Who rated this post

Ordered can be nice for delegating control to different parallel teams. For example, an incident response team can have a layer for country-based blocking and blocking specific attackers, then the firewall team can control normal firewall rules, then the web filtering team can control Application Control/URL Filtering.

In my experience, inline layers are a headache. Every deployment I've ever seen results in weird drops which the admins don't understand (once traffic is sent to an inline layer, it can't go back up, and cleanup drops get a weird message). Rules wind up in the wrong places (e.g, below a rule which sends the traffic to another layer), and when the problem is identified, the rule gets added in the right place but the incorrect rule is left because getting permission to delete a rule is so painful. Additionally, most policy analysis tools I've tried don't handle inline layers very well.

My company is in the process of flattening our inline layers across the board.