Avigdor_Sharon
Contributor

How to use the unified policy?

It was interesting to read about the unified policy. What is the best method to use it?

1 Solution

Accepted Solutions
Tomer_Sole
Mentor

First of all, please note that while creating unified policies is supported through the R80 Security Management Server, only R80.10 and above Gateways will be able to support it. Attempting to install such policies on Pre-R80 GW's will fail during policy verification.

The next-generation security management allows you to combine firewall, application control and data awareness in one "access control" rulebase. What you need to do is edit your policy, edit the access control layer, and check all the relevant blades.

Then, your rulebase will have new available columns: "Services & Applications", and "Data". In the "Services & Applications", where you normally select Services in your Firewall rulebase, you will also be able to select web applications, as well as mobile access applications. In the "Data" column you will be able to select individual data types, and the upload/download direction. Enforcement will then only apply to the granular selection of this rule.

The "Track" column will also include options to include more information regarding the connection, with regard to the selected applications and data:

[Image: Under_the_Hood_R80.png]

In the world of Threat Prevention, such unification can happen with the use of the Profiles. Enable multiple blades on a profile - IPS, Anti-Bot, Threat Extraction, and place it in a rule related to a scope in your organization. While Pre-R80 Gateways must have separate rulebases for IPS and Anti Malware, the next versions of these Gateways will support unifying them.


5 Replies

Sarm_Chanatip
Collaborator

Dear Tomer Sole,

Look at rule No. 4: if I change the action to Drop, what will happen?

Will it allow me to access Facebook but not upload the document file, or drop both of them?

Regards,

Sarm

PhoneBoy
Admin

It should allow access to Facebook unless you're uploading documents.

Sarm_Chanatip
Collaborator

Hi Dameon,

Really curious how the software blade chain is checked in my question.

Let's say in rule No. 4 I change the Data column from uploading document files to ANY data type, and the action to Drop.

This should drop any users from getting access to Facebook, right? And there is no need to check the next blade layer, is that correct?

As I understand it, the first blade to be hit is the Firewall blade, then App Control & URLF, and then the rest of the software blades that are enabled, in sequence.

I would appreciate it if you could clarify this for me.

Regards,

Sarm

PhoneBoy
Admin

First of all, this example is for R80+ gateways, where all blades can be active in a specific policy layer.

And yes, they all apply simultaneously.

For a LOT more details, see:

https://community.checkpoint.com/docs/DOC-3073-r80x-security-gateway-architecture-content-inspection 

What you're describing, e.g. "the first place to be hit is the firewall", is specific to R77.x and earlier, where each blade has a separate policy that is consulted.

You cannot install the above policy on R77.x.
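To make the rule-4 discussion concrete, here is an added example (not Check Point's code, and not from any post above) that models a unified Access Control rulebase as a first-match evaluation where every column, including the "Data" column with its upload/download direction, must match before the rule's action applies. It is a simplified post-classification model: the rule numbers, the "Internal" network, the "Documents" data type and the flows are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "Any"  # wildcard value of a column

@dataclass(frozen=True)
class Flow:
    # One connection as the gateway sees it after the blades have classified it.
    src: str          # source network
    app: str          # application identified by Application Control
    data_type: str    # data type identified by Content Awareness, "" if no file
    direction: str    # "upload", "download", or "" when no file is transferred

@dataclass(frozen=True)
class Rule:
    no: int
    src: str          # Source column (ANY or a network name)
    apps: frozenset   # "Services & Applications" column
    data: frozenset   # "Data" column: data types, or {ANY} to ignore data
    direction: str    # required data direction (ANY = either)
    action: str       # "Accept" or "Drop"

    def matches(self, f: Flow) -> bool:
        # Every column must match; ANY in a column means "don't care".
        if self.src != ANY and self.src != f.src:
            return False
        if ANY not in self.apps and f.app not in self.apps:
            return False
        if ANY in self.data:
            return True  # rule does not inspect data at all
        # Data-aware rule: only a connection carrying one of the listed
        # data types in the selected direction matches.
        return f.data_type in self.data and self.direction in (ANY, f.direction)

def evaluate(rulebase, f: Flow):
    """Return (rule number, action) of the first rule that matches the flow."""
    return next((r.no, r.action) for r in rulebase if r.matches(f))

def build_rulebase(rule4_data, rule4_direction):
    # Constructed sample: rule 4 is the one from the thread, 5 allows Facebook, 6 is cleanup.
    return [
        Rule(4, "Internal", frozenset({"Facebook"}), rule4_data, rule4_direction, "Drop"),
        Rule(5, "Internal", frozenset({"Facebook"}), frozenset({ANY}), ANY, "Accept"),
        Rule(6, ANY, frozenset({ANY}), frozenset({ANY}), ANY, "Drop"),
    ]

# Constructed flows and the two rule-4 variants discussed in the thread.
BROWSE = Flow("Internal", "Facebook", "", "")
UPLOAD_DOC = Flow("Internal", "Facebook", "Documents", "upload")
SPECIFIC = build_rulebase(frozenset({"Documents"}), "upload")  # Data = Documents, upload
BLANKET = build_rulebase(frozenset({ANY}), ANY)                # Data = Any
```

With the Documents/upload variant, plain browsing falls through to rule 5 (Accept) and only a document upload hits rule 4 (Drop); with Data = Any, every Facebook connection from Internal hits rule 4 and is dropped.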
