Igor_Simovski
Participant

Application and URL filtering unknown traffic issue

Hello all,

I have a question regarding Application and URL filtering blade.

After we define specific rules for the traffic/sites that we know must go to the Internet and place the rule for blocking known malicious applications per category, unknown traffic is left on ports 80 and 443 (we don't have info on the apps inside that initiate the connection), so it comes down to identifying whether the traffic is legitimate. And if we somehow manage to do it, and as an end result we have a list of internal hosts that communicate with outside/Internet IPs with legitimate traffic, would it be the right approach to create a rule, for example:

Name: Allow HTTP/HTTPS out.

Source: Create Group and place hosts we have identified,

Destination: Internet,

Services: tcp https, tcp http,

Application/Sites: Any Recognized (block rule with blacklist categories will be placed above this one)

Action: Allow    

And after all is said and done, at the end a rule that will be Any to Internet drop?

Give me your advice, guys.

Many thanks,

3 Replies
Vladimir
Champion

I do not believe that "Any Recognized" category is present in R80.10. Perhaps Check Point brought it back in R80.20, but I cannot be certain.

In the absence of this object, your future upgrade may require removal of the "Any Recognized" from this rule.

So the long term strategy will be blocking everything going to known risky categories and allowing the rest.

PhoneBoy
Admin

Assuming we're talking R80.x, the service to use is "Any."

To get the application to log in this case, make sure the track for the rule is set to Detailed or Extended.

Of course, this will also allow things that do not have an explicit signature defined as well.

In any case, it should presumably match something generic like "Web Browsing" unless it's not really web-based traffic.
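The following is an added example, not code from the original thread or from Check Point. It models the three rules proposed in the question (block risky categories on top, allow the identified host group out on 80/443, cleanup drop to Internet) as a first-match rulebase and evaluates a few constructed connections against it, once with "Any Recognized" in the Applications column and once with "Any" as PhoneBoy suggests. Host names, category names and the simplified matching logic are assumptions for illustration; they are not real Check Point objects, and the model only shows rule ordering, not the blade's actual classification behaviour.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple, Union

# Constructed sample objects for this example (not Check Point objects).
IDENTIFIED_HOSTS = frozenset({"ws-finance-01", "ws-hr-07"})             # the "Source" group
RISKY_CATEGORIES = frozenset({"Malicious Sites", "Anonymizers", "Spam"})  # assumed blacklist categories
WEB_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str                 # "Internet" or an internal zone name
    port: int
    app: Optional[str]       # application matched by an APCL signature, None if none matched
    category: str            # URL Filtering category of the destination


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Optional[FrozenSet[str]]   # None means Any
    dest: Optional[str]                 # None means Any
    ports: Optional[FrozenSet[int]]     # None means Any
    apps: Union[str, FrozenSet[str]]    # "Any", "Any Recognized", or a set of app/category names
    action: str                         # "Accept" or "Drop"

    def matches(self, c: Connection) -> bool:
        if self.sources is not None and c.src not in self.sources:
            return False
        if self.dest is not None and c.dst != self.dest:
            return False
        if self.ports is not None and c.port not in self.ports:
            return False
        return self._app_matches(c)

    def _app_matches(self, c: Connection) -> bool:
        if self.apps == "Any":
            return True                      # matches even when no signature fired
        if self.apps == "Any Recognized":
            return c.app is not None         # only traffic a signature actually identified
        return c.app in self.apps or c.category in self.apps


def build_rulebase(app_column: str) -> Sequence[Rule]:
    """The three rules from the thread, top to bottom; app_column is the value
    used in the Applications/Sites column of the allow rule."""
    return (
        Rule("Block risky categories", None, "Internet", None, RISKY_CATEGORIES, "Drop"),
        Rule("Allow HTTP/HTTPS out", IDENTIFIED_HOSTS, "Internet", WEB_PORTS, app_column, "Accept"),
        Rule("Cleanup: any to Internet", None, "Internet", None, "Any", "Drop"),
    )


def evaluate(rulebase: Sequence[Rule], c: Connection) -> Tuple[str, str]:
    """First match wins, as in an access layer; implicit drop if nothing matches."""
    for rule in rulebase:
        if rule.matches(c):
            return rule.name, rule.action
    return "Implicit cleanup", "Drop"


if __name__ == "__main__":
    # Constructed connections to exercise the ordering.
    samples = [
        Connection("ws-finance-01", "Internet", 443, "Web Browsing", "Computers / Internet"),
        Connection("ws-finance-01", "Internet", 443, "Web Browsing", "Malicious Sites"),
        Connection("ws-guest-99", "Internet", 443, "Web Browsing", "Computers / Internet"),
        Connection("ws-finance-01", "Internet", 443, None, "Uncategorized"),
    ]
    for column in ("Any Recognized", "Any"):
        print(f"--- Applications column = {column!r}")
        for conn in samples:
            print(f"{conn.src:14} app={str(conn.app):14} cat={conn.category:22} -> {evaluate(build_rulebase(column), conn)}")
```

The last sample is the case PhoneBoy describes: a connection on 443 that no signature identified. With "Any Recognized" it falls through to the cleanup drop; with "Any" the allow rule accepts it, so the rule also admits traffic without an explicit signature, and only the block rule above it (and a Detailed/Extended track so the log shows what was classified) limits what gets through.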

Maarten_Sjouw
Champion

Have a look at this entry where I posted a base template for APCL/URLF.

Regards, Maarten
