Ordered Layers and Inline Layers

A policy is a set of rules that the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. enforces on incoming and outgoing traffic. There are different policies for Access Control and for Threat Prevention.

You can organize the Access Control rules in more manageable subsets of rules using Ordered Layers and Inline Layers.

The Need for Ordered Layers and Inline Layers

Ordered Layers and Inline Layers helps you manage your cyber security more efficiently. You can:

Order of Rule Enforcement in Inline Layers

The Ordered Layer can contain Inline Layers.

This is an example of an Inline Layer:

No.

Source

Destination

VPN

Services

Action

1

 

 

 

 

 

2

Lab_network

Any

Any

Any

Lab_rules

2.1

Any

Any

Any

https

http

Allow

2.2

Any

Any

Any

Any

Drop

3

 

 

 

 

 

The Inline Layer has a parent rule (Rule 2 in the example), and sub rules (Rules 2.1 and 2.2). The Action of the parent rule is the name of the Inline Layer.

If the packet does not match the parent rule of the Inline Layer, the matching continues to the next rule of the Ordered Layer (Rule 3).

If a packet matches the parent rule of the Inline Layer (Rule 2), the Security Gateway checks it against the sub rules:

  • If the packet matches a sub rule in the Inline Layer (Rule 2.1), no more rule matching is done.

  • If none of the higher rules in the Ordered Layer match the packet, the explicit Cleanup Rule is applied (Rule 2.2). If this rule is missing, the Implicit Cleanup Rule is applied (see Types of Rules in the Rule Base). No more rule matching is done.

Important:

Order of Rule Enforcement in Ordered Layers

When a packet arrives at the Security Gateway, the Security Gateway checks it against the rules in the first Ordered Layer, sequentially from top to bottom, and enforces the first rule that matches a packet.

If the Action of the matching rule is Drop, the Security Gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the Security Gateway continues to check rules in the next Ordered Layer.

Item

Description

1

Ordered Layer 1

2

Ordered Layer 2

3

Ordered Layer 3

If none of the rules in the Ordered Layer match the packet, the explicit Default Cleanup Rule is applied. If this rule is missing, the Implicit Cleanup Rule is applied (see Types of Rules in the Rule Base).

Every Ordered Layer has its own implicit cleanup rule. You can configure the rule to Accept or Drop in the Layer settings (see Configuring the Implicit Cleanup Rule).

Important - Always add an explicit Cleanup Rule at the end of each Ordered Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.

Creating an Inline Layer

An Inline Layer is a sub-policy, which is independent of the rest of the Rule Base.

The workflow for making an Inline Layer is:

  1. Create a parent rule for the Inline Layer. Make a rule that has one or more properties that are the same for all the rules in the Inline Layer. For example, rules that have the same source, or service, or group of users.

  2. Create sub-rules for the Inline Layer. These are rules that define in more detail what to do if the Security Gateway matches a connection to the parent rule. For example, each sub-rule can apply to specified hosts, or users, or services, or Data Types.

Creating an Ordered Layer

Enabling Access Control Features

Before creating the Access Control Policy, you must enable the Access Control features that you will use in the Policy.

Enable the features on the:

Types of Rules in the Rule Base

There are three types of rules in the Rule Base- explicit, implied and implicit.

Explicit rules

The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.

Important - The default Cleanup rule is an explicit rule that is added by default to every new layer. You can change or delete the default Cleanup rule. We recommend that you have an explicit Cleanup rule as the last rule in each layer.

Implied rules

The default rules that are available as part of the Global properties configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:

  • First - Applied first, before all other rules in the Rule Base - explicit or implied

  • Last - Applied last, after all other rules in the Rule Base - explicit or implied, but before the Implicit Cleanup Rule

  • Before Last - Applied before the last explicit rule in the Rule Base

Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections rules allow packets that control these services:

Implicit cleanup rule

The default "catch-all" rule for the Layer that deals with traffic that does not match any explicit or implied rules in the Layer. It is made automatically when you create a Layer.

Implicit cleanup rules do not show in the Rule Base.

For Security Gateways R80.10 and higher, the default implicit cleanup rule action is Drop. This is because most Policies have Allow List rules (the Accept action). If the Layer has Blacklist rules (the Drop action), you can change the action of the implicit cleanup rule to Accept in the Layer Editor.

For Security Gateways R77.30 and lower, the action of the implicit rule depends on the Ordered Layer:

  • Drop - for the Network Layer

  • Accept - for a Layer with Applications and URL Filtering enabled

Note - If you change the default values, the policy installation fails on Security Gateway R77.30 or lower.

Order in which the Security Gateway applies the rules

  1. First Implied Rule - No explicit rules can be placed before it.

  2. Explicit Rules - These are the rules that you create.

  3. Before Last Implied Rules - Applied before the last explicit rule.

  4. Last Explicit Rule - We recommend that you use a Cleanup rule as the last explicit rule.

    Note - If you use the Cleanup rule as the last explicit rule, the Last Implied Rule and the Implicit Cleanup Rule are not enforced.

  5. Last Implied Rule - Remember that although this rule is applied after all other explicit and implied rules, the Implicit Cleanup Rule is still applied last.

  6. Implicit Cleanup Rule - The default rule that is applied if none of the rules in the Layer match.

Administrators for Access Control Layers

You can create administrator accounts dedicated to the role of Access Control, with their own installation and SmartConsole Read/Write permissions.

You can also delegate ownership of different Layers to different administrators. See Configuring Permissions for Access Control Layers.

Sharing Layers

You may need to use the same rules in different parts of a Policy, or have the same rules in multiple Policy packages.

There is no need to create the rules multiple times. Define an Ordered Layer or an Inline Layer one time, and mark it as shared. You can then reuse the Inline Layer or Ordered layer in multiple policy packages or use the Inline Layer in multiple places in an Ordered Layer. This is useful, for example, if you are an administrator of a corporation and want to share some of the rules among multiple branches of the corporation:

  • It saves time and prevents mistakes.

  • To change a shared rule in all of the corporation's branches, you must only make the change once.

Visual Division of the Rule Base with Sections

To better manage a policy with a large number of rules, you can use Sections to divide the Rule Base into smaller, logical components. The division is only visual and does not make it possible to delegate administration of different Sections to different administrators.

Managing Policies and Layers

To work with Ordered Layers and Inline Layers in the Access Control Policy, select Menu > Manage policies and layers in SmartConsole.

The Manage policies and layers window shows.

To see the Layer in the policy package and their attributes:

In the Layers pane of the window, you can see:

  • Name - Layer name

  • Number of Rules - Number of rules in the Layer

  • Modifier - The administrator who last changed the Layer configuration.

  • Last Modified -Date the Layer was changed.

  • Show only Shared Layers - A shared Layer has the Multiple policies and rules can use this Layer option selected (see Sharing Layers).

  • Layer Details

    • Used in policies - Policy packages that use the Layer

    • Mode:

      • Ordered - An Ordered Layer. In a Multi-Domain Security Management environment, it includes global rules and a placeholder for local, Domain rules.

      • Inline - An Inline Layer, also known as a Sub-Policy.

      • Not in use - A Layer that is not used in a Policy package.

To see the rules in the Layer:

  1. Select a Layer.

  2. Right-click and select Open layer in policy.