Ordered Layers and Inline Layers

A policy is a set of rules that the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. enforces on incoming and outgoing traffic. There are different policies for Access Control and for Threat Prevention.

You can organize the Access Control rules in more manageable subsets of rules using Ordered Layers and Inline Layers.

The Need for Ordered Layers and Inline Layers

Ordered Layers and Inline Layers helps you manage your cyber security more efficiently. You can:

Order of Rule Enforcement in Inline Layers

The Ordered Layer can contain Inline Layers.

This is an example of an Inline Layer:

No.

Source

Destination

VPN

Services

Action

1

 

 

 

 

 

2

Lab_network

Any

Any

Any

Lab_rules

2.1

Any

Any

Any

https

http

Allow

2.2

Any

Any

Any

Any

Drop

3

 

 

 

 

 

The Inline Layer has a parent rule (Rule 2 in the example), and sub rules (Rules 2.1 and 2.2). The Action of the parent rule is the name of the Inline Layer.

If the packet does not match the parent rule of the Inline Layer, the matching continues to the next rule of the Ordered Layer (Rule 3).

If a packet matches the parent rule of the Inline Layer (Rule 2), the Security Gateway checks it against the sub rules:

  • If the packet matches a sub rule in the Inline Layer (Rule 2.1), no more rule matching is done.

  • If none of the higher rules in the Ordered Layer match the packet, the explicit Cleanup Rule is applied (Rule 2.2). If this rule is missing, the Implicit Cleanup Rule is applied (see Types of Rules in the Rule Base). No more rule matching is done.

Important:

Order of Rule Enforcement in Ordered Layers

When a packet arrives at the Security Gateway, the Security Gateway checks it against the rules in the first Ordered Layer, sequentially from top to bottom, and enforces the first rule that matches a packet.

If the Action of the matching rule is Drop, the Security Gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the Security Gateway continues to check rules in the next Ordered Layer.

Item

Description

1

Ordered Layer 1

2

Ordered Layer 2

3

Ordered Layer 3

If none of the rules in the Ordered Layer match the packet, the explicit Default Cleanup Rule is applied. If this rule is missing, the Implicit Cleanup Rule is applied (see Types of Rules in the Rule Base).

Every Ordered Layer has its own implicit cleanup rule. You can configure the rule to Accept or Drop in the Layer settings. (see Configuring the Implicit Cleanup Rule).

Important:

  • Always add an explicit Cleanup Rule at the end of each Ordered Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.

  • For Security Gateways R80.10 and lower, the second layer behaves like an Application Control policy.

Creating an Inline Layer

An Inline Layer is a sub-policy, which is independent of the rest of the Rule Base.

The workflow for making an Inline Layer is:

  1. Create a parent rule for the Inline Layer. Make a rule that has one or more properties that are the same for all the rules in the Inline Layer. For example, rules that have the same source, or service, or group of users.

  2. Create sub-rules for the Inline Layer. These are rules that define in more detail what to do if the Security Gateway matches a connection to the parent rule. For example, each sub-rule can apply to specified hosts, or users, or services, or Data Types.

  1. Add a rule to the Ordered Layer. This is the parent rule.

  2. In the Source, Destination, VPN, and Services & Applications cells, define the match conditions for the Inline Layer.

  3. Click the Action cell of the rule. Instead of selecting a standard action, select Inline Layer > New Layer.

  4. The Layer Editor window opens.

  5. Configure the properties of the Inline Layer:

    1. Enable one or more of these Blades for the rules of Inline Layer:

      • Firewall

      • Application & URL Filtering

      • Content Awareness

      • Mobile Access

    2. Optional: It is a best practice to share Layers with other Policy packages when possible. To enable this select Multiple policies can use this layer.

    3. Click Advanced.

    4. Configure the Implicit Cleanup Rule to Drop or Accept (see Types of Rules in the Rule Base).

    5. Click OK.

    The name of the Inline Layer shows in the Action cell of the rule.

  6. Under the parent rule of the Inline Layer, add sub-rules.

  7. Make sure there is an explicit cleanup rule as the last rule of the Inline Layer. (see Types of Rules in the Rule Base).

Note - A Remote Access VPN community object is not supported in the parent rule of an Inline Layer if the action is "Inline Layer".

To resolve this issue: Use "*Any" in the parent rule instead of the Remote Access VPN community object. You can use the Remote Access VPN community object in the rules in the inline layer.

Creating an Ordered Layer

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Menu > Manage Policies and Layers.

  2. In the left pane, click Layers.

    You will see a list of the Layers. You can select Show only shared Layers.

  3. Click the New icon in the upper toolbar.

  4. Configure the settings in the Layer Editor window.

  5. Optional: It is a best practice to share Layers with other Policy packages when possible. To enable this select Multiple policies can use this layer.

  6. Click OK.

  7. Click Close.

  8. Publish the SmartConsole session.

    This Ordered Layer is not yet assigned to a Policy PackageClosed Collection of different types of Security Policies, such as Access Control, Threat Prevention, QoS, and Desktop Security. After installation, Security Gateways enforce all Policies in the Policy Package..

  1. In SmartConsole, click Security Policies.

  2. Right-click a Layer in the Access Control Policy section and select Edit Policy.

    The Policy window opens.

  3. In the Access Control section, click the plus sign.

    You will see a list of the Layers that you can add. These are Layers that have Multiple policies can use this layer enabled.

  4. Select the Layer.

  5. Click OK.

  6. Publish the SmartConsole session.

  1. In SmartConsole, click Security Policies.

  2. Right-click a Layer in the Access Control Policy section, and select Edit Policy.

    The Policy window opens.

  3. In the Access Control section, click the plus sign.

  4. Click New Layer.

    The Layer Editor window opens and shows the General view.

  5. Enable Application & URL FilteringClosed Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. on the Layer.

    1. Enter a name for the Layer.

      We recommend the name Application.

    2. In the Blades section, select Application & URL Filtering.

    3. Click OK and the Layer Editor window closes.

    4. Click OK and the Policy window closes.

  6. Publish the SmartConsole session.

Enabling Access Control Features

Before creating the Access Control Policy, you must enable the Access Control features that you will use in the Policy.

Enable the features on the:

  1. In SmartConsole, from the left navigation panel, click Gateways & Servers and double-click the Security Gateway object.

    The General Properties window of the Security Gateway opens.

  2. From the navigation tree, click General Properties.

  3. In the Network Security tab, select one or more of these Access Control features:

    • IPsec VPN

    • Mobile Access

    • Application Control

    • URL Filtering

    • Content Awareness

    • Identity Awareness

  4. Click OK.

To enable the Access Control features on an Ordered Layer:

  1. In SmartConsole, click Security Policies.

  2. Under Access Control, right-click Policy and select Edit Policy.

  3. Click options for the Layer.

  4. Click Edit Layer.

    The Layer Editor window opens and shows the General view.

  5. Enable the Blades that you will use in the Ordered Layer:

    • Firewall.

    • Application & URL Filtering

    • Content Awareness

    • Mobile Access

  6. Click OK.

  1. In SmartConsole, click Security Policies.

  2. Select the Ordered Layer.

  3. In the parent rule of the Inline Layer, right-click the Action column, and select Inline Layer > Edit Layer.

  4. Enable the Blades that you will use in the Inline Layer:

    • Firewall

    • Application & URL Filtering

    • Content Awareness

    • Mobile Access

    Note - Do not enable a Blade that is not enabled in the Ordered Layer.

  5. Click OK.

Types of Rules in the Rule Base

There are three types of rules in the Rule Base- explicit, implied and implicit.

Explicit rules

The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.

Important - The default Cleanup rule is an explicit rule that is added by default to every new layer. You can change or delete the default Cleanup rule. We recommend that you have an explicit Cleanup rule as the last rule in each layer.

Implied rules

The default rules that are available as part of the Global properties configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:

  • First - Applied first, before all other rules in the Rule Base - explicit or implied

  • Last - Applied last, after all other rules in the Rule Base - explicit or implied, but before the Implicit Cleanup Rule

  • Before Last - Applied before the last explicit rule in the Rule Base

Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections rules allow packets that control these services:

Implicit cleanup rule

The default "catch-all" rule for the Layer that deals with traffic that does not match any explicit or implied rules in the Layer. It is made automatically when you create a Layer.

Implicit cleanup rules do not show in the Rule Base.

For Security Gateways R80.10 and higher, the default implicit cleanup rule action is Drop. This is because most Policies have Whitelist rules (the Accept action). If the Layer has Blacklist rules (the Drop action), you can change the action of the implicit cleanup rule to Accept in the Layer Editor.

For Security Gateways R77.30 and lower, the action of the implicit rule depends on the Ordered Layer:

  • Drop - for the Network Layer

  • Accept - for a Layer with Applications and URL Filtering enabled

Note - If you change the default values, the policy installation fails on Security Gateway R77.30 or lower.

Order in which the Security Gateway applies the rules

  1. First Implied Rule - No explicit rules can be placed before it.

  2. Explicit Rules - These are the rules that you create.

  3. Before Last Implied Rules - Applied before the last explicit rule.

  4. Last Explicit Rule - We recommend that you use a Cleanup rule as the last explicit rule.

    Note - If you use the Cleanup rule as the last explicit rule, the Last Implied Rule and the Implicit Cleanup Rule are not enforced.

  5. Last Implied Rule - Remember that although this rule is applied after all other explicit and implied rules, the Implicit Cleanup Rule is still applied last.

  6. Implicit Cleanup Rule - The default rule that is applied if none of the rules in the Layer match.

Some of the implied rules are enabled by default. You can change the default configuration as necessary.

To configure the implied rules:

  1. In SmartConsole, select the Access Control Policy.

  2. From the toolbar above the policy, select Actions > Implied Rules.

    The Implied Policy window opens.

  3. In the left pane, click Configuration.

  4. Select a rule to enable it, or clear a rule to disable it.

  5. For the enabled rules, select the position of the rules in the Rule Base: First, Last, or Before Last (see Types of Rules in the Rule Base).

  6. Click OK and install the policy.

In SmartConsole, from the Security Policies View, select Actions > Implied Rules.

The Implied Policy window opens.

It shows only the implied rules, not the explicit rules.

To configure the Implicit Cleanup Rule:

  1. In SmartConsole, click Menu > Manage Policies and Layers.

  2. In the left pane, click Layers.

  3. Select a Layer and click Edit.

    The Layer Editor opens.

  4. Click Advanced

  5. Configure the Implicit Cleanup Rule to Drop or Accept.

  6. Click OK.

  7. Click Close.

  8. Publish the SmartConsole session.

Administrators for Access Control Layers

You can create administrator accounts dedicated to the role of Access Control, with their own installation and SmartConsole Read/Write permissions.

You can also delegate ownership of different Layers to different administrators. See Configuring Permissions for Access Control Layers.

Sharing Layers

You may need to use the same rules in different parts of a Policy, or have the same rules in multiple Policy packages.

There is no need to create the rules multiple times. Define an Ordered Layer or an Inline Layer one time, and mark it as shared. You can then reuse the Inline Layer or Ordered layer in multiple policy packages or use the Inline Layer in multiple places in an Ordered Layer. This is useful, for example, if you are an administrator of a corporation and want to share some of the rules among multiple branches of the corporation:

  • It saves time and prevents mistakes.

  • To change a shared rule in all of the corporation's branches, you must only make the change once.

  1. In SmartConsole, click Menu > Manage policies and layers.

  2. In the left pane, click Layers.

  3. Select a Layer in Access Control or in Threat Prevention.

  4. Right-click and select Edit Layer.

  5. Configure the settings in the Layer Editor window.

  6. In General, select Multiple policies and rules can use this layer.

  7. Click OK.

  8. Click Close.

  9. Publish the SmartConsole session.

  1. In SmartConsole, go to Menu > Manage policies and layers > Policies.

  2. Right-click the required policy and click Edit. The policy properties window opens.

  3. In the Threat Prevention box, click the + sign.

  4. Select the layer you want to include in this policy package.

  5. Click OK.

  6. Close the policy properties window.

  7. In SmartConsole, install the policy.

  8. Repeat this procedure for all policy packages.

For examples of Inline Layers and Ordered Layer, see Use Cases for the Unified Rule Base.

Visual Division of the Rule Base with Sections

To better manage a policy with a large number of rules, you can use Sections to divide the Rule Base into smaller, logical components. The division is only visual and does not make it possible to delegate administration of different Sections to different administrators.

You can export Layer rules to a .CSV file. You can open and change the .CSV file in a spreadsheet application such as Microsoft Excel.

To export Layer rules to a .CSV file:

  1. In SmartConsole, click Menu > Manage Policies and Layers.

    The Manage Layers window opens.

  2. Click Layers.

  3. Select a Layer, and then click Actions > Export selected Layer.

  4. Enter a path and file name.

Managing Policies and Layers

To work with Ordered Layers and Inline Layers in the Access Control Policy, select Menu > Manage policies and layers in SmartConsole.

The Manage policies and layers window shows.

To see the Layer in the policy package and their attributes:

In the Layers pane of the window, you can see:

  • Name - Layer name

  • Number of Rules - Number of rules in the Layer

  • Modifier - The administrator who last changed the Layer configuration.

  • Last Modified -Date the Layer was changed.

  • Show only Shared Layers - A shared Layer has the Multiple policies and rules can use this Layer option selected. (see Sharing Layers).

  • Layer Details

    • Used in policies - Policy packages that use the Layer

    • Mode:

      • Ordered - An Ordered Layer. In a Multi-Domain Security Management environment, it includes global rules and a placeholder for local, Domain rules.

      • Inline - An Inline Layer, also known as a Sub-Policy.

      • Not in use - A Layer that is not used in a Policy package.

To see the rules in the Layer:

  1. Select a Layer.

  2. Right-click and select Open layer in policy.