lluner
Advisor

Custom rules application control?

Has anyone tested the custom rules in the application control? Honestly, I've tested everything and the custom rules don't work; only the rules defined in "app rules" work. For example: I want to create a rule that blocks all versions of Firefox.

0 Kudos
1 Solution

Accepted Solutions
RS_Daniel
Advisor

Hi,

Just tested with field Issued to and worked fine, attaching the test rule I used. Version E89.05.


26 Replies
Chris_Atkinson
MVP Platinum CHKP

Can you please clarify what you define as being a "custom rule" and more specifically if this is being tested with / without HTTPS inspection and with what gateway version & JHF etc?

/Edit: Noted this is an Endpoint query.

CCSM R77/R80/ELITE
0 Kudos
lluner
Advisor

@Chris_Atkinson 

These custom rules don't work; only the app rules work. See the images below.

Version89.05.5018.png

app_rules.png

2025-12-02_12-44.png

0 Kudos
the_rock
MVP Platinum

Hey brother,

Mind sending a screenshot as an example of what you tested?

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold

 

EDIT:

My reply below is about the Check Point Security Gateway capabilities and not Harmony Endpoint App Control capabilities.

I wonder if AppScan could help here.

-------------------------

Works for me

R82

No https inspection

New connection - first time Firefox is used - no caching

Firefox browser is blocked.

 

No-Firefox-rule.png

 

No-Firefox-log.png

the_rock
MVP Platinum

I actually tried the same in my lab, Don, and it also blocked the incognito window, so it definitely works. But I have a feeling @lluner was referring to endpoint policy, just my impression based on what was posted.

Best,
Andy
Don_Paterson
MVP Gold

Ah, oops. I didn't spot that it is in the Endpoint forum.

Thanks for that.

0 Kudos
lluner
Advisor

@the_rock 

The issue is that the blocking occurs at the Harmony Endpoint, not at the gateway checkpoint.

the_rock
MVP Platinum

That's what I figured based on your screenshots. Did you open a TAC case yet?

Best,
Andy
0 Kudos
lluner
Advisor

@the_rock 

I'm first trying to see if anyone can configure these settings and provide an example.

0 Kudos
the_rock
MVP Platinum

Let me ask one of my colleagues, I have a call with him in a few mins, he is very good with endpoint. Will update you after.

Best,
Andy
0 Kudos
lluner
Advisor

@Don_Paterson 

I've already tried using AppScan, and it works. The problem is that you need to create a custom rule for multiple versions of Adobe, Firefox, or 7-Zip. Using AppScan becomes impractical.

the_rock
MVP Platinum

This is what my colleague showed me, not sure if you tried it or not.

Screenshot_1.png

 

Screenshot_2.png

Best,
Andy
0 Kudos
lluner
Advisor

@the_rock 

I've tried everything to block Adobe and other applications, but nothing works.

2025-12-02_16-24.png

2025-12-02_16-23_1.png

2025-12-02_16-23.png

0 Kudos
the_rock
MVP Platinum

So regardless of which application you try, same result?

Best,
Andy
0 Kudos
lluner
Advisor

@the_rock 

Yes, I've tried everything. I tried following the manual exactly, but it doesn't work. It only works when I use AppScan, import the file, and then block it. 

Configuring Application Permissions in the Application Control Policy

It only works by uploading the AppScan XML file. The "custom rules" option doesn't work at all.

Below are the application control logs using the AppScan XML file.

2025-12-03_08-12.png

0 Kudos
the_rock
MVP Platinum

I would definitely open a TAC case and reference this post.

Best,
Andy
0 Kudos
lluner
Advisor

@the_rock 

That's what I'm going to do; I've already opened a ticket with a partner. I'll keep you updated here.

the_rock
MVP Platinum

I will check with my colleague again, but I can tell by the things you post and try about Harmony Endpoint that you are very FAMILIAR with it, so I trust all you did. Please keep us posted.

Excellent work, as always.

Best,
Andy
0 Kudos
RS_Daniel
Advisor

Hello,

We usually block apps using the field Issued To, and that blocks all versions of the app. You can check on a couple of different versions of Firefox to check if the cert matches, just to double check. In some tests, we saw that the "Application Name" field is actually the name of the process running on Windows, so for Adobe I think you can use "Acrobat.exe" on your rule. Attaching an example to block Opera. HTH.

0 Kudos
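
Added example (not part of the thread, and not Check Point code): a PowerShell check of the two values the reply above refers to, the signer certificate's "Issued to" name and the process file name, across installed copies of an application. The file paths are assumptions, as is the premise that the rule's Issued To field is compared against the signing certificate's subject name.

```powershell
# Added example, not from the thread. Paths are assumptions: point them at the
# executables (ideally several versions) you intend to block.
$Paths = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Program Files (x86)\Mozilla Firefox\firefox.exe',
    'C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe'
)

function Get-IssuedTo {
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    if ($null -eq $sig.SignerCertificate) { return $null }   # unsigned file
    # SimpleName of the subject is what the Windows certificate dialog
    # displays as "Issued to".
    $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    return $sig.SignerCertificate.GetNameInfo($type, $false)
}

$rows = @(foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        Write-Warning "Not found, skipped: $p"
        continue
    }
    $file = Get-Item -LiteralPath $p
    [pscustomobject]@{
        ProcessName = $file.Name                      # e.g. firefox.exe
        FileVersion = $file.VersionInfo.FileVersion
        IssuedTo    = Get-IssuedTo -FilePath $p
    }
})

$rows | Format-Table -AutoSize

# One Issued To value per process name means a single rule covers every
# version checked; more than one (or none) means the rule needs another look.
$rows | Group-Object ProcessName | ForEach-Object {
    $names    = @($_.Group.IssuedTo | Where-Object { $_ } | Sort-Object -Unique)
    $unsigned = @($_.Group | Where-Object { -not $_.IssuedTo }).Count
    [pscustomobject]@{
        ProcessName    = $_.Name
        CopiesChecked  = $_.Count
        UnsignedCopies = $unsigned
        IssuedToValues = $names -join ' | '
        SingleRuleFits = ($names.Count -eq 1 -and $unsigned -eq 0)
    }
} | Format-Table -AutoSize
```

Run it on an endpoint that has the target versions installed; unsigned copies show an empty IssuedTo and cannot be matched on that field.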
the_rock
MVP Platinum

Hey Daniel,

Just for my own knowledge, what is the key field in a custom rule for it to work?

Best,
Andy
0 Kudos
lluner
Advisor

@RS_Daniel 

I've already tested all of that. I only see one thing: the endpoint version. What version are you using?

 

2025-12-03_11-11.png

0 Kudos
the_rock
MVP Platinum

So no change regardless of what app is used?

Best,
Andy
0 Kudos
RS_Daniel
Advisor

Hi,

Just tested with field Issued to and worked fine, attaching the test rule I used. Version E89.05.

the_rock
MVP Platinum

I wonder if that field has to be 100% correct, since I just tried Mozilla, without corporation, but no joy.

Best,
Andy
0 Kudos
lluner
Advisor

@RS_Daniel  

It worked. Thanks for the help.

the_rock
MVP Platinum

Excellent!

Best,
Andy
0 Kudos
