
Rule base checking if Application Control and URL Filtering blade is enabled?

Hello Everyone,

I have one question. Suppose we have the Application Control and URL Filtering blade enabled on a Check Point firewall.

So for any outbound access, do we have to allow access in both the firewall rule base and the Application rule base?

We know that in the Application rule base we have any-to-any access allowed by default. But we have edited that rule and made it any to any -> drop.

So in this case, please let us know whether we have to allow access on both blades (Firewall and URL Filtering) for outbound access.

Thanks

Ratnesh Singh

0 Kudos
4 Replies

Re: Rule base checking if Application Control and URL Filtering blade is enabled?

Hi Ratnesh,

You need to allow access in both blades. 

Blade matching will be done from left to right and rule base matching will be done from top to bottom. So first it will check the access rule, and if it is allowed there, then it will go to the next blade. Hope this clarifies your query.

0 Kudos

Re: Rule base checking if Application Control and URL Filtering blade is enabled?

Thank you for the reply.

We are using an R80.10 MGMT server and I did not get the 1st line, i.e. "Blade matching will be done from left to right"?

Thanks

0 Kudos

Re: Rule base checking if Application Control and URL Filtering blade is enabled?

Hi Ratnesh,

Got it. If you have R80.10 mgmt., then there are 2 approaches: Ordered Layer and Inline Layer.

If you are going for Ordered Layer, then it is a top-to-bottom approach for layers and the rule base as well. Here you need to allow traffic in the access layer and then it will go to Application Control or URL Filtering.

If you are going for Inline Layer, then define the parent rule first and inside that rule give specific applications.

For more clarification, you can see the video below.

https://community.checkpoint.com/videos/5487

0 Kudos
Admin

Re: Rule base checking if Application Control and URL Filtering blade is enabled?

Actually rulebase matching is a little different in R80.x:

Unified Policy Column-based Rule Matching

Still, when you have multiple ordered policy layers, the connection must match an Accept rule in each layer.

Also keep in mind that each layer can have a different implicit cleanup rule (either allow or block).

0 Kudos
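
The ordered-layer behaviour described in the replies above, as an added example that is not part of the original thread and is not Check Point code: a simplified model in which a connection must hit an accept in every layer, and each layer carries its own implicit cleanup action. The `Rule`, `Layer` and `evaluate` names, the policies and the sample connections are all hypothetical and constructed for illustration.

```python
# Simplified model of ordered policy layers (added example, not Check Point code).
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    match: dict          # e.g. {"service": "https"}; {} matches any connection
    action: str          # "accept" or "drop"

    def matches(self, conn):
        return all(conn.get(k) == v for k, v in self.match.items())

@dataclass
class Layer:
    name: str
    rules: list = field(default_factory=list)
    implicit_cleanup: str = "drop"   # each layer has its own default

    def decide(self, conn):
        for rule in self.rules:      # top to bottom, first match wins
            if rule.matches(conn):
                return rule.action, rule.name
        return self.implicit_cleanup, "implicit cleanup"

def evaluate(layers, conn):
    """Return (verdict, trace); the connection needs an accept in every layer."""
    trace = []
    for layer in layers:             # ordered layers, evaluated in sequence
        action, rule = layer.decide(conn)
        trace.append((layer.name, rule, action))
        if action != "accept":
            return "drop", trace     # later layers are never consulted
    return "accept", trace

# Constructed policies and connections (hypothetical names).
network = Layer("Network", [Rule("Outbound web", {"service": "https"}, "accept")])
app_edited = Layer("Application", [Rule("Cleanup", {}, "drop")])   # any -> drop
app_fixed = Layer("Application", [
    Rule("Approved apps", {"app": "Office365"}, "accept"),
    Rule("Cleanup", {}, "drop"),
])
o365 = {"service": "https", "app": "Office365"}
dropbox = {"service": "https", "app": "Dropbox"}
ssh = {"service": "ssh", "app": None}

if __name__ == "__main__":
    for layers, conn in [([network, app_edited], o365), ([network, app_fixed], o365),
                         ([network, app_fixed], dropbox), ([network, app_fixed], ssh)]:
        print(conn, *evaluate(layers, conn))
```

With the Application layer reduced to a single any-to-any drop rule, outbound traffic accepted by the network layer is still dropped until an explicit accept rule is placed above the cleanup rule in that layer.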