Annie-CCSA
Participant

Rule matching questions

I have a question on policy matching. From the information on ...

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuid...

...I understand that:

###
for an inline layer (sub-policy), if a packet matches the parent rule, the sub-policy is applied. Meaning 2 options within that policy:

1) a match is found in the subpolicy --> do the action from that matched sub-rule (drop or accept) -->
"no more rulebase checking is done"
2) no match is found --> action from explicit Cleanup rule is executed, if there's no explicit Cleanup, the implicit Cleanup rule is executed (could also be drop or accept) -->
"no more rulebase checking is done"


###
For inspection to continue to a next ordered layer, the action must be ACCEPT.
If the action is DROP, the firewall doesn't care about possible next ordered layers.

So now the questions:

1) But what if the action from an inline layer's explicit or implicit Cleanup is ACCEPT? What happens next (when other ordered layers are configured)? Does inspection of lower ordered layers still happen?

2) If you decide to use ordered layers, you had better define an explicit or implicit Cleanup rule with Accept (if not, none of your next ordered layers will ever be checked), right?

Thanks.

0 Kudos
11 Replies
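To make the two matching rules quoted in the post concrete, here is an added simulator that is not part of the original thread and not Check Point code. It models the semantics exactly as the post summarizes them, and that modelling is an assumption: a match inside an inline layer (or its cleanup) is final for that ordered layer, an ACCEPT verdict hands the packet to the next ordered layer, and a DROP verdict ends inspection. The policy, rule names, host labels and packets below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

ACCEPT, DROP = "accept", "drop"


@dataclass
class Rule:
    name: str
    src: str       # "any" or a host/network label (constructed labels)
    dst: str
    service: str
    action: Union[str, "Layer"]   # ACCEPT, DROP, or an inline Layer (sub-policy)

    def matches(self, pkt: dict) -> bool:
        fields = ((self.src, pkt["src"]), (self.dst, pkt["dst"]), (self.service, pkt["service"]))
        return all(want in ("any", have) for want, have in fields)


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = DROP   # action applied when no rule in the layer matches


def evaluate_layer(layer: Layer, pkt: dict, trace: List[str]) -> str:
    """First matching rule wins; an inline layer's verdict is final for this layer."""
    for rule in layer.rules:
        if not rule.matches(pkt):
            continue
        if isinstance(rule.action, Layer):
            trace.append(f"{layer.name}:{rule.name} -> inline layer {rule.action.name}")
            # Assumption from the post: once the sub-policy decides, no more
            # rules of the parent layer are checked.
            return evaluate_layer(rule.action, pkt, trace)
        trace.append(f"{layer.name}:{rule.name} -> {rule.action}")
        return rule.action
    trace.append(f"{layer.name}: no match -> implicit cleanup {layer.implicit_cleanup}")
    return layer.implicit_cleanup


def evaluate_policy(layers: List[Layer], pkt: dict) -> Tuple[str, List[str]]:
    """Ordered layers: ACCEPT continues to the next layer, DROP stops inspection."""
    trace: List[str] = []
    for layer in layers:
        if evaluate_layer(layer, pkt, trace) == DROP:
            trace.append("DROP: remaining ordered layers are not inspected")
            return DROP, trace
    trace.append("ACCEPT: every ordered layer accepted the packet")
    return ACCEPT, trace


# Constructed sample policy: two ordered layers, the first containing an inline layer
# whose explicit cleanup rule is ACCEPT (the case asked about in question 1).
WEB_SUB = Layer("web-sub", [
    Rule("allow-https", "any", "web", "https", ACCEPT),
    Rule("sub-cleanup", "any", "any", "any", ACCEPT),   # explicit cleanup with Accept
])
NETWORK = Layer("Network", [
    Rule("to-web", "any", "web", "any", WEB_SUB),
    Rule("net-cleanup", "any", "any", "any", DROP),     # explicit cleanup with Drop
])
APPLICATION = Layer("Application", [
    Rule("block-telnet", "any", "any", "telnet", DROP),
], implicit_cleanup=ACCEPT)
POLICY = [NETWORK, APPLICATION]


def run_samples() -> dict:
    """Evaluate three constructed packets and return their verdicts and traces."""
    packets = {
        "https-to-web":  {"src": "lan-host", "dst": "web", "service": "https"},
        "telnet-to-web": {"src": "lan-host", "dst": "web", "service": "telnet"},
        "https-to-db":   {"src": "lan-host", "dst": "db",  "service": "https"},
    }
    return {name: evaluate_policy(POLICY, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (verdict, trace) in run_samples().items():
        print(f"{name}: {verdict}")
        for step in trace:
            print("   ", step)
```

Under these assumed semantics, the telnet packet shows what question 1 is asking about: the sub-policy's explicit cleanup accepts it, and because that verdict is ACCEPT the Application layer still gets to inspect it and drops it on its own rule. The https-to-db packet shows the situation behind question 2: the Network layer's DROP cleanup ends inspection, so the Application layer never sees the packet at all.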