Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Contributor

Outbound Internet access firewall feature recommendations

Hi,

We have multiple Check Point security gateways for different purposes in our infrastructure.

The firewalls that we currently use for outbound Internet access have limited performance and we want to optimize the features that we have enabled on them. Currently we have the following features enabled for different use cases:

  • URL filtering
  • Application control
  • Custom Applications/Sites
  • Domain objects
  • Updateable objects
  • Anti-Bot


We are considering HTTPS inspection, but for now we are only using Categorize HTTPS sites. At the moment we are not planning to use Threat Extraction, Content Awareness, Identity Awareness, Anti-virus/Anti-spam or Data Loss Prevention.

Are there any other features (e.g. IPS features to prevent DNS and ICMP tunneling) that you would recommend that we implement? We would prefer to not enable the full IPS features since this could have a high CPU impact and many signatures would not be relevant for outbound Internet access.

I am aware that a best practices document has been shared in the following thread, but it does not contain many technical details.

https://community.checkpoint.com/t5/General-Topics/White-Paper-Internet-Web-Access-Security-Best-Pra...


We are currently using R80.20 take 183, but are planning to upgrade to R80.40.

Thanks for your help!

Best regards,

Harry

0 Kudos
Reply
4 Replies
Contributor

I would talk to your Checkpoint Account SE and they can utilize a tool from Checkpoint to enter the number of users/hosts and what blades you want to enable and produce an output on the impact. Regarding Threat Prevention you can review the Threat Prevention guide and review the profiles provided by Checkpoint, one of which is Optimized, and see if that meets you needs. Also, I'm sure you know, to get a baseline on performance before you enable any blades and after they are enabled, As an alternative since it is only outbound access, you could create to site to site VPN tunnels and connect to a CloudGuard Connect instance which would offload the Threat prevention blade processing  but currently CG is quite  limited since you cannot create Threat Prevention exceptions or utilize updateable objects and to note, I have not done this but have been reviewing the features. Create an account at portal.checkpoint.com to demo CG or just see the features but definitely contact your account SE for questions.

Contributor

Thank you @Joe_O_Neill for the suggestion. We will try to see if the sales engineer can help us with tool and performance impact.

It would however also be interesting to get feedback from the community about specific IPS signatures or other features that are useful for controlling outbound Internet access.

Best regards,

Harry

0 Kudos
Reply
Admin
Admin

You’re already taken the major performance impact (over firewall only) by enabling App Control/URL Filtering and Anti-Bot, which use the same content inspection engines that IPS uses.
Enabling IPS with an Optimized profile won’t impact your performance too much (maybe a few percentage points).
I second the recommendation to get with your local Check Point SE.

Contributor

Thanks @PhoneBoy for the information.

We will try to enable IPS using the Optimized profile and check with our local Check Point SE.

Thanks for your help!

0 Kudos
Reply