Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ihenock1011
Advisor

Allowing web access

Hi All,

I want to allow web access for a user. Will allowing HTTPS traffic on the firewall blade grant web access, or is it necessary to also allow specific websites or applications in the app/URL blade? 

Thanks

0 Kudos
10 Replies
the_rock
Legend
Legend

Sounds like you want to allow them access to any site?

0 Kudos
Ihenock1011
Advisor

@the_rock Yea but not social media web access only.

0 Kudos
the_rock
Legend
Legend

See if my post below helps, except you can skip ssl inspection part, but thats sort of the point for https sites. Anyway, in your case, you need url filtering enabled,you can block social media category, BUT, it will look goofy when user sees it, as block page will NEVER come up without ssl inspection enabled. So, first rule block that category, make sure urlf is enabled on the layer, then 2nd rule allow access to the Internet, thats it.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-lab-guide/m-p/214429#M40929

0 Kudos
Ihenock1011
Advisor

Thanks, Andy. You've been very helpful always. That means for every access allowed/blocked on the firewall blade there must be equivalent rule on the app/url blade?

0 Kudos
the_rock
Legend
Legend

Yes and no. The whole point of doing it blacklist way and NOT whitelist way in urlf layer is because IF you say had any any drop at bottom of that layer, ALL traffic would get dropped, as it has to be allowed on EVERY ordered layer. So say, just as a stupid example, if someone had 100 ordered layers and traffic was allowed on 99 of them and last, 100th layer had any any drop at the bottom, EVERYTHING would be dropped.

Makes sense?

Also, keep in mind that its better traffic processing for urlf blade when you do blacklist approach, because first network later, you allow traffic to the Internet, but since traffic has to traverse EVERY ordered layer, you block whoever you need to block from getting to whatever site in that 2nd layer you see in my guide.

Andy

the_rock
Legend
Legend

Does that help @Ihenock1011 , or would you feel more comfortable if we did remote, so I can show you my lab? Though my lab is pretty much same as what I put in the screenshots.

Andy

0 Kudos
Ihenock1011
Advisor

@the_rock It helps a lot, but I would love to see it demonstrated in a lab practical. We can do it tomorrow 14/2024 8:00AM-5:00PM. send me the link on private message thanks a lot.

0 Kudos
the_rock
Legend
Legend

Just message me directly tomorrow.

Andy

0 Kudos
PhoneBoy
Admin
Admin

Depends on if you want to allow access to all websites (in which case, yes), or only specific ones (e.g. not social media).
In the latter case, you'll need to use App Control/URL Filtering, possibly with HTTPS Inspection.

I'm actually planning to do a session on Web Filtering Best Practices here in the next couple of weeks.
Keep an eye on our event calendar 🙂

the_rock
Legend
Legend

@PhoneBoy 

Just wanted to say this, as customer joked with me couple of weeks back, he said would it not be cool if Phoneboy "dumped" all his webinars into public link and then he sort of laughed about it , but honestly, I think that would be AWESOME. I know there are people on youtube who actually compile all their videos into public link/forum and if you did the same, Im sure everyone would be happy...just saying 🙂

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events