This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Igor_Simovski
Participant
‎2018-12-14 05:35 AM

Application and URL filtering unknown traffic issue

Hello all,

I have a question regarding Application and URL filtering blade.

After we define specific rules for the traffic/sites that we know must go to the internet and place the rule for blocking known malicious applications per categories, unknown traffic is left per ports 80 and 443 (we dont have an info on apps inside that initiate connection), so it comes down to identify if traffic is legitimate. And if we somehow manage to do it and as a end result we have a list of internal hosts that communicate to outside/internet IPs with legitimate traffic, would it be the right approach to create rule for example:

Name: Allow HTTP/HTTPS out.

Source: Create Group and place hosts we have identified,

Destination: Internet,

Services: tcp https, tcp http,

Application/Sites: Any Recognized (block rule with blacklist categories will be placed above this one)

Action: Allow    

And after all said and done at the end rule that will be any to internet drop?

Give me your advice guys?

Many thanks,

3 Replies
Vladimir
Champion
Champion
‎2018-12-14 06:50 AM

I do not believe that "Any Recognized" category is present in R80.10. Perhaps Check Point brought it back in R80.20, but I cannot be certain.

In the absence of this object, your future upgrade may require removal of the "Any Recognized" from this rule.

So the long term strategy will be blocking everything going to known risky categories and allowing the rest.

PhoneBoy
Admin
Admin
‎2018-12-14 11:04 AM

Assuming we're talking R80.x, the service to use is "Any."

To get the application to log in this case, make sure the track for the rule is set to Detailed or Extended.

Of course, this will also allow things that do not have an explicit signature defined as well.

In any case, it should presumably match something generic like "Web Browsing" unless it's not really web-based traffic.

Maarten_Sjouw
Champion
Champion
‎2018-12-15 10:53 PM

Have a look at this entry where I posted a base template for APCL/URLF.

Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events