topic Re: Application filter based on risk - do not include URL... in General Topics

Application filter based on risk - do not include URL...

maad-pul — Wed, 21 May 2025 10:20:56 GMT

Hi All!

I have a customer that have exported a list from https://appwiki.checkpoint.com/appwikisdb/public.htm.

The customer will deny and permit some application based on Risk 3-5 (Medium, High, Critical), around applications 50 should be permitted and the rest denied.

I have tried to figured our how I can build an policy for that...

I have created an Application/Site Group with "permitted" Applications and after that I have created a drop for "Critical Risk, High Risk and Medium Risk", my problem is that above Categories also includeds URLs that shouldn´t be dropped.

How can I accomplishabove? To create a group with 10000 applications and drop them seems like the only solution that I have found, which will not be updated with new applications.

Do Check Point offer some kind of pre-defined group for "All Applications" or "Appplication Risk without URLs" that I haven´t found?

Regards

Mattias

Re: Application filter based on risk - do not include URL...

PhoneBoy — Wed, 21 May 2025 12:54:14 GMT

The Risk categories you can use in objects refer to specific applications for which we have a signature (eg AppWiki).
They do not refer to URLs in general, for which you must use one of the URL filtering categories: https://usercenter.checkpoint.com/ucapps/

If your goal is to allow only specific sites and deny the rest, you want explicit allow rules created for those sites and those sites only.

Re: Application filter based on risk - do not include URL...

maad-pul — Wed, 21 May 2025 15:31:00 GMT

Well, Risk categories also included URL Filtering according to https://usercenter.checkpoint.com/ucapps/urlcat/categories

Medium Risk

Applications and Websites that may be misused and cause data leak / malware infection.

Which mean if a use the "Medium Risk" for Dropping Risk 3 (Medium Risk) Applications, I will also drop URLs that Check Point has categories in that section, my intention is just to drop application and I can´t find a nice way to bulid that filter....

Do you understand my problem?

Re: Application filter based on risk - do not include URL...

PhoneBoy — Wed, 21 May 2025 15:51:36 GMT

If you are creating block rules based on broad categories, you may have to make exceptions to permit certain access.
There's a couple ways to do this:

A rule proceeding your block rule that explicitly permits access to the specific site/application (either pre-defined or custom).
Creating a local categorization override: https://support.checkpoint.com/results/sk/sk98489

Re: Application filter based on risk - do not include URL...

maad-pul — Wed, 21 May 2025 15:55:22 GMT

Thanks for information! A Feature Request from me would be to have a either pre-defined object with "All Applications" or segment Risk Categories by Application and URL.

Re: Application filter based on risk - do not include URL...

PhoneBoy — Wed, 21 May 2025 18:48:57 GMT

For URL Filtering, there is a category called "URL Filtering" that matches anything in our URL Filtering database.
There is also an "Uncategorized" category that matches stuff that isn't there.
Also, the assumption is that URL Filtering is using specific web-based ports only.

Applications include things that aren't strictly Web Applications and/or don't use standard web ports.
Allowing access to "All Applications" would also allow access over the relevant ports as well, which would be overly broad and may create performance and/or security issues..
Also note that some application signatures do not work fully unless HTTPS Inspection is used.
Application categories/signatures must be explicitly permitted as a result.