handiansudianto
Advisor

Rules Order

Hello,

We have a network policy layer and an application policy layer. The network policy has higher preference than the application policy.

With this scenario I want to know:

  • If any incoming traffic matches one of the rules in the network rule set, will the application policy be applied?
  • How can the application policy be applied, given that the application policy has secondary preference and there is an implicit deny at the bottom of the network rules? In my mind, because the network policy has an implicit deny, the application policy will not be applied.

Accepted Solution
emmap
Employee

Add a rule in the Application policy, below the one that allows YouTube, that drops everything else.

Also limit the services in the Network layer to only the relevant ports (presumably 80 and 443 for YouTube).

30 Replies
_Val_
Admin

If you use network policy and application policy as SEPARATE layers, then yes, application policy will be applied to a specific connection only once a matching accept rule in the network policy is found, as shown in the picture:

Screenshot 2024-08-20 at 10.23.17.png

However, applications can be used as part of the network security policy, with or without inline layers, and then the final rulebase match should include Application Control.

handiansudianto
Advisor

Hello,

So when there is no matching network rule for the traffic, does this mean the application rule will not be applied?
_Val_
Admin

To repeat myself, if you are using these two policies as separate layers, yes. In a general sense, not necessarily.

PhoneBoy
Admin

For traffic to pass the gateway, it must match an Accept rule in both the Network and Application layer.
This is how Ordered Layers work.

handiansudianto
Advisor

Hi, what happens if, for example, host 10.10.10.10 is permitted to the internet by the network layer, but we don't have any rule in the application layer?

You say 'it must match an Accept rule in both the Network and Application layer'. With the above scenario, is host 10.10.10.10 not able to reach the internet due to the implicit deny in the application rules, even though it is permitted on the network layer?
emmap
Employee

When a packet doesn't match a rule in a layer, the default action is performed. Assuming this is a policy that was updated from R77 days, the Application layer will have a default 'accept no log' action. This can be set when editing a policy layer. 

The reason for the 'accept no log' default is that the Application layer is a legacy concept from R77 days when we had the Firewall policy and the App Control/URL Filtering layer as separate entities. We didn't want to make people configure access twice, so the application layer only does anything if you specifically put a rule in it to match some traffic, else it just lets it through as it must already have been accepted on the Network layer to get that far. 

handiansudianto
Advisor

Hi,

I just realized the default action on the application rules is accept and not drop.

OK, so the application rule will work if there is any matching traffic from the network rule?
emmap
Employee

If the connection matches an Accept on the Network layer and nothing on the Application layer, it will pass through the gateway.

handiansudianto
Advisor

If I have the rule below, what do you think?

Is host 10.10.10.10 able to reach any address on the internet, or can it only access YouTube?

  • Network Layer :
    • source : 10.10.10.10
    • Destination : any
    • Action : accept
  • Application Layer :
    • source : 10.10.10.10
    • destination : any
    • service & application : youtube
    • action : accept
emmap
Employee

They can get anywhere. The YouTube traffic will be inspected by Application Control and anything else will match the default action for the Application layer.
handiansudianto
Advisor

So, do you know how to make a rule allowing host 10.10.10.10 only to YouTube?
emmap
Employee

Add a rule in the Application policy, below the one that allows YouTube, that drops everything else.

Also limit the services in the Network layer to only the relevant ports (presumably 80 and 443 for YouTube).
handiansudianto
Advisor

Hi,

  • Network Layer :
    • source : 10.10.10.10
    • Destination : any
    • Action : accept
    • service : http, https
  • Application Layer :
    • source : 10.10.10.10
    • destination : any
    • service & application : youtube
    • action : accept

Is this the rule you mean? I believe with this rule host 10.10.10.10 can access anywhere, since the destination on the network layer is set to any. Am I right?
emmap
Employee

Yes, they can get anywhere on those services. 

handiansudianto
Advisor

So, back again to my previous question: how can we limit access for 10.10.10.10 to only YouTube?
emmap
Employee

Add a rule in the Application policy, below the one that allows YouTube, that drops everything else.
handiansudianto
Advisor

Can you write the rule here?

emmap
Employee

  • source : 10.10.10.10
  • Destination : any
  • Action : drop
  • service : http, https
handiansudianto
Advisor

The completed rule is :

  • Network Layer :
    • source : 10.10.10.10
    • Destination : any
    • service : http, https
    • Action : drop
  • Application Layer :
    • source : 10.10.10.10
    • destination : any
    • service & application : youtube
    • action : accept

Am I right?

Why don't we put 'Any' in the service? If we only drop http and https, this means the host can still access other ports such as 8080, 1433, etc.
emmap
Employee

No.

The connection must be allowed by a rule in the Network layer before it can get to the Application layer. So it must match an Accept rule there. The connection must then match a rule on the Application layer, else it will match the default action that's configured on the layer. Assuming your Application layer is still at its default of 'accept but don't log', if you want traffic that doesn't match your YouTube rule to be dropped, you must explicitly drop it in another rule on the Application layer below your YouTube rule.

We don't put 'any' in accept rules at all as a general rule. Given your exercise here is to accept traffic to YouTube, we only need to allow web browsing traffic, hence on the network layer we only need to allow http/https. All other ports can be dropped on that layer.
handiansudianto
Advisor

Please confirm whether the rule below is right or not:

The completed rule is :

  • Network Layer :
    • source : 10.10.10.10
    • Destination : any
    • service : http, https
    • Action : drop
  • Application Layer 1 :
    • source : 10.10.10.10
    • destination : any
    • service & application : youtube
    • action : accept
  • Application Layer 2 :
    • source : 10.10.10.10
    • destination : any
    • service & application : any
    • action : drop
emmap
Employee

You're dropping the connection on the Network layer. If you do that, the connection will be dropped before it even reaches the Application layer. 

Connections must be accepted on each layer when using Ordered layers before they will pass through the gateway.

handiansudianto
Advisor

What about this?

  • Network Layer :
    • source : 10.10.10.10
    • Destination : any
    • service : http, https
    • Action : accept (previously I used drop, as in the rule you gave in your previous post)
  • Application Layer 1 :
    • source : 10.10.10.10
    • destination : any
    • service & application : youtube
    • action : accept
  • Application Layer 2 :
    • source : 10.10.10.10
    • destination : any
    • service & application : any
    • action : drop
emmap
Employee

The drop rule I mentioned was in reference to the second rule in the application layer.

Yes, now your 10.10.10.10 host will be allowed to access YouTube on http/https and all other connections will be dropped.
handiansudianto
Advisor

nice, thanks for your help.

Bob_Zimmerman
Authority

With ordered layers, drop is final. Further layers will not be evaluated. Accept is more like "Continue"; it ends that layer's evaluation, then the next layer gets a chance to drop it.

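The semantics emmap and Bob_Zimmerman describe above (first match wins within a layer, Drop is final, Accept only hands the connection to the next layer, and a per-layer default applies when nothing matches) are modelled in the Python below. This is an added illustration, not part of the thread or Check Point's own code: the rule fields, the negated-destination handling and the sample addresses are assumptions made for the example. It evaluates the final rulebase from the thread with and without the explicit drop rule in the Application layer, plus the variant where the drop was mistakenly placed in the Network layer, and the Network rule uses Bob_Zimmerman's negated non-public destination group with web ports only.

```python
"""Model of Check Point ordered-layer evaluation as described in this thread.

Added illustration, not Check Point code: rule fields and the trace output
are simplified stand-ins for the real rulebase; sample addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union

# Constructed: the address space a negated destination group would hold
# (RFC 1918, TEST-NET-1..3, loopback, reserved/experimental).
NON_PUBLIC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "127.0.0.0/8", "240.0.0.0/4",
)]

Any = "Any"


@dataclass
class Conn:
    src: str
    dst: str
    service: str                 # e.g. "https"
    app: Optional[str] = None    # application identified by App Control


@dataclass
class Rule:
    name: str
    src: str = Any
    dst: Union[str, list] = Any  # "Any" or a list of ip_network objects
    dst_negate: bool = False     # True models a negated destination cell
    service: Union[str, set] = Any
    app: Union[str, set] = Any
    action: str = "Accept"       # "Accept" or "Drop"


@dataclass
class Layer:
    name: str
    rules: list
    default: str = "Drop"        # implicit cleanup action of the layer


def matches(rule: Rule, c: Conn) -> bool:
    if rule.src != Any and c.src != rule.src:
        return False
    if rule.dst != Any:
        in_group = any(ip_address(c.dst) in n for n in rule.dst)
        if in_group == rule.dst_negate:   # negated cell matches only when NOT in group
            return False
    if rule.service != Any and c.service not in rule.service:
        return False
    if rule.app != Any and c.app not in rule.app:
        return False
    return True


def evaluate(layers: list, c: Conn):
    """Ordered layers: Drop is final, Accept only hands the connection to the next layer."""
    trace = []
    for layer in layers:
        for rule in layer.rules:
            if matches(rule, c):
                trace.append(f"{layer.name}:{rule.name}:{rule.action}")
                if rule.action == "Drop":
                    return "Drop", trace
                break                      # first match wins within a layer
        else:                              # no rule matched: the layer's default applies
            trace.append(f"{layer.name}:<default>:{layer.default}")
            if layer.default == "Drop":
                return "Drop", trace
    return "Accept", trace


HOST = "10.10.10.10"
WEB = {"http", "https"}


def network_layer(action: str = "Accept") -> Layer:
    # Web ports only, destination = NOT(non-public space); action="Drop" reproduces
    # the mistaken variant from the thread where the drop landed in the Network layer.
    return Layer("Network", [Rule("web-out", src=HOST, dst=NON_PUBLIC,
                                  dst_negate=True, service=WEB, action=action)])


def app_layer(with_cleanup: bool) -> Layer:
    rules = [Rule("youtube", src=HOST, app={"youtube"})]
    if with_cleanup:                       # explicit drop below the YouTube rule
        rules.append(Rule("drop-rest", src=HOST, action="Drop"))
    # An Application layer kept from an R77 upgrade defaults to Accept (no log).
    return Layer("Application", rules, default="Accept")


# Constructed sample connections.
YOUTUBE = Conn(HOST, "172.217.0.10", "https", app="youtube")
OTHER_WEB = Conn(HOST, "93.184.216.34", "https", app="other-site")
INTERNAL = Conn(HOST, "10.20.30.40", "https", app="youtube")
SSH = Conn(HOST, "93.184.216.34", "ssh")

if __name__ == "__main__":
    for label, layers in (("no cleanup", [network_layer(), app_layer(False)]),
                          ("with cleanup", [network_layer(), app_layer(True)]),
                          ("network drop", [network_layer("Drop"), app_layer(True)])):
        for conn in (YOUTUBE, OTHER_WEB, INTERNAL, SSH):
            verdict, trace = evaluate(layers, conn)
            print(f"{label:13} {conn.dst:15} {conn.service:5} {conn.app!s:10} -> {verdict:6} {' > '.join(trace)}")
```

Running it shows the three outcomes discussed: without the cleanup rule, non-YouTube web traffic is accepted by the Application layer's default; with it, only YouTube passes; and with Drop in the Network layer nothing ever reaches the Application layer.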
handiansudianto
Advisor

Hello,

For example, I want host 10.10.10.10 to be able to connect to YouTube only. We create an application rule to allow YouTube for host 10.10.10.10; what should I fill in the network rule? Should I permit host 10.10.10.10 to any?
Bob_Zimmerman
Authority

If you have multiple access layers in the policy package, each layer needs a rule to allow the traffic. There is no single correct way to write these rules.

I am perhaps more cautious than many. I would write the access rule as 10.10.10.10 to a negated group containing all the non-public address space (RFC 1918, test networks, experimental networks, loopback, etc.) via https.

handiansudianto
Advisor

So the rule will be:

  • Network Layer :
    • source : 10.10.10.10
    • Destination : any
    • Action : accept
  • Application Layer :
    • source : 10.10.10.10
    • destination : any
    • service & application : youtube
    • action : accept

Can you confirm?
