This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NeilDavey
Collaborator
‎2020-01-08 03:49 AM

Combined Blades (Firewall and Applications & URL Filtering)

I have just combined the Firewall and Applications & URL Filtering Blades into one policy and I have a question about a rule and where I should place it.

With my old split policies, I had a "Recommended Categories to Block" on the Application policy as the last rule before my "Default Allow All" Rule and I am wondering the best place on where to add this for my combined rule base now.

I have decided at the moment to place it in my "Clean up rules" section and was seeing if anyone had any thoughts on this?

Thanks

Preview file
18 KB
Preview file
33 KB
0 Kudos
10 Replies
_Val_
Admin
Admin
‎2020-01-08 04:00 AM

You missed completely the rule 12 from the old policy. New policy will not allow any application connectivity to internet. 

 

It would be better to create an inline layer for internet access with copy/paste of your older APC policy as sub-rules there

0 Kudos
NeilDavey
Collaborator
‎2020-01-08 04:57 AM
In response to _Val_

Thanks Val.

Reason I didn't include the rule 12 is that on my combined rule, general internet traffic is allowed through rule 3 (ironport). I have tested internet on this policy and I can still browse the internet etc with no issues.

Also, I wanted a default drop rule for any traffic. If traffic is required, I would add a rule on my rule base.
0 Kudos
mdjmcnally
Advisor
‎2020-01-08 05:22 AM
In response to NeilDavey

At the moment then Rule 3 would allow access through to the Internet without filtering.  Is it actually blocking access at Rule 4 at all?

0 Kudos
_Val_
Admin
Admin
‎2020-01-08 05:26 AM
In response to mdjmcnally

I am here with @mdjmcnally , rule 3 basically shadows 4. I would like to repeat my suggestion of creating a sub-layer which will filter out unwanted applications and allow the rest.

The way your new rulebase is build now, it is not the case.

0 Kudos
NeilDavey
Collaborator
‎2020-01-08 05:29 AM
In response to mdjmcnally

Internet seems ok.

FYI - Ironport is a proxy appliance which is why its there.

Example - my test server using IronPort can go to www.nfl.com through rule 3. If I take my proxy off and try again, then I get dropped on rule 6 "DROP RULE". If I then add "Sports" into rule 4, and do these same tests again, then I can still get to www.nfl.com using my proxy server on rule 3 and if I take my proxy off I then get dropped on rule 4.

To me, this process works correctly. rule 4 is at the bottom of my rule base so that my Ironport proxy does the first level of filtering with rule 4 as a final catch for high level suspect traffic.
0 Kudos
mdjmcnally
Advisor
‎2020-01-08 05:58 AM
In response to NeilDavey

So I understand then that the source on the IronPort rule 3 is an actual host, with it being blurred out then looks the same as the destination, hence our confusion as looks like is an Any, Any, Any rule

 

So Traffic flow is

 

If using proxy then then Source at the Firewall is seen as the IronPort Proxy and matches Rule 3 and relies on the IronPort/Proxy to do the filtering.  So any traffic from the IronPort is seen as OK by the Firewall and not filtered.

If not using the Proxy then won't match Rule 3 so moves through to Rule 4.   If matches that then the user gets a Block Page and you get a seperate log entry specific so can see against specific rule.

If doesn't match the Rule 4 then moves through to Rule 6 where gets dropped but the User gets no Block Page and obviously the log is jsut showing as Drop Rule so not as easy to distinguish in the logs.

 

Rule 4 won't block anything in this case that wouldn't get dropped at Rule 6 anyway but you will see logged seperately to the generic block all and the user a block page.

0 Kudos
NeilDavey
Collaborator
‎2020-01-08 06:11 AM
In response to mdjmcnally

Yes what you have written is correct. Apologies, on the example rule base. Its not my actual rule base, I just created it as a similar ish policy to a proper one that I use.

Rule 4 is only really added a best practice from Check Point to add these categories which is why I have added it.

I think from how I have done this my policy structure will still work and I haven't given any access that shouldn't be required. If there is no rule for a server/PC in the rule base, then it would fall through to rule 6 DROP RULE.

I am making this combined rule base on my Firewall estate which is why I asked this question now. When I do my main Firewall, I have around 130 rules so if I can understand this process at the moment, I should be able to do this same change and not fall into any issues.
0 Kudos
mdjmcnally
Advisor
‎2020-01-08 04:54 AM

If you want to ensure that drop access to those then want it high on the rulebase as otherwise other rules potentially can allow access to them.   These are categories that you don't want access to under any circumstances.

You can then use other rules or potentially an inline layer to control what can access.

inline layer is useful as can then delegate admin of the inline layer so that if use a rule that permits say a dept access to the Internet then call an inline layer, you can delegate admin of that layer for the dept to the dept head.   Also means that they can control what there dept has.

 

 

 

0 Kudos
NeilDavey
Collaborator
‎2020-01-08 04:59 AM
In response to mdjmcnally

Thanks for this.

I am still a bit confused with the inline layers at the moment 🙂 and as its only me who edits the Firewall, I wanted to try and keep it simple at the moment. I will think about moving this rule higher up the rule base then.
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-01-08 06:18 AM
In response to NeilDavey

I would suggest hit counts for changing rule order...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events