with Network Layer – Firewall policy rules as the first layer and  Application Layer – Application control policy rules as the second layer.

Here is an example of traffic matching using

Policy with Inline Layers
Policy with Ordered LayersPolicy mixed with Ordered and Inline Layers

Re: Limiting Admin Rights

Jump to solution

Please refer to Layers in R80  for general questions about the types of layers in R80. I will copy Jim Oqvist​'s post from this thread to there just for the order of things and also because it's so nicely written.

0 Kudos