D_TK
Advisor

Rewriting internet access policy

Our current rule base is pretty old, two ordered layers - access and appcontrol\url, and I'm going to rewrite utilizing just one combined layer. A few questions:

  • Our current representation of the internet in policy is a negated group of all internal networks. I want to start using the "Internet" object but I'm seeing unexpected behavior. My understanding of this object is any traffic that leaves on an "external" interface that doesn't go through a VPN. But I'm seeing traffic that leaves on the external interface via a s2s tunnel being caught by this rule. The tunnel is managed by our management server. Is this considered correct behavior?

  • All relevant blades are enabled: HTTPS inspection, app control, URL filtering.
    • Let's say for O365 - would y'all use the "Office365 Worldwide Services" updatable object, or the "Microsoft & Office365 Services" URL category, or the many application objects? What's really the difference between these 3 very different methods of allowing traffic?

Many thanks.

I just noticed that I show many more URL categories in dashboard than are listed on this URL: https://usercenter.checkpoint.com/ucapps/urlcat/categories. Does anyone know if there is an updated list somewhere? I need to forward it on to a few folks. Thanks.

2 Replies
the_rock
Legend

If I were you, I would do this...but this is just my personal opinion, though I have not had any issues with this approach in the lab or at any clients.

1) In the ordered network layer, just have as many inline layers as needed, representing each interface (tied to a zone), and remove any rules with 0 hits, just to clean it up.

2) Have a URLF + APPC layer, with simply those blades enabled, and yes, you can use the Internet object as destination.

Just make sure traffic is allowed on all ordered layers, i.e. you can have an any-any allow at the bottom of the last ordered layer, that's fine.

I attached a doc I made a while back with some screenshots. I know it's related to HTTPS inspection, but you get the idea.

Andy

PhoneBoy
Admin

Updatable Objects fundamentally use a programmatic list provided by the vendor.
Updatable Objects do not require advanced blades to use, but if the Updatable Object is wrong, you may miss something.

Microsoft & Office365 Services uses Application Control signatures similar to the individual app signatures, which are there for granularity's sake.
This isn't tied to IP addresses, but it definitely requires App Control/URL Filtering, which means traffic must pass through the Medium Path to be properly detected.
App Control is definitely required to restrict Office 365 to a specific tenant: https://support.checkpoint.com/results/sk/sk146993

There are actually two types of categories: App Control categories (which use signatures) and URL Filtering categories (which are by URL).
They are shown together in the UI.

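To make the difference between the three methods concrete, here is an added illustration (not Check Point code, not anything from this thread) that evaluates a destination the way an IP-list updatable object would versus the way a hostname-based URL/App Control match would. The feed records mimic the shape of Microsoft's published Office 365 endpoint JSON, but every address, URL and id below is a constructed sample, not the live list.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample records in the shape of Microsoft's Office 365 endpoint
# feed (serviceArea / urls / ips / tcpPorts). Values are illustrative only.
O365_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange",
     "urls": ["outlook.office365.com", "*.protection.outlook.com"],
     "ips": ["52.96.0.0/14", "40.96.0.0/13"], "tcpPorts": "443"},
    {"id": 31, "serviceArea": "SharePoint",
     "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"], "tcpPorts": "443"},
]

def updatable_object_match(dst_ip, feed=O365_ENDPOINTS):
    """IP-based match, which is how an Updatable Object behaves: no inspection
    blades needed, only as good as the vendor list, and it cannot tell which
    tenant sits behind a shared address."""
    addr = ipaddress.ip_address(dst_ip)
    return [rec["serviceArea"] for rec in feed
            if any(addr in ipaddress.ip_network(net) for net in rec["ips"])]

def url_match(host, feed=O365_ENDPOINTS):
    """Hostname-based match, which is what URL Filtering / App Control see once
    HTTPS inspection (or SNI) exposes the destination name. Requires the
    connection to be inspected, i.e. the Medium Path."""
    return [rec["serviceArea"] for rec in feed
            if any(fnmatch(host, pattern) for pattern in rec["urls"])]

def tenant_allowed(host, allowed_tenants):
    """Tenant restriction is only decidable on the hostname: every tenant's
    SharePoint site resolves into the same IP ranges, so an IP-list object
    can never express 'only our tenant'. (Hypothetical check, not sk146993.)"""
    label = host.split(".")[0]
    return host.endswith(".sharepoint.com") and label in allowed_tenants

if __name__ == "__main__":
    print(updatable_object_match("52.98.1.1"))                  # ['Exchange']
    print(url_match("contoso.sharepoint.com"))                  # ['SharePoint']
    print(tenant_allowed("contoso.sharepoint.com", {"contoso"}))  # True
    print(tenant_allowed("other.sharepoint.com", {"contoso"}))    # False
```

The first two functions both say "Office 365" for their respective inputs, but only the hostname path can answer the tenant question, which is why the tenant restriction needs App Control rather than the IP-based object.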