This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AigarsK
Participant
‎2021-05-26 06:56 AM

R80.40 - Policy Layers change

Hi All,

Apologies in case this comms as general knowledge to some.

 

I have Checkpoint R80.40 implemented where it has one policy, and this policy under Access Control has separated layers. One layer called Network with Firewall blade selected and one layer called Application with Applications & URL Filtering blade selected.

This leaves me with two policy section to manage.

I do see that there is nothing preventing me to update first Layer to include Applications & URL Filtering blade.

What I am not clear is what would be the consideration to be taken if I do this.

Would I be required to go about replicating existing Applications & URL Filtering policy after I enable the blade and publish/install the policy on gateways? Or will it still operate in layers as long first one explicitly does not deny something allowed in second layer?

I am looking at doing consolidation of both blades and minimise policies to manage.

 

Many Thanks in advance!

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-05-26 08:29 AM

Two things:

  • If you are pushing this policy to any Pre-R80 gateways then you need to maintain the two layers as is (FW only in first layer, App Control in second layer)
  • If these layers are only used on R80+ gateways, then you can theoretically merge these layers together.
  • The main consideration in either case is to make sure that both layers accept the traffic you wish to pass. By matching a drop rule in either layer, traffic will not pass.

 

AigarsK
Participant
‎2021-05-26 08:35 AM
In response to PhoneBoy

Thanks PhoneBoy,

My deployment does not contain any Pre-R80.

I will look at updating layers and duplicating rules from Applications layer.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events