topic Re: Allowing web access in General Topics

Allowing web access

Ihenock1011 — Tue, 13 Aug 2024 13:13:22 GMT

Hi All,

I want to allow web access for a user. Will allowing HTTPS traffic on the firewall blade grant web access, or is it necessary to also allow specific websites or applications in the app/URL blade?

Thanks

Re: Allowing web access

the_rock — Tue, 13 Aug 2024 13:30:11 GMT

Sounds like you want to allow them access to any site?

Re: Allowing web access

Ihenock1011 — Tue, 13 Aug 2024 13:36:15 GMT

@the_rock Yea but not social media web access only.

Re: Allowing web access

the_rock — Tue, 13 Aug 2024 13:41:00 GMT

See if my post below helps, except you can skip ssl inspection part, but thats sort of the point for https sites. Anyway, in your case, you need url filtering enabled,you can block social media category, BUT, it will look goofy when user sees it, as block page will NEVER come up without ssl inspection enabled. So, first rule block that category, make sure urlf is enabled on the layer, then 2nd rule allow access to the Internet, thats it.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-lab-guide/m-p/214429#M40929

Re: Allowing web access

Ihenock1011 — Tue, 13 Aug 2024 13:46:59 GMT

Thanks, Andy. You've been very helpful always. That means for every access allowed/blocked on the firewall blade there must be equivalent rule on the app/url blade?

Re: Allowing web access

the_rock — Tue, 13 Aug 2024 14:14:29 GMT

Yes and no. The whole point of doing it blacklist way and NOT whitelist way in urlf layer is because IF you say had any any drop at bottom of that layer, ALL traffic would get dropped, as it has to be allowed on EVERY ordered layer. So say, just as a stupid example, if someone had 100 ordered layers and traffic was allowed on 99 of them and last, 100th layer had any any drop at the bottom, EVERYTHING would be dropped.

Makes sense?

Also, keep in mind that its better traffic processing for urlf blade when you do blacklist approach, because first network later, you allow traffic to the Internet, but since traffic has to traverse EVERY ordered layer, you block whoever you need to block from getting to whatever site in that 2nd layer you see in my guide.

Andy

Re: Allowing web access

the_rock — Tue, 13 Aug 2024 14:15:13 GMT

Does that help @Ihenock1011 , or would you feel more comfortable if we did remote, so I can show you my lab? Though my lab is pretty much same as what I put in the screenshots.

Andy

Re: Allowing web access

Ihenock1011 — Tue, 13 Aug 2024 14:21:17 GMT

@the_rock It helps a lot, but I would love to see it demonstrated in a lab practical. We can do it tomorrow 14/2024 8:00AM-5:00PM. send me the link on private message thanks a lot.

Re: Allowing web access

the_rock — Tue, 13 Aug 2024 15:17:40 GMT

Just message me directly tomorrow.

Andy

Re: Allowing web access

PhoneBoy — Tue, 13 Aug 2024 17:58:10 GMT

Depends on if you want to allow access to all websites (in which case, yes), or only specific ones (e.g. not social media).
In the latter case, you'll need to use App Control/URL Filtering, possibly with HTTPS Inspection.

I'm actually planning to do a session on Web Filtering Best Practices here in the next couple of weeks.
Keep an eye on our event calendar 🙂

Re: Allowing web access

the_rock — Tue, 13 Aug 2024 20:38:27 GMT

@PhoneBoy

Just wanted to say this, as customer joked with me couple of weeks back, he said would it not be cool if Phoneboy "dumped" all his webinars into public link and then he sort of laughed about it , but honestly, I think that would be AWESOME. I know there are people on youtube who actually compile all their videos into public link/forum and if you did the same, Im sure everyone would be happy...just saying 🙂

Andy