This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_TK
Advisor
Friday

Rewriting internet access policy

Our current rule base is pretty old, two ordered layers - access and appcontrol\url, and i'm going to rewrite utilizing just one combined layer.  A few questions

  • Our current representation of the internet in policy is a negated group of all internal networks.  I want to start using the "internet" object but seeing unexpected behavior.  My understanding of this object is any traffic that leaves on an "external" interface, that doesn't go through a VPN.  But..i'm seeing traffic that leaves on the external interface via a 2s2 tunnel being caught by this rule.  The tunnel is managed by our management server.  Is this considered correct behavior?

 

  • All relevant blades are enabled: https inspection, app control, url filtering.
    • Let's say for O365 - would y'all use the "Office365 Worldwide Services" updatable object, or the "Microsoft & Office365 Services" url category, or the many application objects?  What's really the difference between these 3 very different methods of allowing traffic?

Many thanks.

 

I just noticed that i show many more URL categories in dashboard than are listed on this URL:  https://usercenter.checkpoint.com/ucapps/urlcat/categories.  Does anyone know if there is an updated list somewhere, i need to forward on to a few folks.  thanks

0 Kudos
2 Replies
the_rock
Legend
Legend
Friday

If I were you, I would do this...but this is just my personal opnion, though I have not had any issues with this approach in the lab or any clients.

1) in ordered network layer, just have as many inline layers as needed, representing each interface (tied to a zone) and remove any rules with 0 hits, just to clean it up

2) have urlf + appc layer, with simply those blades enabled and yes, you can use Internet object as destination

Just make sure traffic is allowed on all ordered layers, ie you can have any any allow at the bottom of the last ordered layer, thats fine.

I attached doc I made while back with some screenshots. I know its related to https inspection, but you get an idea.

Andy

Preview file
1843 KB
0 Kudos
PhoneBoy
Admin
Admin
Friday

Updatable Objects fundamentally use a programmatic list provided by the vendor.
Updatable Objects do not require advanced blades to use, but if the Updatable Object is wrong, you may miss something.

Microsoft & Office365 Services uses Application Control signatures similar to the individual app signatures, which are there for granularity sake.
This isn't tied to IP addresses, but it definitely requires App Control/URL Filtering, which means traffic must pass through Medium Path to be properly detected.
App Control is definitely required to restrict Office 365 to a specific tenant: https://support.checkpoint.com/results/sk/sk146993 

There are actually two types of categories: App Control categories (which use signatures) and URL Filtering categories (which are by URL).
They are shown together in the UI.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events