APCL/URLF layer structure
At the time of writing, Check Point's own user guide for versions R81 and up contained this incorrect statement:
"5. Create an Application Control Ordered Layer after the Firewall/Network Ordered Layer. Add rules to explicitly drop unwanted or unsafe traffic. Add an explicit cleanup rule at the bottom of the Ordered Layer to accept everything else.
Alternatively, put Application Control rules in an Inline Layer as part of the Firewall/Network rules. In the parent rule of the Inline Layer, define the Source and Destination"
The screenshot from the official documentation is as follows:
If you were to follow this recommendation, the "accept everything else" cleanup rule at the bottom of the Application Control Ordered Layer would allow traffic to any IP and port on the internet, unless explicit rules are present in the APCL/URLF layer to drop it.
Instead, I suggest using the following approach: