https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116536#M16432 <P>Application Control is about letting you use "Facebook Games" and such in a rule. It's like URL Filtering.</P> <P>Basic RFC compliance (like FTP verbs and HTTP verbs) is enforced by a feature called protocol inspection. That does not involve Application Control or any subscription, it's just built right into the firewall.</P> <P>Deeper RFC compliance is more the domain of IPS. Still not Application Control, but a subscription feature commonly covered together.</P> Wed, 21 Apr 2021 15:13:15 GMT Bob_Zimmerman 2021-04-21T15:13:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116534#M16430 <P>Hello&nbsp;</P><P>In order to Enforce RFC compliance for the services protocols (for example ftp,http,allow ssh v2 only and block ssh v1 ) do i need application control enabled or not?</P><P>BR<BR />Kostas</P> Wed, 21 Apr 2021 14:34:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116534#M16430 KostasGR 2021-04-21T14:34:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116535#M16431 <P>I would say no - protocols are mostly analyzed by IPS Core protections. APCL enables you to differentiate between Apps, also ones that use the same protocols.</P> Wed, 21 Apr 2021 14:47:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116535#M16431 G_W_Albrecht 2021-04-21T14:47:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116536#M16432 <P>Application Control is about letting you use "Facebook Games" and such in a rule. It's like URL Filtering.</P> <P>Basic RFC compliance (like FTP verbs and HTTP verbs) is enforced by a feature called protocol inspection. That does not involve Application Control or any subscription, it's just built right into the firewall.</P> <P>Deeper RFC compliance is more the domain of IPS. Still not Application Control, but a subscription feature commonly covered together.</P> Wed, 21 Apr 2021 15:13:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116536#M16432 Bob_Zimmerman 2021-04-21T15:13:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116538#M16433 <P>As Gunther said the IPS Core Protections enforce this, along with "Inspection Settings" located under Shared Policies.&nbsp; The IPS blade is not necessary unless you are using an R77.30 or older gateway, where Core Protections and Inspection Settings were originally part of the IPS Blade.&nbsp; In R80.10 and later they are part of the standard Access Policy (Firewall blade) as mentioned in my IPS Immersion video class.</P> Wed, 21 Apr 2021 15:17:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116538#M16433 Timothy_Hall 2021-04-21T15:17:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116650#M16450 <P>Hello again</P><P>The below is from admin guide for security management r80.40.</P><P>&nbsp;</P><P>Service Matching<BR />The Security Gateway identifies (matches) a service according to IP protocol, TCP and UDP port number,<BR />and protocol signature.<BR />To make it possible for the Security Gateway to match services by protocol signature, you must enable<BR />Application &amp; URL Filtering on the Security Gateway and on the Ordered Layer.<BR />You can configure TCP and UDP services to be matched by source port.</P><P>BR,<BR />Kostas</P> Thu, 22 Apr 2021 15:30:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116650#M16450 KostasGR 2021-04-22T15:30:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116652#M16451 <P>Protocol inspection is about enforcing some protocol compliance.</P> <P>Protocol signatures are more about differentiating between multiple application-level protocols used over the same port.</P> Thu, 22 Apr 2021 15:35:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enforce-RFC-compliance-for-the-services-protocol/m-p/116652#M16451 Bob_Zimmerman 2021-04-22T15:35:43Z