Simon_Macpherso
Advisor

Application Layer in Unified Policy

Questions re unified policies

Scenario

A new layer is created and Applications & URL Filtering is the ONLY blade selected. The layer is integrated in to an existing access control policy with only the firewall blade enabled. 

1. Are the access and application layers independent in a unified rule base, insofar as the traffic is not analyzed by the access layer first and then analyzed by the application layer (as occurs when adding an application layer as an additional layer to the access control layer) - and vice versa?

2. So, assuming the traffic only needs to match on either layer to be processed, i.e. the first layer the traffic matches on: if I add the application layer near the top of the unified rule base, the parent rule catches the traffic, it drops down into the layer to be analyzed by the layer sub-rules, it matches on a sub-rule or cleanup rule (that has an implicit cleanup action of Accept), and the traffic is accepted with no further rule base matching required.

I notice the Application & URL Filtering blade does not need to be explicitly enabled on the access layer in the policy general properties. You can still add a separate application layer to the policy and it will work. 

Regards,

Simon 


0 Kudos
4 Replies
PhoneBoy
Admin

If multiple ordered layers are used (regardless of the blades enabled in the different layers), traffic must match an Accept rule in EACH layer to pass.

0 Kudos
Simon_Macpherso
Advisor

The scenario is a single ordered layer with only the firewall blade enabled, with an inline application layer (only the Application & URL Filtering blade enabled) integrated.

0 Kudos
PhoneBoy
Admin

In that scenario, the App Control layer will only be evaluated if the parent rule (in a Firewall-only layer) is matched.

0 Kudos
the_rock
Legend

As PhoneBoy said, every ordered layer has to accept the traffic, otherwise it won't work. So, below is a perfect example. Say, if what I pointed out were action Drop instead of Accept, NOTHING would work at all.

Andy


https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...


(attached screenshot: Screenshot_1.png)

0 Kudos
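The two evaluation rules discussed in this thread (an inline layer is entered only when its parent rule matches, and traffic must be accepted by every ordered layer to pass) can be made concrete with a small simulation. The following is an added example written for this thread, not Check Point code; the layer names, rule names, sample packets and the `implicit_cleanup` settings are constructed assumptions, with the inline application layer's implicit cleanup set to Accept as described in the question.

```python
# Added example: a toy model of how a unified rule base with ordered and
# inline layers reaches a verdict. Constructed for illustration; it is not
# Check Point's engine. All names and packets below are invented.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    app: Optional[str] = None          # application identified by App Control, if any


@dataclass
class Rule:
    name: str
    src: str = "Any"
    dst: str = "Any"
    service: str = "Any"
    app: str = "Any"
    action: str = "Accept"             # "Accept" or "Drop"
    inline: Optional["Layer"] = None   # inline layer entered when this rule matches

    def matches(self, p: Packet) -> bool:
        fields = [(self.src, p.src), (self.dst, p.dst),
                  (self.service, p.service), (self.app, p.app)]
        return all(want == "Any" or want == have for want, have in fields)


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = "Drop"     # verdict when no rule in this layer matches


def evaluate_layer(layer: Layer, p: Packet, trace: List[str]) -> str:
    """First-match evaluation of one layer. An inline layer is only
    consulted when its parent rule matched; otherwise it is never seen."""
    for rule in layer.rules:
        if rule.matches(p):
            trace.append(f"{layer.name}: matched '{rule.name}'")
            if rule.inline is not None:
                return evaluate_layer(rule.inline, p, trace)
            return rule.action
    trace.append(f"{layer.name}: no match, implicit cleanup -> {layer.implicit_cleanup}")
    return layer.implicit_cleanup


def evaluate_policy(layers: List[Layer], p: Packet) -> Tuple[str, List[str]]:
    """Ordered layers: the packet must be accepted by EVERY layer to pass."""
    trace: List[str] = []
    for layer in layers:
        verdict = evaluate_layer(layer, p, trace)
        if verdict != "Accept":
            return verdict, trace
    return "Accept", trace


# Inline App Control layer; implicit cleanup Accept (assumed, per the question).
APP_INLINE = Layer("Applications (inline)", [
    Rule("Block social media", app="facebook", action="Drop"),
], implicit_cleanup="Accept")

# Single ordered Firewall-only layer whose web rule carries the inline layer.
NETWORK_WITH_INLINE = Layer("Network (ordered)", [
    Rule("Web access", service="http", inline=APP_INLINE),
    Rule("Cleanup", action="Drop"),
])

# Alternative design: same app rule as a second ORDERED layer (implicit cleanup Drop).
NETWORK_FW_ONLY = Layer("Network (ordered)", [
    Rule("Web access", service="http"),
    Rule("Cleanup", action="Drop"),
])
APP_ORDERED = Layer("Applications (ordered)", [
    Rule("Block social media", app="facebook", action="Drop"),
])


def inline_scenario(p: Packet) -> Tuple[str, List[str]]:
    return evaluate_policy([NETWORK_WITH_INLINE], p)


def ordered_scenario(p: Packet) -> Tuple[str, List[str]]:
    return evaluate_policy([NETWORK_FW_ONLY, APP_ORDERED], p)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [Packet("10.1.1.5", "203.0.113.10", "http", app="facebook"),
               Packet("10.1.1.5", "203.0.113.20", "http", app="wikipedia"),
               Packet("10.1.1.5", "203.0.113.30", "ssh")]
    for p in samples:
        for label, fn in (("inline", inline_scenario), ("ordered", ordered_scenario)):
            verdict, trace = fn(p)
            print(f"{label:8} {p.service:5} {p.app or '-':10} -> {verdict}: {' | '.join(trace)}")
```

Running it shows the difference the thread is about: with the inline design, an HTTP flow that matches no application sub-rule is accepted by the inline layer's cleanup, and SSH is dropped by the network cleanup without the application layer ever being evaluated. With two ordered layers, the same unmatched HTTP flow is accepted by the network layer but then dropped by the second layer's implicit cleanup, which is exactly why every ordered layer needs an accepting rule for traffic that should pass.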
