This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
antsvett3
Explorer
‎2022-07-20 02:27 PM

Inline Layers Question

Hi Everyone,

We are starting to use inline layers and I'm researching best practices etc. The one thing I can't find is does it matter where to start inline rules when are are starting in an ordered policy and how it affects performance. Any feedback is appreciated.

Thanks,

Anthony

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-07-20 08:54 PM

What might be beneficial for migration from one policy construct to the next in a given environment and what performs most optimally aren't necessarily the same thing. To understand this further it may help to review the policy matching mechanism i.e.

https://community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/td-p/9888

Also Tomer previously consolidated some good links on Layers here for reference:

https://community.checkpoint.com/t5/Management/Layers-Best-Practices/m-p/21023

 

CCSM R77/R80/ELITE
0 Kudos
Sorin_Gogean
Advisor
‎2022-07-21 11:37 PM

hi,

 

as we went through same exercise few years ago, the way I read/understand  "The one thing I can't find is does it matter where to start inline rules when are are starting in an ordered policy and how it affects performance. " would be 

Is there any problem if my inline layer rule is after some ordered layers ?!!??!!? 

If that is the question, then I can say that you will combine ordered with inline layers, when building your policy .

 

In our case we moved from ~300-400 lines ordered layer to ~250 lines (in total) using inline layers .

 

ty,

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-07-23 01:51 PM

When writing my book I did some limited research about the performance of using solely inline layers with one blade enabled in each (Firewall, APCL/URLF) vs. using a single layer inline that invoked the Firewall blade in the top/parent rules (simple services only), then invoked APCL/URLF in the sub-layers via categories/applications.  For an identical policy goal, the resulting compiled Unified policy for each approach looked extremely similar and I wasn't able to detect any difference in rulebase lookup performance between the two.  So my basic conclusion was that ordered vs. inline is about the same as far as gateway performance especially due to the new Column-based matching, but if anyone from R&D would like to elaborate on this topic that would be great.  @PhoneBoy 

My general philosophy is that if you still have the straight ordered layers (one blade per layer) which is what you end up with after a R77.30->R8X upgrade and they are working well for you, there is no urgent need to spend the time converting it into a fully unified inline policy.  This is especially true in my opinion if the policy is very large.  It doesn't seem to make a difference in gateway performance, but a properly-constructed inline policy can be easier to understand and work with.

However if you are creating a brand new policy package from scratch for a new gateway/site, I'd strongly recommend using fully inline layers from the get-go and possibly security zone objects as well.  This is a piece of cake to do when starting a policy package from scratch, and will be much easier to manage in the long-term as the policy size grows.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
PhoneBoy
Admin
Admin
‎2022-07-24 09:08 AM
In response to Timothy_Hall

Where I think you might see a performance improvement with inline layers is in dealing with services that aren’t SecureXL friendly.
Basically, you can bury them in an inline layer so the rest of the policy will template.

0 Kudos
Alex-
Leader Leader
Leader
‎2022-07-24 11:03 AM
In response to PhoneBoy

Another aspect with ordered layer vs inline layer is that with the former, you need to accept a flow in both Network and Application  layers (or any other combination) which could double your logs for the same traffic if you log everything. With inline layer, logs are matched only once in either a "top level" network rule or the inline one, reducing log traffic.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events