Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Markus_Marquard
Contributor

Using inline layers together with zone pairs

One of the things which were very different from other vendor's firewall when we changed to Checkpoint was the absence of interface(s) in the firewall policy.

 

Now as Checkpoint introduced network zones and also inline-layers in the policy, isn't it possible to use some kind of template to have similar behavior? Here an example how it could look like for three zone pairs (internal->internet, internal->dmz-public, internal->dmz-private), without actual rules, but I think you get the point:

 

 

Then you would add the specific rules in the inline-layers. I see many advantages using this kind of template:

  • If you make an error in a rule, only the inline-sublayer (so traffic between those specific zones) will be affected, not the complete firewall
  • The firewall engine don't has to check unnecessary rules if zone doesn't match
  • Delegate policy administration for a specific zone pair
  • etc.

 

Is there any reason against doing like this from Checkpoint architecture point of view?

2 Replies
Tomer_Sole
Mentor
Mentor

Yes, this is a valid use-case for Inline Layers. It is supported.

I want to point out 2 things:

1. In case you have 2 interfaces from 2 different gateways that are linked to the same Security Zone, you still need to create a rule from and to the same zone to allow that traffic.

2. With Check Point you don't have to use Gateway Interface objects (aka Security Zones) to create Network Segmentation with Inline Layers. You can use any network object that you like. So while security zone parent rules for inline layers works completely, you don't have to create another gateway interface every time you want to place traffic to a separate inline layer. You can just use the object that represents the network. 

0 Kudos
Robert_Decker
Advisor

This is exactly the approach implemented by our SmartMove tool, when migrating Juniper SRX and Cisco ASA policies into Check Point R80.10 Management.

Robert.

Upcoming Events

    CheckMates Events