AnsweredAssumed Answered

Inline layer question

Question asked by Ted Hotchkiss on Feb 8, 2018
Latest reply on Feb 21, 2018 by Ted Hotchkiss

We are beginning to implement additional features with R80.10 since upgrading a couple months back, and I am attempting to construct an Inline Layer to address a specific source (domain), destination internal server, and to the smtp service only. In the first screenshot we see the existing and partially redacted rule. Rule 46 was initially constructed to audit the wide-open 'Any' source in Rule 47, and we are creating the Inline layer with Rule 46. The native unmodified rules:

Current unmodified rule

 

So modifying Rule 46 we have constructed the inline layer thusly:

Inline layer, first attempt

 

Several questions immediately come to mind, and I cannot wrap my brain around it fully enough. In no particular order:

 

1. When I have the cleanup rule (46.3 above) in a different capacity other than "Any/Any/Drop(Allow)" and on "Policy Targets", I get the message about the missing cleanup rule. I'm real close to grasping the Any/Any in later questions, but the policy targets still leaves me wondering. The policy is already defined/associated with this specific cluster, but we still employ the manual method of specifying the cluster on the 'Install On' field as a safeguard. When doing so, we are alerted with the "missing cleanup rule...." message. Wondering why, and whats the impact either way?

 

2. I thought the point of creating the inline layer was to segment a specific traffic flow to allow/deny it accordingly. Since creating a specific src/dst/svc inline layer, why must there be a broader 'any/any' cleanup rule? A certain type of logic would indicate that after allowing a specific src/dst/svc, at some point we should deny remaining sources (Any) to the same dest and service.

 

3. In another thread on CheckMates, it is stated:

"The way that inline layers work is the following: When the connection matches a parent rule that its action is an inline layer, the inline layer rules get evaluated.

Every inline layer (and also every layer) has an implicit cleanup rule that is either "any any accept" or "any any drop" set in its properties under "advanced". This means that once you go inside an inline layer, you cannot go outside back to the main layer, therefore rules in the inline layer cannot block rules that reside below the parent rule that holds them. Giving an admin the permission to only edit an inline layer will not affect the main layer that holds it."

 

I posit #3 and equate it to a roach motel...once the packet checks in (matching the parent rule) it cannot check out (inline layer cleanup rule). It is in essence a mini-policy within the main policy. Again I cycle back to why the any/any broad cleanup rule.

 

#Headache

 

This last screenshot leaves me with no "missing cleanup rule" errors, but also brings me back to the questions above and my cyclical head-scratching....

Any/any cleanup rule with no errors thrown

 

 

Long post short...why is this last screenshot correct, and what impact if any is there for the 250+ rules in the rest of this policy if we leave it in this last incarnation?

 

Many many thanks!

inline layers

manage layers

layers-best-practices

Outcomes