AigarsK
Participant

R80.40 - Policy Layers change

Hi All,

Apologies in case this comes as general knowledge to some.

 

I have Checkpoint R80.40 implemented where it has one policy, and this policy under Access Control has separated layers. One layer called Network with Firewall blade selected and one layer called Application with Applications & URL Filtering blade selected.

This leaves me with two policy sections to manage.

I do see that there is nothing preventing me from updating the first layer to include the Applications & URL Filtering blade.

What I am not clear on is what considerations should be taken into account if I do this.

Would I be required to go about replicating the existing Applications & URL Filtering policy after I enable the blade and publish/install the policy on gateways? Or will it still operate in layers as long as the first one does not explicitly deny something allowed in the second layer?

I am looking at doing consolidation of both blades and minimise policies to manage.

 

Many Thanks in advance!

0 Kudos
2 Replies
PhoneBoy
Admin

Two things:

  • If you are pushing this policy to any Pre-R80 gateways then you need to maintain the two layers as is (FW only in first layer, App Control in second layer)
  • If these layers are only used on R80+ gateways, then you can theoretically merge these layers together.
  • The main consideration in either case is to make sure that both layers accept the traffic you wish to pass. By matching a drop rule in either layer, traffic will not pass.

 

AigarsK
Participant

Thanks PhoneBoy,

My deployment does not contain any Pre-R80.

I will look at updating layers and duplicating rules from Applications layer.

0 Kudos
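
A simplified model of the point made in the reply above (traffic must be accepted in both ordered layers), as an added example that is not from the thread or from Check Point. It compares the two-layer verdict with a merged single rulebase over constructed sample flows and reports any flow whose verdict changes; the rule names, zones and the first-match model are assumptions.

```python
# Simplified model (an assumption, not Check Point's matching engine): first
# matching rule wins inside a layer; a flow passes only if every layer accepts.
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    src: str      # "any" is a wildcard in each match field
    dst: str
    service: str
    app: str
    action: str   # "accept" or "drop"

class Flow(NamedTuple):
    src: str
    dst: str
    service: str
    app: str

def layer_verdict(rules, flow):
    """Return (action, rule name) of the first matching rule; no match drops."""
    for r in rules:
        if all(want in ("any", got) for want, got in zip(r[1:5], flow)):
            return r.action, r.name
    return "drop", "<no match>"

def ordered_verdict(layers, flow):
    """A drop in any layer is final; accept requires accept in all layers."""
    name = "<no layers>"
    for rules in layers:
        action, name = layer_verdict(rules, flow)
        if action == "drop":
            return "drop", name
    return "accept", name

def merge_differences(layers, merged, flows):
    """Flows whose verdict changes when the layers become one rulebase."""
    pairs = [(f, ordered_verdict(layers, f)[0], layer_verdict(merged, f)[0]) for f in flows]
    return [p for p in pairs if p[1] != p[2]]

# Constructed sample policy and flows (hypothetical names).
NETWORK = [Rule("net-web", "lan", "internet", "https", "any", "accept"),
           Rule("net-cleanup", "any", "any", "any", "any", "drop")]
APPLICATION = [Rule("app-block-p2p", "any", "internet", "any", "p2p", "drop"),
               Rule("app-cleanup", "any", "any", "any", "any", "accept")]
NAIVE = NETWORK[:1] + APPLICATION[:1] + NETWORK[1:]  # app rules placed under the accept
FIXED = APPLICATION[:1] + NETWORK                    # app drop placed above the accept
FLOWS = [Flow("lan", "internet", "https", "web"), Flow("lan", "internet", "https", "p2p"),
         Flow("lan", "internet", "ssh", "web")]
print(merge_differences([NETWORK, APPLICATION], NAIVE, FLOWS))
```

In the naive merge the broad accept shadows the application drop, so the p2p flow that the two layers blocked is now accepted; the reordered merge keeps every verdict unchanged.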
