CPUG: The Check Point User Group

Thread: Can someone explain the sub-section and Inline layer concept with CP R80.10

  1. #1
    Join Date
    2012-06-13
    Posts
    291
    Rep Power
    6

    Can someone explain the sub-section and Inline layer concept with CP R80.10

    Hi Guys,

    I grew up with legacy CP and am finding it pretty difficult to understand the sub-section and layer concept in R80.10. Hence, can someone please explain the fundamentals behind sub-section policy and layers/inline layers?

    E.g. Sub-section
    Let's say I have a rule like
    Number 5
    Source - 192.168.10.0/24
    Dest - Internet
    Service/App - Https accept

    5.1
    source - : access_role _HR [from 192.168.10.x]
    Dest - Internet
    Apps - Job Related
    Action Allowed

    5.2
    source -: Access_role-admin [ from 192.168.10.x]
    Dest - Internet
    App - Social Networking
    Action Blocked

    Implicit Rule -: Blocked

    Inline Layer -: I am still not sure what an inline layer is!! Can someone please explain?

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,356
    Rep Power
    15

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Think of a layer (in general) as a collection of rules.
    Pre-R80, there are basically two layers:

    1. The firewall rulebase
    2. The App Control/URL Filtering rulebase

    For something to be allowed, it must hit an accept rule in both layers (the firewall layer and application control layer).
    These are ORDERED layers in R80+ terms.
    When you upgrade from R77.x management to R80, this is how your rulebases are represented, as two ordered layers.

    In R80.10+ gateways, you have two important capabilities:

    1. Layers can include multiple functions (e.g. Firewall and App Control/URL Filtering)
    2. The ability to use Inline layers

    A rule can have as an "action" something other than a Drop, Accept, etc... but a "layer."
    This means: if the connection matches the specified source/destination, it should be evaluated according to the referred layer.
    Based on that, the connection can be allowed/dropped/etc.

    Layers have some benefits:
    1. You can reuse them (e.g. multiple policies can refer to the same layer)
    2. You can control which administrators can modify a given layer (say, the same people who'd update your web filtering rules)
    3. It makes for a much simpler policy.

    In my home firewall policy, I have five main rules, but I refer to three different inline layers.
    As such I don't need section titles.

    Note that you generally don't mix ordered and inline layers, but you can.
    Of course, you can't get away from ordered layers entirely until you upgrade all your gateways to R80.10+.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2012-06-13
    Posts
    291
    Rep Power
    6

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by PhoneBoy:
    A rule can have as an "action" something other than a Drop, Accept, etc... but a "layer."
    This means: if the connection matches the specified source/destination, it should be evaluated according to the referred layer.
    Based on that, the connection can be allowed/dropped/etc.
    So in that case, if my source is, let's say, 192.168.10.0/24, the destination is Internet and the layer is appControl, then it will be passed to Application and URL Filtering?
    And in the subsequent layer my Access Role can be the source, which is coming from 192.168.10.0/24?

  4. #4
    Join Date
    2014-09-02
    Posts
    299
    Rep Power
    10

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by blason:
    Let's say I have a rule like
    Number 5
    Source - 192.168.10.0/24
    Dest - Internet
    Service/App - Https accept

    5.1
    source - : access_role _HR [from 192.168.10.x]
    Dest - Internet
    Apps - Job Related
    Action Allowed

    5.2
    source -: Access_role-admin [ from 192.168.10.x]
    Dest - Internet
    App - Social Networking
    Action Blocked

    Implicit Rule -: Blocked
    A couple of quick notes...
    - As Phoneboy indicated, the action of Rule 5 would not be Accept or Drop, but rather to fire the "blason's Approved Apps" layer (or whatever name you give it)
    - Access Roles in 5.1 and 5.2 do not have to specify network location, as the source IP has been qualified/matched by source on Rule 5
    - Similarly, you wouldn't have to specify destination in 5.1 and 5.2 (could leave as "any"), as this has been qualified by Rule 5 as well
    - You wouldn't need rule 5.2 due to the implicit drop/cleanup

    Leaving some tenets of a rule as "Any" allows for greater flexibility for "sharing" within other policies/layers. Of course, that should always only be done with caution/reason.

    For example, if the Access Roles used in rules 1 and 2 in the "blason's Approved Apps" policy (which appear as rules 5.1 and 5.2 in your example) are not locked to source networks, then the same in-line layer could more easily be used within a separate policy on another gateway, being fired by a rule that specifies a different source network. So, if we want HR to be able to access "Job Related" apps from other locations, the same in-line layer can be used in the policies used on the gateways at those sites.

    -E
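To make the two evaluation models in this thread concrete, here is a small Python simulation (added for illustration; it is not Check Point code and not something either poster wrote). It models the pre-R80 arrangement of two ordered layers, where a connection must be accepted by both the Firewall and the Application layer, next to the R80.10 arrangement where rule 5's action is an inline layer that ends in an implicit cleanup drop. The layer name "blason's Approved Apps", the "role:HR" source notation, the "Internet" destination label and the sample connections are all constructed for the example.

```python
"""Toy model of ordered vs. inline layers (added illustration, not a Check Point API)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = "Any"
ACCEPT, DROP = "Accept", "Drop"


@dataclass
class Connection:
    """A constructed sample connection; 'role' stands for the Access Role identity resolved for it."""
    src_ip: str
    dst: str                      # hypothetical destination label, e.g. "Internet"
    service: str                  # e.g. "https"
    role: Optional[str] = None    # e.g. "HR"
    app: Optional[str] = None     # application category seen by App Control, e.g. "Job Related"


@dataclass
class Rule:
    name: str
    src: str = ANY                     # a CIDR, "role:<AccessRole>" (constructed notation), or Any
    dst: str = ANY
    service: str = ANY
    app: str = ANY
    action: Union[str, Layer] = DROP   # Accept, Drop, or an inline Layer

    def matches(self, conn: Connection) -> bool:
        if self.src == ANY:
            src_ok = True
        elif self.src.startswith("role:"):
            src_ok = conn.role == self.src[len("role:"):]
        else:
            src_ok = ip_address(conn.src_ip) in ip_network(self.src)
        return (src_ok and self.dst in (ANY, conn.dst)
                and self.service in (ANY, conn.service)
                and self.app in (ANY, conn.app))


@dataclass
class Layer:
    name: str
    rules: List[Rule]

    def evaluate(self, conn: Connection, trace: List[str]) -> str:
        """First match wins; a Layer action hands the connection to that inline layer.
        No match means the layer's implicit cleanup rule, which drops."""
        for rule in self.rules:
            if rule.matches(conn):
                trace.append(f"[{self.name}] rule '{rule.name}' matched")
                if isinstance(rule.action, Layer):
                    return rule.action.evaluate(conn, trace)
                return rule.action
        trace.append(f"[{self.name}] no match -> implicit cleanup Drop")
        return DROP


def evaluate_policy(ordered_layers: List[Layer], conn: Connection) -> Tuple[str, List[str]]:
    """Ordered layers: the connection must be accepted by every layer in turn."""
    trace: List[str] = []
    for layer in ordered_layers:
        if layer.evaluate(conn, trace) != ACCEPT:
            return DROP, trace
    return ACCEPT, trace


# Pre-R80 representation: two ordered layers, both must accept.
FIREWALL = Layer("Firewall", [
    Rule("LAN to Internet HTTPS", src="192.168.10.0/24", dst="Internet", service="https", action=ACCEPT),
])
APP_CONTROL = Layer("Application", [
    Rule("HR job sites", src="role:HR", app="Job Related", action=ACCEPT),
])
LEGACY = [FIREWALL, APP_CONTROL]

# R80.10 representation: rule 5's action is the inline layer.
APPROVED_APPS = Layer("blason's Approved Apps", [
    # 5.1: source and destination are already qualified by rule 5, so only role and app are needed.
    Rule("5.1 HR job sites", src="role:HR", app="Job Related", action=ACCEPT),
    # No explicit 5.2: anything else (e.g. admins to Social Networking) hits the implicit cleanup.
])
NETWORK = Layer("Network", [
    Rule("5 LAN to Internet HTTPS", src="192.168.10.0/24", dst="Internet", service="https",
         action=APPROVED_APPS),
])
R80 = [NETWORK]


def decide_legacy(conn: Connection) -> str:
    return evaluate_policy(LEGACY, conn)[0]


def decide_r80(conn: Connection) -> str:
    return evaluate_policy(R80, conn)[0]


# Constructed sample traffic.
HR_JOB = Connection("192.168.10.5", "Internet", "https", role="HR", app="Job Related")
ADMIN_SOCIAL = Connection("192.168.10.7", "Internet", "https", role="admin", app="Social Networking")
HR_FROM_ELSEWHERE = Connection("10.9.9.9", "Internet", "https", role="HR", app="Job Related")

if __name__ == "__main__":
    for c in (HR_JOB, ADMIN_SOCIAL, HR_FROM_ELSEWHERE):
        verdict, trace = evaluate_policy(R80, c)
        print(verdict, "|", " ; ".join(trace))
```

The third sample is the point Eric makes about sharing: HR traffic from a network that rule 5 does not cover never reaches the inline layer at all, so the inline layer's rules can stay free of source networks and be reused behind a different parent rule elsewhere.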

  5. #5
    Join Date
    2014-09-02
    Posts
    299
    Rep Power
    10

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Let me just take this opportunity to clarify a few things that I've seen a bit of confusion over...

    Layers are not a new thing, not even to Check Point - what's new is calling them "Layers". In one way or another, we've had multiple layers in use as far back as I can remember (and yes, I'm feeling old). What most admins refer to as their "Policy" could more specifically be referred to as a Security Policy, Network Policy, or even (less properly) as a Firewall Policy. That policy is effectively sandwiched between other functions and features (NAT, APCL, IPS, etc.). In recent versions, prior to R80, these policies are actually part of a "Policy Package", and that's what you really create, open and save in SmartDashboard - the Security Policy is just one part of it. In one way of thinking, these are basically an early form of ordered layers. While they can't be truly shared, they can be individually deleted or copied between "packages". Look carefully at your File menu in SmartDashboard to see what I mean.

    So...a Layer is really nothing more than what used to be called a Policy. The change in terms, however, allows us to better conceive of how flexible and powerful the new layers can be. To confuse things more, we still have the "Policy" term, but even that's used at two levels. The top level "Policy" (found in the name of the tab open in "Security Policies" section of SmartConsole) can actually contain separate "policies" for both Access Control and Threat Prevention. It's the policies within Application Control and Threat Prevention that contain layers, both ordered and in-line.

    If you upgrade from R7x to R80.x, your existing Policy Packages are essentially converted to ordered layers, since that's how they need to be applied by R80.x management. Your previous package will be found under "Access Control", showing separate options/layers for Policy, NAT, Desktop, and QoS. Within the Policy layer you'll likely see two ordered layers called "Security" and "Application". Note: until you've upgraded gateways to R80.10+, don't change this layering - it needs to stay pretty much as it is to be installed on pre-80 gateways.

    The really cool, new, fun stuff comes when you've upgraded your gateways to R80.10+ and can start to add additional layers to the policy, either ordered, in-line, or both. As PhoneBoy touched on, this then lends itself to sharing layers (between policies, or even other layers), delegation (allowing administrators control over individual layers), and even consolidation (applying multiple blades within one layer - like security, APCL, and even content awareness).

    I hope I didn't get too off-topic or hijack the thread, it's just that I've been playing with these things for a couple of years and am excited that others are now able to (and interested in) learning and taking advantage. Please keep the questions coming!

    -E

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,356
    Rep Power
    15

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    You didn't hijack, you were just a little more verbose than I was.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  7. #7
    Join Date
    2014-09-02
    Posts
    299
    Rep Power
    10

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by PhoneBoy:
    you were just a little more verbose than I was
    What, me? Verbose? Never. I'm also never sarcastic (or use parentheses).

    I'll definitely admit that I can ramble on a bit, especially when I get passionate and excited about something (there are at least a few members here that know me well enough to confirm). I look forward to the years to come, and seeing the use of layers evolve to a point that we forget how we ever lived without them.

    On a not-quite-on-topic, but not-quite-unrelated side-question: Phoneboy, do you know of any roadmap/plan to allow shared layers to be installed across all gateways/policies that they're used in, without having to install the entire policy to a gateway? I sense a RFE in my future...

    -E

  8. #8
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,356
    Rep Power
    15

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by EricAnderson:
    On a not-quite-on-topic, but not-quite-unrelated side-question: Phoneboy, do you know of any roadmap/plan to allow shared layers to be installed across all gateways/policies that they're used in, without having to install the entire policy to a gateway? I sense a RFE in my future...
    Pretty sure this is in the roadmap.
    That would definitely make them more useful
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  9. #9
    Join Date
    2012-06-13
    Posts
    291
    Rep Power
    6

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Thanks a ton, E, for being so descriptive and PhoneBot for being precise.

    Though I am still not confident about migrating from R7.x to R80.x and feel a bit nervous, as most things have changed completely. Wondering how anyone can even troubleshoot.

    BTW, my question to the community is: what is the success rate of R80.x in production environments, and how many have migrated to R80.x from R7x?

    The only +ve for me, and a "must must" feature, is VPN/backup VPN/ISP redundancy/PBR when ISP Redundancy is on, and dynamic protocol compatibility; that way CP can really compete with other vendors, who are really coming on very strong.

  10. #10
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    606
    Rep Power
    5

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by blason:
    Thanks a ton, E, for being so descriptive and PhoneBot for being precise.

    Though I am still not confident about migrating from R7.x to R80.x and feel a bit nervous, as most things have changed completely. Wondering how anyone can even troubleshoot.

    BTW, my question to the community is: what is the success rate of R80.x in production environments, and how many have migrated to R80.x from R7x?

    The only +ve for me, and a "must must" feature, is VPN/backup VPN/ISP redundancy/PBR when ISP Redundancy is on, and dynamic protocol compatibility; that way CP can really compete with other vendors, who are really coming on very strong.
    This is similar to guys getting married: things go very well for them and they hope things will stay the same after it.
    Take away message: if you're married get R80, if not let it mature then we will all use it.

  11. #11
    Join Date
    2014-09-02
    Posts
    299
    Rep Power
    10

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by laf_c:
    This is similar to guys getting married: things go very well for them and they hope things will stay the same after it.
    Take away message: if you're married get R80, if not let it mature then we will all use it.
    But...after a few years, aren't you supposed to trade your spouse in for a newer model?
    (not that she'll read this, but I'm actually happily married for many years, and not shopping)

    I usually fall back on the "If it ain't broke, don't fix it" quote. Paraphrased, that means that if a product is doing what you need it to and isn't bogging you down with bugs or limitations, don't go messing with it. Being on the bleeding-edge can be fun, but also risky. I only recommend clients upgrade when there are reasons to. For R80, the reasons can be numerous, as can the risks.

    -E

  12. #12
    Join Date
    2014-09-02
    Posts
    299
    Rep Power
    10

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by blason:
    Thanks a ton, E, for being so descriptive and PhoneBot for being precise.
    LOL. If I didn't know him personally, I'd seriously wonder if he was a "bot".

    Quote Originally Posted by blason:
    Though I am still not confident about migrating from R7.x to R80.x and feel a bit nervous, as most things have changed completely. Wondering how anyone can even troubleshoot.

    BTW, my question to the community is: what is the success rate of R80.x in production environments, and how many have migrated to R80.x from R7x?

    The only +ve for me, and a "must must" feature, is VPN/backup VPN/ISP redundancy/PBR when ISP Redundancy is on, and dynamic protocol compatibility; that way CP can really compete with other vendors, who are really coming on very strong.
    We've been installing R80 for management for new customers for about a year. That was driven primarily by not wanting them to have to re-learn everything we teach them fairly soon (with the major changes in R80.x), and to avoid a big upgrade procedure in the near future. This also allows them to take advantage of many R80 enhancements, such as simultaneous administrator sessions. "Success rate" has been very high.

    More recently, we've performed a number of upgrades of management from R7x to R80.10. While most have gone easily and flawlessly, others have been a bit more "interesting". Most issues have been either performance related (clients trying to use undersized hardware), or stem from things that weren't being done "correctly" beforehand (like bad naming conventions). Almost all problems have been easily mitigated, or workarounds devised. I'm not saying that the process is without issues, and there are still some limitations that cause us to hold off in many cases.

    Of course, new gateways were (and often still are) deployed as R77.30, and upgrading existing gateways is still rather rare. Unless you plan to take advantage of new capabilities (especially layers), there isn't as compelling a reason to deploy gateways as R80.10. As people develop a better understanding of how to use layers (and other new enhancements), and as we all gain more trust in stability and performance, we'll see a significant uptick in R80.10 gateways.

    Most of the "must must" features you mentioned (VPN, ISP Redundancy, PBR) haven't really changed. Two of them (excluding VPN) are tied more to the operating system (Gaia) than to the firewall software. While R80 gives an updated look to Gaia, it hasn't really changed much in core functionality.

    -E

  13. #13
    Join Date
    2016-06-10
    Posts
    6
    Rep Power
    0

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by PhoneBoy:
    Pretty sure this is in the roadmap.
    That would definitely make them more useful
    yes, this is on the roadmap.

  14. #14
    Join Date
    2014-09-02
    Posts
    299
    Rep Power
    10

    Re: Can someone explain the sub-section and Inline layer concept with CP R80.10

    Quote Originally Posted by tomersole':
    yes, this is on the roadmap.
    Good to hear. Thanks for the confirmation!

    -E
