
Is it possible to create OS based rules in 80.10 or 80.20 ?

Can you create OS based rules in 80.10 or 80.20? For example, create a rule that denies internet access for all Windows 2003 and Windows XP machines? I would prefer to be able to create a rule based on operating system instead of using IPs or hostnames.

7 Replies

Re: Is it possible to create OS based rules in 80.10 or 80.20 ?

I don't think so. Check Point cannot detect a host machine's operating system or its version. Even if it could detect the OS, CP doesn't have any feature for OS based policy.


Re: Is it possible to create OS based rules in 80.10 or 80.20 ?

If those are managed machines, and they are listed in particular groups on your AD (grouping by OS flavor, for example), you can use specific access roles and IA to build up your rules.

Re: Is it possible to create OS based rules in 80.10 or 80.20 ?

Yes, they are managed machines. All in our AD.

What do you mean by IA? As I said, I would prefer that it not be necessary to join those machines to an AD group, but instead to create something that automatically blocks internet access for a specific operating system. But I am open to hearing what options I have for the best available solution on Check Point :)

Re: Is it possible to create OS based rules in 80.10 or 80.20 ?

IA - Identity Awareness. 


Re: Is it possible to create OS based rules in 80.10 or 80.20 ?

You might be able to do an Automation Reaction on SmartEvent when IPS detects Windows XP (which is disabled by default as an IPS Protection).

But I'm with Valeri, I'd do this with Identity Awareness where you define a group of your "older" machines in Active Directory.

Re: Is it possible to create OS based rules in 80.10 or 80.20 ?

That is assuming the machines are part of a domain. And a domain that is actually connected to the firewall.

I have seen mission critical obsolete hardware/software combinations that no one dared to touch, but they are usually not part of a domain and never were. So it only works if you identify the OS somehow.

Time for P0f blade I guess ;-)


Re: Is it possible to create OS based rules in 80.10 or 80.20 ?

If you have any NAC solution such as Portnox, Forescout or ISE, they can identify the OS and patch levels and perform an API call to the IA blade to give them special tags.

What ways can you distinguish between those clients?
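As an added illustration of the NAC-to-Identity-Awareness approach described in the reply above (example code, not Check Point's or any NAC vendor's): a small Python script that turns a constructed NAC inventory into Identity Awareness Web API add-identity bodies, tagging hosts that report Windows XP or Windows Server 2003 with an assumed access role, so that a single rule on that role can deny them internet access without touching IPs, hostnames or AD groups. The endpoint path, the JSON field names, the role name and the gateway address and shared secret are all assumptions or placeholders, not values taken from the thread.

```python
import json
import urllib.request

# Constructed NAC inventory (hypothetical): the kind of endpoint data a NAC
# such as Forescout or ISE might report. Not real hosts.
NAC_INVENTORY = [
    {"ip": "10.1.1.10", "hostname": "legacy-erp01", "os": "Windows Server 2003 SP2"},
    {"ip": "10.1.1.11", "hostname": "scada-hmi", "os": "Windows XP Professional SP3"},
    {"ip": "10.1.1.20", "hostname": "ws-20", "os": "Windows 10 Enterprise"},
    {"ip": "10.1.1.30", "hostname": "lnx-30", "os": "Ubuntu 20.04"},
]

# Assumed role name: an Access Role with this name would be created in
# SmartConsole and used as the source of a rule that drops Internet traffic.
LEGACY_ROLE = "legacy_os_no_internet"
LEGACY_MARKERS = ("windows xp", "windows server 2003", "windows 2003")


def is_legacy_os(os_name: str) -> bool:
    """True for OS strings naming the unsupported Windows versions from the question."""
    name = os_name.lower()
    return any(marker in name for marker in LEGACY_MARKERS)


def build_add_identity(entry: dict, shared_secret: str, timeout: int = 3600) -> dict:
    """Build one add-identity body for the Identity Awareness Web API (field names assumed)."""
    roles = [LEGACY_ROLE] if is_legacy_os(entry["os"]) else []
    return {
        "shared-secret": shared_secret,
        "ip-address": entry["ip"],
        "machine": entry["hostname"],
        "machine-os": entry["os"],
        "roles": roles,
        "session-timeout": timeout,  # the tag expires unless the NAC refreshes it
        "identity-source": "NAC",
    }


def tag_legacy_hosts(inventory: list, shared_secret: str) -> list:
    """Return add-identity bodies for legacy hosts only; other hosts get no tag."""
    return [build_add_identity(e, shared_secret) for e in inventory if is_legacy_os(e["os"])]


def push_identity(gateway: str, body: dict) -> int:
    """POST one body to the gateway (assumed path); returns the HTTP status. Not called here."""
    req = urllib.request.Request(
        f"https://{gateway}/_IA_API/v1.0/add-identity",
        data=json.dumps(body).encode(), headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    for body in tag_legacy_hosts(NAC_INVENTORY, "<SHARED-SECRET-PLACEHOLDER>"):
        print(json.dumps(body, indent=2))
```

Because the identity carries a session timeout, a host that is re-imaged or leaves the network loses the tag on its own unless the NAC keeps re-asserting it.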