Ihenock1011
Collaborator

Allowing web access

Hi All,

I want to allow web access for a user. Will allowing HTTPS traffic on the firewall blade grant web access, or is it necessary to also allow specific websites or applications in the app/URL blade? 

Thanks

0 Kudos
10 Replies
the_rock
Legend

Sounds like you want to allow them access to any site?

0 Kudos
Ihenock1011
Collaborator

@the_rock Yea but not social media web access only.

0 Kudos
the_rock
Legend

See if my post below helps, except you can skip the SSL inspection part, but that's sort of the point for HTTPS sites. Anyway, in your case, you need URL filtering enabled, you can block the social media category, BUT, it will look goofy when the user sees it, as the block page will NEVER come up without SSL inspection enabled. So, first rule block that category, make sure urlf is enabled on the layer, then 2nd rule allow access to the Internet, that's it.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-lab-guide/m-p/214429#M40929

0 Kudos
Ihenock1011
Collaborator

Thanks, Andy. You've always been very helpful. That means for every access allowed/blocked on the firewall blade there must be an equivalent rule on the app/URL blade?

0 Kudos
the_rock
Legend

Yes and no. The whole point of doing it blacklist way and NOT whitelist way in urlf layer is because IF you say had any any drop at bottom of that layer, ALL traffic would get dropped, as it has to be allowed on EVERY ordered layer. So say, just as a stupid example, if someone had 100 ordered layers and traffic was allowed on 99 of them and last, 100th layer had any any drop at the bottom, EVERYTHING would be dropped.

Makes sense?

Also, keep in mind that it's better traffic processing for the urlf blade when you do the blacklist approach, because in the first network layer, you allow traffic to the Internet, but since traffic has to traverse EVERY ordered layer, you block whoever you need to block from getting to whatever site in that 2nd layer you see in my guide.

Andy
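
Added example (not part of the thread and not Check Point code): a simplified model of the ordered-layer behaviour described in the reply above, showing why a blacklist URL filtering layer passes general web traffic while a whitelist layer ending in an any/any drop does not. The rulebases, category names and the "no match means drop" default are assumptions made for illustration.

```python
# Simplified model of ordered policy layers (an illustration, not vendor code):
# the first matching rule decides within a layer, and a connection is allowed
# only if EVERY ordered layer accepts it.

ANY = "any"

def layer_verdict(rules, conn):
    """Return the action of the first rule in the layer that matches conn."""
    for service, category, action in rules:
        if service in (ANY, conn["service"]) and category in (ANY, conn["category"]):
            return action
    return "drop"  # assumed default for this model when nothing matches

def policy_verdict(layers, conn):
    """Walk the layers in order; stop at the first layer that does not accept."""
    for name, rules in layers:
        if layer_verdict(rules, conn) != "accept":
            return ("drop", name)
    return ("accept", None)

# Constructed rulebases: (service, URL category, action).
NETWORK = [("https", ANY, "accept"), ("http", ANY, "accept"), (ANY, ANY, "drop")]
# Blacklist style: block the unwanted category, then allow the rest.
URLF_BLACKLIST = [(ANY, "social-networking", "drop"), (ANY, ANY, "accept")]
# Whitelist style: allow one category, any/any drop at the bottom.
URLF_WHITELIST = [(ANY, "business", "accept"), (ANY, ANY, "drop")]

BLACKLIST_POLICY = [("network", NETWORK), ("urlf", URLF_BLACKLIST)]
WHITELIST_POLICY = [("network", NETWORK), ("urlf", URLF_WHITELIST)]

# Constructed sample connections.
NEWS = {"service": "https", "category": "news"}
SOCIAL = {"service": "https", "category": "social-networking"}
SSH = {"service": "ssh", "category": "none"}

if __name__ == "__main__":
    for label, policy in (("blacklist", BLACKLIST_POLICY), ("whitelist", WHITELIST_POLICY)):
        for conn in (NEWS, SOCIAL, SSH):
            verdict, layer = policy_verdict(policy, conn)
            print(f"{label:9} {conn['service']:5} {conn['category']:17} -> {verdict} {layer or ''}")
```

In the whitelist policy the news site is accepted by the network layer and still dropped, because the second layer's any/any drop is the first match there.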

the_rock
Legend

Does that help, @Ihenock1011, or would you feel more comfortable if we did a remote session, so I can show you my lab? Though my lab is pretty much the same as what I put in the screenshots.

Andy

0 Kudos
Ihenock1011
Collaborator

@the_rock It helps a lot, but I would love to see it demonstrated in a lab practical. We can do it tomorrow 14/2024 8:00AM-5:00PM. Send me the link by private message. Thanks a lot.

0 Kudos
the_rock
Legend

Just message me directly tomorrow.

Andy

0 Kudos
PhoneBoy
Admin

Depends on if you want to allow access to all websites (in which case, yes), or only specific ones (e.g. not social media).
In the latter case, you'll need to use App Control/URL Filtering, possibly with HTTPS Inspection.

I'm actually planning to do a session on Web Filtering Best Practices here in the next couple of weeks.
Keep an eye on our event calendar 🙂

the_rock
Legend

@PhoneBoy 

Just wanted to say this, as a customer joked with me a couple of weeks back, he said would it not be cool if PhoneBoy "dumped" all his webinars into a public link, and then he sort of laughed about it, but honestly, I think that would be AWESOME. I know there are people on YouTube who actually compile all their videos into a public link/forum, and if you did the same, I'm sure everyone would be happy... just saying 🙂

Andy

0 Kudos
