Ordered Layers and Inline Layers
A policy is a set of rules that the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) enforces on incoming and outgoing traffic. There are different policies for Access Control and for Threat Prevention.
You can organize the Access Control rules in more manageable subsets of rules using Ordered Layers and Inline Layers.
The Need for Ordered Layers and Inline Layers
Ordered Layers and Inline Layers help you manage your cyber security more efficiently. You can:
- Simplify the Rule Base (all rules configured in a given Security Policy; synonym: Rulebase), or organize parts of it for specific purposes.
- Organize the Policy into a hierarchy, using Inline Layers, rather than having a flat Rule Base. An Inline Layer is a sub-policy which is independent of the rest of the Rule Base.
- Reuse Ordered Layers in multiple Policy packages, and reuse Inline Layers in multiple Layers.
- Simplify the management of the Policy by delegating ownership of different Layers to different administrators.
- Improve performance by reducing the number of rules in a Layer.
Order of Rule Enforcement in Inline Layers
The Ordered Layer can contain Inline Layers.
This is an example of an Inline Layer:
The Inline Layer has a parent rule (Rule 2 in the example), and sub rules (Rules 2.1 and 2.2). The Action of the parent rule is the name of the Inline Layer.
If the packet does not match the parent rule of the Inline Layer, the matching continues to the next rule of the Ordered Layer (Rule 3).
If a packet matches the parent rule of the Inline Layer (Rule 2), the Security Gateway checks it against the sub rules:
- If the packet matches a sub rule in the Inline Layer (Rule 2.1), no more rule matching is done.
- If none of the higher rules in the Ordered Layer match the packet, the explicit Cleanup Rule is applied (Rule 2.2). If this rule is missing, the Implicit Cleanup Rule is applied (see Types of Rules in the Rule Base). No more rule matching is done.
Order of Rule Enforcement in Ordered Layers
When a packet arrives at the Security Gateway, the Security Gateway checks it against the rules in the first Ordered Layer, sequentially from top to bottom, and enforces the first rule that matches a packet.
If the Action of the matching rule is Drop, the Security Gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the Security Gateway continues to check rules in the next Ordered Layer.
| Item | Description |
|---|---|
| 1 | Ordered Layer 1 |
| 2 | Ordered Layer 2 |
| 3 | Ordered Layer 3 |
If none of the rules in the Ordered Layer match the packet, the explicit Default Cleanup Rule is applied. If this rule is missing, the Implicit Cleanup Rule is applied (see Types of Rules in the Rule Base).
Every Ordered Layer has its own implicit cleanup rule. You can configure the rule to Accept or Drop in the Layer settings (see Configuring the Implicit Cleanup Rule).
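As an added illustration (not Check Point code), here is a small Python model of the enforcement order described above for Inline Layers and for Ordered Layers: the first matching rule in a Layer wins, a matched parent rule hands the decision to its sub-rules with no fallback to the rules below the parent, Drop ends matching, Accept continues to the next Ordered Layer, and each Layer's own implicit cleanup applies when nothing matches. The sample policy, the rule names and the `src`/`svc`/`app` match fields are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    rules: list                     # checked top to bottom; the first matching rule is enforced
    implicit_cleanup: str = "Drop"  # every Layer has its own implicit cleanup action

@dataclass
class Rule:
    name: str
    action: object                  # "Accept", "Drop", or a Layer (this makes it a parent rule)
    src: str = "Any"                # constructed match fields; "Any" matches everything
    svc: str = "Any"
    app: str = "Any"

def matches(rule, pkt):
    return all(getattr(rule, f) in ("Any", pkt[f]) for f in ("src", "svc", "app"))

def match_layer(layer, pkt, trace):
    for rule in layer.rules:
        if not matches(rule, pkt):
            continue
        if isinstance(rule.action, Layer):   # parent rule: the Inline Layer's sub-rules decide
            trace.append(f"{layer.name}/{rule.name}: parent matched")
            return match_layer(rule.action, pkt, trace)  # no fallback to rules below the parent
        trace.append(f"{layer.name}/{rule.name}: {rule.action}")
        return rule.action
    trace.append(f"{layer.name}: implicit cleanup {layer.implicit_cleanup}")
    return layer.implicit_cleanup

def enforce(ordered_layers, pkt):
    """Drop in any Ordered Layer is final; Accept continues to the next Ordered Layer."""
    trace = []
    for layer in ordered_layers:
        if match_layer(layer, pkt, trace) == "Drop":
            return "Drop", trace
    return "Accept", trace

# Constructed sample policy, not taken from the page's screenshots.
LAN_INLINE = Layer("Lan-Inline", [Rule("2.1", "Accept", svc="http"),
                                  Rule("2.2", "Drop")])             # explicit cleanup sub-rule
NETWORK = Layer("Network", [Rule("2", LAN_INLINE, src="lan"),       # parent rule of the Inline Layer
                            Rule("3", "Accept", svc="https"),
                            Rule("4", "Drop")])                     # explicit cleanup rule
APPLICATION = Layer("Application", [Rule("1", "Drop", app="social")],
                    implicit_cleanup="Accept")                      # blacklist Layer: cleanup Accept

def verdict(src, svc, app="none"):
    return enforce([NETWORK, APPLICATION], {"src": src, "svc": svc, "app": app})[0]
```

Note that `verdict("lan", "https")` is Drop even though Rule 3 would accept HTTPS: once the parent rule matched, only the Inline Layer's sub-rules are consulted.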
Creating an Inline Layer
An Inline Layer is a sub-policy, which is independent of the rest of the Rule Base.
The workflow for making an Inline Layer is:
- Create a parent rule for the Inline Layer. Make a rule that has one or more properties that are the same for all the rules in the Inline Layer. For example, rules that have the same source, or service, or group of users.
- Create sub-rules for the Inline Layer. These are rules that define in more detail what to do if the Security Gateway matches a connection to the parent rule. For example, each sub-rule can apply to specified hosts, or users, or services, or Data Types.
- Add a rule to the Ordered Layer. This is the parent rule.
- In the Source, Destination, VPN, and Services & Applications cells, define the match conditions for the Inline Layer.
- Click the Action cell of the rule. Instead of selecting a standard action, select Inline Layer > New Layer.
  The Layer Editor window opens.
- Configure the properties of the Inline Layer:
  - Enable one or more of these Blades for the rules of the Inline Layer:
    - Firewall
    - Application & URL Filtering
    - Content Awareness
    - Mobile Access
  - Optional: It is a best practice to share Layers with other Policy packages when possible. To enable this, select Multiple policies can use this layer.
  - Click Advanced.
  - Configure the Implicit Cleanup Rule to Drop or Accept (see Types of Rules in the Rule Base).
  - Click OK.
  The name of the Inline Layer shows in the Action cell of the rule.
- Under the parent rule of the Inline Layer, add sub-rules.
- Make sure there is an explicit cleanup rule as the last rule of the Inline Layer (see Types of Rules in the Rule Base).

Note - A Remote Access VPN community object is not supported in the parent rule of an Inline Layer if the action is "Inline Layer". To resolve this issue, use "*Any" in the parent rule instead of the Remote Access VPN community object. You can use the Remote Access VPN community object in the rules in the Inline Layer.
Creating an Ordered Layer
- In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), click > Manage Policies and Layers.
- In the left pane, click Layers.
  You will see a list of the Layers. You can select Show only shared Layers.
- Click the New icon in the upper toolbar.
- Configure the settings in the Layer Editor window.
- Optional: It is a best practice to share Layers with other Policy packages when possible. To enable this, select Multiple policies can use this layer.
- Click OK.
- Click Close.
- Publish the SmartConsole session.
This Ordered Layer is not yet assigned to a Policy Package (a collection of different types of Security Policies, such as Access Control, Threat Prevention, QoS, and Desktop Security; after installation, Security Gateways enforce all Policies in the Policy Package).
- In SmartConsole, click Security Policies.
- Right-click a Layer in the Access Control Policy section and select Edit Policy.
  The Policy window opens.
- In the Access Control section, click the plus sign.
  You will see a list of the Layers that you can add. These are Layers that have Multiple policies can use this layer enabled.
- Select the Layer.
- Click OK.
- Publish the SmartConsole session.

- In SmartConsole, click Security Policies.
- Right-click a Layer in the Access Control Policy section, and select Edit Policy.
  The Policy window opens.
- In the Access Control section, click the plus sign.
- Click New Layer.
  The Layer Editor window opens and shows the General view.
- Enable Application & URL Filtering (the Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks; acronym: URLF) on the Layer:
  - Enter a name for the Layer. We recommend the name Application.
  - In the Blades section, select Application & URL Filtering.
  - Click OK and the Layer Editor window closes.
- Click OK and the Policy window closes.
- Publish the SmartConsole session.
Enabling Access Control Features
Before creating the Access Control Policy, you must enable the Access Control features that you will use in the Policy.
Enable the features on the:
- Security Gateways on which you will install the Policy.
- Ordered Layers and Inline Layers of the Policy. Here you can enable:
  - Firewall. This includes VPN (see VPN Column).
  - Application & URL Filtering (see Services & Applications Column).
  - Content Awareness (see Content Column).
  - Mobile Access (see Mobile Access to the Network).
To enable the Access Control features on a Security Gateway:
- In SmartConsole, from the left navigation panel, click Gateways & Servers and double-click the Security Gateway object.
  The General Properties window of the Security Gateway opens.
- From the navigation tree, click General Properties.
- In the Network Security tab, select one or more of these Access Control features:
  - IPsec VPN
  - Mobile Access
  - Application Control
  - URL Filtering
  - Content Awareness
  - Identity Awareness
- Click OK.
To enable the Access Control features on an Ordered Layer:
- In SmartConsole, click Security Policies.
- Under Access Control, right-click Policy and select Edit Policy.
- Click options for the Layer.
- Click Edit Layer.
  The Layer Editor window opens and shows the General view.
- Enable the Blades that you will use in the Ordered Layer:
  - Firewall
  - Application & URL Filtering
  - Content Awareness
  - Mobile Access
- Click OK.
To enable the Access Control features on an Inline Layer:
- In SmartConsole, click Security Policies.
- Select the Ordered Layer.
- In the parent rule of the Inline Layer, right-click the Action column, and select Inline Layer > Edit Layer.
- Enable the Blades that you will use in the Inline Layer:
  - Firewall
  - Application & URL Filtering
  - Content Awareness
  - Mobile Access
  Note - Do not enable a Blade that is not enabled in the Ordered Layer.
- Click OK.
Types of Rules in the Rule Base
There are three types of rules in the Rule Base: explicit, implied, and implicit.
Explicit rules
The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.
Important - The default Cleanup rule is an explicit rule that is added by default to every new layer. You can change or delete the default Cleanup rule. We recommend that you have an explicit Cleanup rule as the last rule in each layer.
Implied rules
The default rules that are available as part of the Global properties configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:
- First - Applied first, before all other rules in the Rule Base, explicit or implied.
- Last - Applied last, after all other rules in the Rule Base, explicit or implied, but before the Implicit Cleanup Rule.
- Before Last - Applied before the last explicit rule in the Rule Base.
Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections rules allow packets that control these services:
- Installation of the security policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) on a Security Gateway
- Sending logs from a Security Gateway to the Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server)
- Connecting to third party application servers, such as RADIUS and TACACS authentication servers
Implicit cleanup rule
The default "catch-all" rule for the Layer that deals with traffic that does not match any explicit or implied rules in the Layer. It is made automatically when you create a Layer.
Implicit cleanup rules do not show in the Rule Base.
For Security Gateways R80.10 and higher, the default implicit cleanup rule action is Drop. This is because most Policies have Whitelist rules (the Accept action). If the Layer has Blacklist rules (the Drop action), you can change the action of the implicit cleanup rule to Accept in the Layer Editor.
For Security Gateways R77.30 and lower, the action of the implicit rule depends on the Ordered Layer:
- Drop - for the Network Layer
- Accept - for a Layer with Applications and URL Filtering enabled
Note - If you change the default values, the policy installation fails on Security Gateway R77.30 or lower.
Order in which the Security Gateway applies the rules
- First Implied Rule - No explicit rules can be placed before it.
- Explicit Rules - These are the rules that you create.
- Before Last Implied Rules - Applied before the last explicit rule.
- Last Explicit Rule - We recommend that you use a Cleanup rule as the last explicit rule.
  Note - If you use the Cleanup rule as the last explicit rule, the Last Implied Rule and the Implicit Cleanup Rule are not enforced.
- Last Implied Rule - Remember that although this rule is applied after all other explicit and implied rules, the Implicit Cleanup Rule is still applied last.
- Implicit Cleanup Rule - The default rule that is applied if none of the rules in the Layer match.
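As an added example (not Check Point code), the following Python builds the effective order of a Layer's rules from the categories in the list above and reports which rules an explicit catch-all Cleanup rule shadows, which is the Note above in executable form. The categories come from this page; the rule names other than Accept Control Connections are constructed.

```python
# Added example (not Check Point code): derive the order in which a Layer's rules are
# applied from the rule categories on this page, then report which rules an earlier
# catch-all rule makes unreachable. Each rule is a constructed (name, category, catch_all) tuple.
ORDER = ("First Implied", "Explicit", "Before Last Implied",
         "Last Explicit", "Last Implied", "Implicit Cleanup")

def effective_order(rules):
    """Sort by category; sorted() is stable, so the administrator's order within a category is kept."""
    return sorted(rules, key=lambda r: ORDER.index(r[1]))

def unreachable(rules):
    """Names of rules that follow the first catch-all rule in the effective order.
    A catch-all matches every connection, so nothing below it is ever enforced."""
    ordered = effective_order(rules)
    for i, (_, _, catch_all) in enumerate(ordered):
        if catch_all:
            return [name for name, _, _ in ordered[i + 1:]]
    return []

def names(rules):
    return [name for name, _, _ in effective_order(rules)]

# Constructed Layer: one implied rule at each position (names other than
# "Accept Control Connections" are made up), two explicit rules, and an explicit
# Cleanup rule as the last explicit rule, as the page recommends.
LAYER = [
    ("Cleanup", "Last Explicit", True),
    ("Allow DNS", "Explicit", False),
    ("Accept Control Connections", "First Implied", False),
    ("Implied rule B", "Before Last Implied", False),
    ("Implied rule L", "Last Implied", False),
    ("Implicit Cleanup Rule", "Implicit Cleanup", True),
]
```

With the explicit Cleanup rule in place, `unreachable(LAYER)` lists the Last Implied rule and the Implicit Cleanup Rule; remove the explicit Cleanup rule and the list is empty.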
Some of the implied rules are enabled by default. You can change the default configuration as necessary.
To configure the implied rules:
- In SmartConsole, select the Access Control Policy.
- From the toolbar above the policy, select Actions > Implied Rules.
  The Implied Policy window opens.
- In the left pane, click Configuration.
- Select a rule to enable it, or clear a rule to disable it.
- For the enabled rules, select the position of the rules in the Rule Base: First, Last, or Before Last (see Types of Rules in the Rule Base).
- Click OK and install the policy.
To see the implied rules:
In SmartConsole, from the Security Policies View, select Actions > Implied Rules.
The Implied Policy window opens.
It shows only the implied rules, not the explicit rules.
To configure the Implicit Cleanup Rule:
- In SmartConsole, click > Manage Policies and Layers.
- In the left pane, click Layers.
- Select a Layer and click Edit.
  The Layer Editor opens.
- Click Advanced.
- Configure the Implicit Cleanup Rule to Drop or Accept.
- Click OK.
- Click Close.
- Publish the SmartConsole session.
Administrators for Access Control Layers
You can create administrator accounts dedicated to the role of Access Control, with their own installation and SmartConsole Read/Write permissions.
You can also delegate ownership of different Layers to different administrators. See Configuring Permissions for Access Control Layers.
Sharing Layers
You may need to use the same rules in different parts of a Policy, or have the same rules in multiple Policy packages.
There is no need to create the rules multiple times. Define an Ordered Layer or an Inline Layer one time, and mark it as shared. You can then reuse the Inline Layer or Ordered Layer in multiple policy packages, or use the Inline Layer in multiple places in an Ordered Layer. This is useful, for example, if you are an administrator of a corporation and want to share some of the rules among multiple branches of the corporation:
- It saves time and prevents mistakes.
- To change a shared rule in all of the corporation's branches, you must only make the change once.
To mark a Layer as shared:
- In SmartConsole, click > Manage policies and layers.
- In the left pane, click Layers.
- Select a Layer in Access Control or in Threat Prevention.
- Right-click and select Edit Layer.
- Configure the settings in the Layer Editor window.
- In General, select Multiple policies and rules can use this layer.
- Click OK.
- Click Close.
- Publish the SmartConsole session.
To add a shared Layer to a policy package:
- In SmartConsole, go to > Manage policies and layers > Policies.
- Right-click the required policy and click Edit. The policy properties window opens.
- In the Threat Prevention box, click the + sign.
- Select the layer you want to include in this policy package.
- Click OK.
- Close the policy properties window.
- In SmartConsole, install the policy.
- Repeat this procedure for all policy packages.
For examples of Inline Layers and Ordered Layers, see Use Cases for the Unified Rule Base.
Visual Division of the Rule Base with Sections
To better manage a policy with a large number of rules, you can use Sections to divide the Rule Base into smaller, logical components. The division is only visual and does not make it possible to delegate administration of different Sections to different administrators.
You can export Layer rules to a .CSV file. You can open and change the .CSV file in a spreadsheet application such as Microsoft Excel.
To export Layer rules to a .CSV file:
- In SmartConsole, click > Manage Policies and Layers.
  The Manage Layers window opens.
- Click Layers.
- Select a Layer, and then click Actions > Export selected Layer.
- Enter a path and file name.
Managing Policies and Layers
To work with Ordered Layers and Inline Layers in the Access Control Policy, select > Manage policies and layers in SmartConsole.
The Manage policies and layers window shows.
To see the Layers in the policy package and their attributes:
In the Layers pane of the window, you can see:
- Name - Layer name
- Number of Rules - Number of rules in the Layer
- Modifier - The administrator who last changed the Layer configuration
- Last Modified - Date the Layer was changed
- Show only Shared Layers - A shared Layer has the Multiple policies and rules can use this Layer option selected (see Sharing Layers)
- Layer Details:
  - Used in policies - Policy packages that use the Layer
  - Mode:
    - Ordered - An Ordered Layer. In a Multi-Domain Security Management environment, it includes global rules and a placeholder for local, Domain rules.
    - Inline - An Inline Layer, also known as a Sub-Policy.
    - Not in use - A Layer that is not used in a Policy package.
To see the rules in the Layer:
- Select a Layer.
- Right-click and select Open layer in policy.