Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ismar_Efendic
Participant
Jump to solution

Policy and multiple layers behavior

Hello

could you please guide me understanding how rule base checks are done with different layers?

for example i have one policy with 3 layers, 2 layers are shared. when the incoming connection comes will this mean it will first for thru first layer then second and third then get dropped or the first drop rule hit? 

thank you

ismar

0 Kudos
1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor

see this guide for clarity Layers in R80

View solution in original post

0 Kudos
7 Replies
Tomer_Sole
Mentor
Mentor

see this guide for clarity Layers in R80

0 Kudos
Ismar_Efendic
Participant

thank you great help

could you direct me to more detail explanation when defining Ordered layers?

do we only need clean up rule in last layer?

thank you

0 Kudos
Tomer_Sole
Mentor
Mentor

Please see the following guides for:

Regarding cleanup rules:

You don't have to define clean up rules explicitly. Each layer has an implicit cleanup rule - either any any accept, or any any drop.

In R7x SmartDashboard we had this generalized - implicit any any drop for the Firewall policy and implicit any any accept for the Application Control policy.

You can control the implicit cleanup rule when you edit a layer and go the the "Advanced" page:

implicit-cleanup.png

Although it's usually a good best practice to create that cleanup rule explicitly on the rulebase.

0 Kudos
Ismar_Efendic
Participant

And last thing from my on this topic, is it possibly to have 2 Firewall layers in one Policy?

Tomer_Sole
Mentor
Mentor

Only for R80.10 GW's and above. Having more than 1 ordered layer for Firewall for pre-R80 GW's will fail policy installation.

Let me know if you have other questions for layers in R80. Other than the discussions that I've linked so far, you can also check the admin guide for general recommendations.

0 Kudos
Ismar_Efendic
Participant

Is this also same for Inline Layer?

When will R80 be available for GW's?

0 Kudos
Tomer_Sole
Mentor
Mentor

Yes, inline layers have the same editor, and they have the same settings for the implicit cleanup rule.

Using inline layers requires an R80.10 GW, but because R80.10 will be a minor release, the Security Management server and SmartConsole applications are already prepared for designing this type of policies.

For R80.10 release date it is best to follow the Check Point Release Plan.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events