This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ihenock1011
Advisor
‎2024-08-13 06:13 AM

Allowing web access

Hi All,

I want to allow web access for a user. Will allowing HTTPS traffic on the firewall blade grant web access, or is it necessary to also allow specific websites or applications in the app/URL blade? 

Thanks

0 Kudos
10 Replies
the_rock
Legend
Legend
‎2024-08-13 06:30 AM

Sounds like you want to allow them access to any site?

0 Kudos
Ihenock1011
Advisor
‎2024-08-13 06:36 AM
In response to the_rock

@the_rock Yea but not social media web access only.

0 Kudos
the_rock
Legend
Legend
‎2024-08-13 06:41 AM
In response to Ihenock1011

See if my post below helps, except you can skip ssl inspection part, but thats sort of the point for https sites. Anyway, in your case, you need url filtering enabled,you can block social media category, BUT, it will look goofy when user sees it, as block page will NEVER come up without ssl inspection enabled. So, first rule block that category, make sure urlf is enabled on the layer, then 2nd rule allow access to the Internet, thats it.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-lab-guide/m-p/214429#M40929

0 Kudos
Ihenock1011
Advisor
‎2024-08-13 06:46 AM
In response to the_rock

Thanks, Andy. You've been very helpful always. That means for every access allowed/blocked on the firewall blade there must be equivalent rule on the app/url blade?

0 Kudos
the_rock
Legend
Legend
‎2024-08-13 06:57 AM
In response to Ihenock1011

Yes and no. The whole point of doing it blacklist way and NOT whitelist way in urlf layer is because IF you say had any any drop at bottom of that layer, ALL traffic would get dropped, as it has to be allowed on EVERY ordered layer. So say, just as a stupid example, if someone had 100 ordered layers and traffic was allowed on 99 of them and last, 100th layer had any any drop at the bottom, EVERYTHING would be dropped.

Makes sense?

Also, keep in mind that its better traffic processing for urlf blade when you do blacklist approach, because first network later, you allow traffic to the Internet, but since traffic has to traverse EVERY ordered layer, you block whoever you need to block from getting to whatever site in that 2nd layer you see in my guide.

Andy

the_rock
Legend
Legend
‎2024-08-13 07:15 AM
In response to the_rock

Does that help @Ihenock1011 , or would you feel more comfortable if we did remote, so I can show you my lab? Though my lab is pretty much same as what I put in the screenshots.

Andy

0 Kudos
Ihenock1011
Advisor
‎2024-08-13 07:21 AM
In response to the_rock

@the_rock It helps a lot, but I would love to see it demonstrated in a lab practical. We can do it tomorrow 14/2024 8:00AM-5:00PM. send me the link on private message thanks a lot.

0 Kudos
the_rock
Legend
Legend
‎2024-08-13 08:17 AM
In response to Ihenock1011

Just message me directly tomorrow.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-13 10:58 AM

Depends on if you want to allow access to all websites (in which case, yes), or only specific ones (e.g. not social media).
In the latter case, you'll need to use App Control/URL Filtering, possibly with HTTPS Inspection.

I'm actually planning to do a session on Web Filtering Best Practices here in the next couple of weeks.
Keep an eye on our event calendar 🙂

the_rock
Legend
Legend
‎2024-08-13 01:38 PM
In response to PhoneBoy

@PhoneBoy 

Just wanted to say this, as customer joked with me couple of weeks back, he said would it not be cool if Phoneboy "dumped" all his webinars into public link and then he sort of laughed about it , but honestly, I think that would be AWESOME. I know there are people on youtube who actually compile all their videos into public link/forum and if you did the same, Im sure everyone would be happy...just saying 🙂

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events