Application Control in R77
I understand that in R77, traffic will hit the firewall rule first and after that the Application Control rules apply.
If I would like a group of IP addresses to hit the firewall rule and then hit the Application Control rules (allow these IP addresses to access some domain objects, for instance *.google.com),
and the rest of the internal IP addresses only need to hit the firewall rule,
is it possible and how do I set it up?
Thanks in advance
Cathy
The source for all the rules you create should be in terms of the hosts you wish to subject to Application Control.
In R77.x, the implicit (last) rule is an Allow rule (not a Drop rule like in the Firewall policy).
Connections accepted by this implicit accept rule should remain in the SecureXL path.
At least that's how it appears to work per the following SK: Accelerating traffic with the Security Acceleration Module (SAM) while also using non-accelerated bl...
Thanks Dameon. I had a look at the SK: "Configure a group of networks under the policy rule to be scanned by the Application Control and URL Filtering Blade." How do I set up the firewall rule to configure a group of IP addresses to be scanned by Application Control and URL Filtering? Currently, I have 60 firewall rules, and the implicit firewall rule is deny any any.
Basically what the SK is saying is, for the pictured example:
- Networks/Hosts mentioned in the group Groups_Networks_XYZ will be subject to Application Control and will flow through the Medium Path
- Anything NOT listed in Groups_Networks_XYZ will be matched by the explicit rule, and thus remain in the SecureXL path
The main thing is to make sure no explicit Application Control rules match the traffic you want to remain in the SecureXL path.
In other words, make sure your Application Control rulebase makes no mention of the hosts whose traffic you want to remain in the SecureXL path.
If you don't want specific hosts to reach the Internet, they should be blocked from doing so in the Firewall rulebase.
Create a group that includes the host/networks you wish to subject to Application Control.
Ensure that is listed as the Source for all of the Application Control rules you wish to create.
This will ensure that only the hosts you explicitly list will be subject to Application Control (and thus be in the Medium Path).
All other sources will not be subject to Application Control and should remain in the SecureXL path, if eligible.
Note this assumes that the relevant hosts/networks are permitted to access the Internet via the Firewall rulebase, which must accept the traffic before Application Control even sees it.
Hi Dameon,
Thanks for your help. The Application Control works perfectly.
Just one more question re the regular expression:
If I would like to allow HTTP and HTTPS traffic to example.com and all subdomains of example.com, can I use the wildcard
*.example.com in the Application Control policy?
For that to work correctly, you will probably need to have HTTPS Inspection enabled.
You could implement a version of this: Regex for TLD Blocks, but use the full domain instead of the TLD.
It's possible that Categorize HTTPS Sites may work depending on the site with a custom signature.
See: Signature Tool for custom Application Control and URL Filtering applications
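An added example, not from this thread or from Check Point, showing in plain Python why the domain pattern needs anchoring: the anchored regex covers example.com and every subdomain and nothing else, while a literal translation of the wildcard to ".*example\.com" also accepts unrelated hosts that merely contain the text. The host names are constructed, and this is generic regex, not Check Point's own regex dialect or policy-object syntax.

```python
import re
from urllib.parse import urlsplit

# Anchored: exactly example.com, or any chain of DNS labels followed by
# ".example.com". Labels are letters, digits and hyphens.
SCOPED = re.compile(r"^(?:[a-z0-9-]+\.)*example\.com$", re.IGNORECASE)

# Literal translation of the wildcard "*.example.com" with no anchors: a
# substring search with this pattern accepts any host containing the text.
NAIVE = re.compile(r".*example\.com", re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Lowercase host of a URL or bare host name (port and path dropped)."""
    if "://" not in url:
        url = "//" + url          # let urlsplit treat a bare host as netloc
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def in_scope(url: str, pattern: re.Pattern = SCOPED) -> bool:
    """True if the URL's host is matched by the anchored pattern."""
    return pattern.fullmatch(hostname_of(url)) is not None


def naive_match(url: str) -> bool:
    """What the unanchored pattern accepts via a substring search."""
    return NAIVE.search(hostname_of(url)) is not None


def compare(urls):
    """Return {host: (scoped, naive)} so the two behaviours can be diffed."""
    return {hostname_of(u): (in_scope(u), naive_match(u)) for u in urls}


if __name__ == "__main__":
    SAMPLE = [                      # constructed sample hosts
        "https://example.com/",
        "https://mail.example.com:443/inbox",
        "a.b.example.com",
        "notexample.com",           # different registrable domain
        "example.com.test",         # different domain, same prefix
    ]
    for host, (scoped, naive) in compare(SAMPLE).items():
        print(f"{host:24} scoped={scoped!s:5} naive={naive}")
```

The last two sample hosts are where an unanchored pattern silently widens the allow rule to domains you never intended to permit.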
Thanks Dameon. My concern is, if I enable HTTPS Inspection, will it impact the Check Point performance?
If the HTTPS traffic is non-browser traffic, will the HTTPS Inspection still work?
HTTPS Inspection has a performance impact for sure.
It may also impact non-browser HTTPS Traffic, which you can create exceptions for and/or enable Probe Bypass for.
