https://community.checkpoint.com/t5/General-Topics/Rewriting-internet-access-policy/m-p/256224#M43144 <P>Our current rule base is pretty old, two ordered layers - access and appcontrol\url, and i'm going to rewrite utilizing just one combined layer.&nbsp; A few questions</P> <UL> <LI>Our current representation of the internet in policy is a negated group of all internal networks.&nbsp; I want to start using the "internet" object but seeing unexpected behavior.&nbsp; My understanding of this object is any traffic that leaves on an "external" interface, that doesn't go through a VPN.&nbsp; But..i'm seeing traffic that leaves on the external interface via a 2s2 tunnel being caught by this rule.&nbsp; The tunnel is managed by our management server.&nbsp; Is this considered correct behavior?</LI> </UL> <P>&nbsp;</P> <UL> <LI>All relevant blades are enabled: https inspection, app control, url filtering. <UL> <LI>Let's say for O365 - would y'all use the "Office365 Worldwide Services" updatable object, or the "Microsoft &amp; Office365 Services" url category, or the many application objects?&nbsp; What's really the difference between these 3 very different methods of allowing traffic?</LI> </UL> </LI> </UL> <P>Many thanks.</P> <P>&nbsp;</P> <P>I just noticed that i show many more URL categories in dashboard than are listed on this URL:&nbsp;&nbsp;<A href="https://usercenter.checkpoint.com/ucapps/urlcat/categories" target="_blank">https://usercenter.checkpoint.com/ucapps/urlcat/categories</A>.&nbsp; Does anyone know if there is an updated list somewhere, i need to forward on to a few folks.&nbsp; thanks</P> Fri, 29 Aug 2025 18:49:15 GMT D_TK 2025-08-29T18:49:15Z https://community.checkpoint.com/t5/General-Topics/Rewriting-internet-access-policy/m-p/256224#M43144 <P>Our current rule base is pretty old, two ordered layers - access and appcontrol\url, and i'm going to rewrite utilizing just one combined layer.&nbsp; A few questions</P> <UL> <LI>Our current representation of the internet in policy is a negated group of all internal networks.&nbsp; I want to start using the "internet" object but seeing unexpected behavior.&nbsp; My understanding of this object is any traffic that leaves on an "external" interface, that doesn't go through a VPN.&nbsp; But..i'm seeing traffic that leaves on the external interface via a 2s2 tunnel being caught by this rule.&nbsp; The tunnel is managed by our management server.&nbsp; Is this considered correct behavior?</LI> </UL> <P>&nbsp;</P> <UL> <LI>All relevant blades are enabled: https inspection, app control, url filtering. <UL> <LI>Let's say for O365 - would y'all use the "Office365 Worldwide Services" updatable object, or the "Microsoft &amp; Office365 Services" url category, or the many application objects?&nbsp; What's really the difference between these 3 very different methods of allowing traffic?</LI> </UL> </LI> </UL> <P>Many thanks.</P> <P>&nbsp;</P> <P>I just noticed that i show many more URL categories in dashboard than are listed on this URL:&nbsp;&nbsp;<A href="https://usercenter.checkpoint.com/ucapps/urlcat/categories" target="_blank">https://usercenter.checkpoint.com/ucapps/urlcat/categories</A>.&nbsp; Does anyone know if there is an updated list somewhere, i need to forward on to a few folks.&nbsp; thanks</P> Fri, 29 Aug 2025 18:49:15 GMT https://community.checkpoint.com/t5/General-Topics/Rewriting-internet-access-policy/m-p/256224#M43144 D_TK 2025-08-29T18:49:15Z https://community.checkpoint.com/t5/General-Topics/Rewriting-internet-access-policy/m-p/256226#M43145 <P>If I were you, I would do this...but this is just my personal opnion, though I have not had any issues with this approach in the lab or any clients.</P> <P>1) in ordered network layer, just have as many inline layers as needed, representing each interface (tied to a zone) and remove any rules with 0 hits, just to clean it up</P> <P>2) have urlf + appc layer, with simply those blades enabled and yes, you can use Internet object as destination</P> <P>Just make sure traffic is allowed on all ordered layers, ie you can have any any allow at the bottom of the last ordered layer, thats fine.</P> <P>I attached doc I made while back with some screenshots. I know its related to https inspection, but you get an idea.</P> <P>Andy</P> Fri, 29 Aug 2025 19:05:07 GMT https://community.checkpoint.com/t5/General-Topics/Rewriting-internet-access-policy/m-p/256226#M43145 the_rock 2025-08-29T19:05:07Z https://community.checkpoint.com/t5/General-Topics/Rewriting-internet-access-policy/m-p/256231#M43147 <P>Updatable Objects fundamentally use a programmatic list provided by the vendor.<BR />Updatable Objects do not require advanced blades to use, but if the Updatable Object is wrong, you may miss something.</P> <P>Microsoft &amp; Office365 Services uses Application Control signatures similar to the individual app signatures, which are there for granularity sake.<BR />This isn't tied to IP addresses, but it definitely requires App Control/URL Filtering, which means traffic must pass through Medium Path to be properly detected.<BR />App Control is definitely required to restrict Office 365 to a specific tenant:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk146993" target="_blank">https://support.checkpoint.com/results/sk/sk146993</A>&nbsp;</P> <P>There are actually two types of categories: App Control categories (which use signatures) and URL Filtering categories (which are by URL).<BR />They are shown together in the UI.</P> Fri, 29 Aug 2025 21:03:35 GMT https://community.checkpoint.com/t5/General-Topics/Rewriting-internet-access-policy/m-p/256231#M43147 PhoneBoy 2025-08-29T21:03:35Z