cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Policy and multiple layers behavior

Jump to solution

Hello

could you please guide me understanding how rule base checks are done with different layers?

for example i have one policy with 3 layers, 2 layers are shared. when the incoming connection comes will this mean it will first for thru first layer then second and third then get dropped or the first drop rule hit? 

thank you

ismar

0 Kudos
1 Solution

Accepted Solutions

Re: Policy and multiple layers behavior

Jump to solution

see this guide for clarity Layers in R80

0 Kudos
7 Replies

Re: Policy and multiple layers behavior

Jump to solution

see this guide for clarity Layers in R80

0 Kudos

Re: Policy and multiple layers behavior

Jump to solution

thank you great help

could you direct me to more detail explanation when defining Ordered layers?

do we only need clean up rule in last layer?

thank you

0 Kudos

Re: Policy and multiple layers behavior

Jump to solution

Please see the following guides for:

Regarding cleanup rules:

You don't have to define clean up rules explicitly. Each layer has an implicit cleanup rule - either any any accept, or any any drop.

In R7x SmartDashboard we had this generalized - implicit any any drop for the Firewall policy and implicit any any accept for the Application Control policy.

You can control the implicit cleanup rule when you edit a layer and go the the "Advanced" page:

implicit-cleanup.png

Although it's usually a good best practice to create that cleanup rule explicitly on the rulebase.

0 Kudos

Re: Policy and multiple layers behavior

Jump to solution

And last thing from my on this topic, is it possibly to have 2 Firewall layers in one Policy?

0 Kudos

Re: Policy and multiple layers behavior

Jump to solution

Only for R80.10 GW's and above. Having more than 1 ordered layer for Firewall for pre-R80 GW's will fail policy installation.

Let me know if you have other questions for layers in R80. Other than the discussions that I've linked so far, you can also check the admin guide for general recommendations.

0 Kudos

Re: Policy and multiple layers behavior

Jump to solution

Is this also same for Inline Layer?

When will R80 be available for GW's?

0 Kudos

Re: Policy and multiple layers behavior

Jump to solution

Yes, inline layers have the same editor, and they have the same settings for the implicit cleanup rule.

Using inline layers requires an R80.10 GW, but because R80.10 will be a minor release, the Security Management server and SmartConsole applications are already prepared for designing this type of policies.

For R80.10 release date it is best to follow the Check Point Release Plan.

0 Kudos