This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
net-harry
Collaborator
‎2020-11-18 05:10 AM

Outbound Internet access firewall feature recommendations

Hi,

We have multiple Check Point security gateways for different purposes in our infrastructure.

The firewalls that we currently use for outbound Internet access have limited performance and we want to optimize the features that we have enabled on them. Currently we have the following features enabled for different use cases:

  • URL filtering
  • Application control
  • Custom Applications/Sites
  • Domain objects
  • Updateable objects
  • Anti-Bot


We are considering HTTPS inspection, but for now we are only using Categorize HTTPS sites. At the moment we are not planning to use Threat Extraction, Content Awareness, Identity Awareness, Anti-virus/Anti-spam or Data Loss Prevention.

Are there any other features (e.g. IPS features to prevent DNS and ICMP tunneling) that you would recommend that we implement? We would prefer to not enable the full IPS features since this could have a high CPU impact and many signatures would not be relevant for outbound Internet access.

I am aware that a best practices document has been shared in the following thread, but it does not contain many technical details.

https://community.checkpoint.com/t5/General-Topics/White-Paper-Internet-Web-Access-Security-Best-Pra...


We are currently using R80.20 take 183, but are planning to upgrade to R80.40.

Thanks for your help!

Best regards,

Harry

0 Kudos
4 Replies
JoSec
Collaborator
‎2020-11-18 05:35 AM

I would talk to your Checkpoint Account SE and they can utilize a tool from Checkpoint to enter the number of users/hosts and what blades you want to enable and produce an output on the impact. Regarding Threat Prevention you can review the Threat Prevention guide and review the profiles provided by Checkpoint, one of which is Optimized, and see if that meets you needs. Also, I'm sure you know, to get a baseline on performance before you enable any blades and after they are enabled, As an alternative since it is only outbound access, you could create to site to site VPN tunnels and connect to a CloudGuard Connect instance which would offload the Threat prevention blade processing  but currently CG is quite  limited since you cannot create Threat Prevention exceptions or utilize updateable objects and to note, I have not done this but have been reviewing the features. Create an account at portal.checkpoint.com to demo CG or just see the features but definitely contact your account SE for questions.

net-harry
Collaborator
‎2020-11-21 03:41 AM
In response to JoSec

Thank you @JoSec for the suggestion. We will try to see if the sales engineer can help us with tool and performance impact.

It would however also be interesting to get feedback from the community about specific IPS signatures or other features that are useful for controlling outbound Internet access.

Best regards,

Harry

0 Kudos
PhoneBoy
Admin
Admin
‎2020-11-21 06:41 PM

You’re already taken the major performance impact (over firewall only) by enabling App Control/URL Filtering and Anti-Bot, which use the same content inspection engines that IPS uses.
Enabling IPS with an Optimized profile won’t impact your performance too much (maybe a few percentage points).
I second the recommendation to get with your local Check Point SE.

net-harry
Collaborator
‎2020-11-22 12:29 AM
In response to PhoneBoy

Thanks @PhoneBoy for the information.

We will try to enable IPS using the Optimized profile and check with our local Check Point SE.

Thanks for your help!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events