One of the things which were very different from other vendor's firewall when we changed to Checkpoint was the absence of interface(s) in the firewall policy.
Now as Checkpoint introduced network zones and also inline-layers in the policy, isn't it possible to use some kind of template to have similar behavior? Here an example how it could look like for three zone pairs (internal->internet, internal->dmz-public, internal->dmz-private), without actual rules, but I think you get the point:
Then you would add the specific rules in the inline-layers. I see many advantages using this kind of template:
- If you make an error in a rule, only the inline-sublayer (so traffic between those specific zones) will be affected, not the complete firewall
- The firewall engine don't has to check unnecessary rules if zone doesn't match
- Delegate policy administration for a specific zone pair
Is there any reason against doing like this from Checkpoint architecture point of view?