topic Re: Application Control Signature Tool in General Topics

Application Control Signature Tool

Jake_Williams — Fri, 27 Apr 2018 00:29:58 GMT

I'm wondering if anyone out there is using the Application Control Signature Tool referenced in sk103051. Checkpoint support suggested that I use it to write some custom application signatures for cloud-based websites we use (in our case, ADP and YouEarnedIt).

If other people are using it, I'm wondering if there exists (or is interest in) a public repository of rules for sites that CKPT doesn't support. I figure we shouldn't all have to rewrite rules, we should be able to share them.

Re: Application Control Signature Tool

PhoneBoy — Sat, 28 Apr 2018 01:09:41 GMT

Anyone is, of course, welcome to post Application Signatures they've created on CheckMates.

Re: Application Control Signature Tool

Jeff_Engel — Tue, 01 May 2018 01:01:38 GMT

One other way to get apps added to the Application Control database is to provide packet captures of the application in use and any other supporting documentation(for off the shelf apps). This can be accomplished via a support ticket or through your SE. Feel free to ping me if you have questions.

Re: Application Control Signature Tool

Jake_Williams — Tue, 01 May 2018 13:34:21 GMT

I guess I'll get my SE involved - when I requested the applications through support, they sent me to the tool. They didn't ask me any questions about the applications or offer to help get them identified.

Re: Application Control Signature Tool

Jeff_Engel — Tue, 01 May 2018 13:42:35 GMT

Feel free to CC me on those emails. First initial, last name, at checkpoint dot com.

Re: Application Control Signature Tool

Jake_Williams — Tue, 01 May 2018 14:36:32 GMT

Thanks Jeff!

One additional question. Some of the traffic is HTTPS, would we have to have HTTPS inspection enabled in order to get them the traffic captures that they would need?

Re: Application Control Signature Tool

Jeff_Engel — Tue, 01 May 2018 14:52:26 GMT

No problem. Needing the clear traffic is ideal but not always necessary. It really depends on how granular you want the control to be. If there are specific features within the application that you would want to monitor/control then you would likely need the clear traffic capture. Think Facebook Messenger versus regular Facebook. If not, then there is a chance that we can detect it without. Hope that makes sense.