This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-06-22 03:14 PM

Separate layers of Security Rules vs. APPC + URLF

Hello, world.

One question, when you activate the APPC + URLF modules in your Firewall Cluster, and you work these 2 blades, in a separate layer from the Firewall layer, what is the logic regarding the rules?

The security layer and the APPC+URLF layer have implicit rules that block traffic.
Is this "order" to be preserved? Or should the implicit rule of one of the layers be "varied"? ????

If I want to give permissions to an IP 192.168.1.5 to consume only certain "applications" such as "LinkedIN, Youtube, Netflix"?
This IP must have created, both a rule in the Firewall layer, and 1 rule in the APPC+URLF layer, is it correct????

The implicit rule, of the APPC+URLF layer, for good practice, as it should be after its activation, as ALLOW or DROP?

Thanks for your comments.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-06-22 03:43 PM

When using ordered layers, an Accept rule has to be matched in every layer.
That means, yes, you will have to create a rule in both layers in your case.

Unless you're managing pre-R8x gateways, there's no real benefit to having a separate Firewall and App Control/URLF layer.
In pre-R8x gateways, the cleanup rule on the App Control ruleset was Accept.
It should only be Drop if you're certain you have rules in both layers to allow all relevant traffic.

0 Kudos
Matlu
Advisor
‎2023-06-22 04:28 PM
In response to PhoneBoy

Sorry, but this comment "It should only be Drop if you're certain you have rules in both layers to allow all relevant traffic", I can't interpret it well.

My environment is Clusters in R81.10 version.
The previous administrator inherited me the solution, with "separate layers".

Maybe with an example it could be clearer.
If I have an IP 192.168.100.5 and I want to give it to consume, only "LinkedIN and Youtube", I will use "LinkedIN and Youtube".

I must have a rule, in the security layer, in this sense
SRC: 192.168.100.5
DST: ANY
SERVICE: ANY

And apart a rule in APPC/URLF, almost in the same sense, except that here I will be able to specify the applications that I want.
Is this the correct way?

In this case, the implicit rule of the APPC/URLF layer, how should it go, as ALLOW or DROP?

Thank you. 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-23 07:53 AM
In response to Matlu

Most likely the previous administrator upgraded from an earlier release where you HAD to have a separate Firewall and App Control/URLF policy layer (i.e. R77.x gateways were being managed at some point).
While you can maintain this: policy structure if you prefer, it would be better (and simpler) to combine these policies in the long run.

In any case, you are correct: you need a rule similar to what you describe in both policies.
What you use for the default cleanup rule in the App Control policy will depend on whether you are still managing R77.x gateways or not.
The default cleanup rule MUST be Allow for App Control/URLF layers if you are managing R77.x gateways.
Otherwise, it can be Drop, but you should be fairly certain you have explicit rules defined for all traffic you wish to permit in the App Control layer.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events