Alejandro_Lansa
Participant

Replace Proxy with Checkpoint Application Control and URL Filtering

I would like to replace our current Proxy with the Application Control and URL Filtering functionalities from Checkpoint Firewall. I have installed a Security Gateway to test, but I am experiencing some problems.

Requirements:

  • Non Transparent Proxy
  • Integration with Identity Awareness
  • Each group of users has access to a group of URL Categories

Configuration

  • Checkpoint R80.10 With the following Blades: Firewall, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Identity Awareness and Content Awareness
  • The Security Gateway is configured as HTTP/HTTPS Proxy – Port 8080
  • There is a Rule to allow access from clients network to the Security gateway – Port 8080
  • Identity Awareness is configured with Identity collector and works fine.
  • A rule allows access from the clients network to a Group of URLs “Trusted Sites”
  • Some rules allow access from user access roles to some groups of Categories
  • In the Implied Policy, the option “Accept outgoing packets originating from Gateway” is configured as “Before last”

Behavior:

  • All Clients have access to all URLs.
  • In the Log I can see 2 connections: One from the client to the Security Gateway, port 8080, allowed and the other one from the Security Gateway to Internet allowed by Implicit Rule 0. In the second rule there is neither information about the client IP nor the client user.
  • When I disable the implicit rule that allows outgoing packets originating from the Gateway, the clients cannot access any URL.

There is probably something wrong in my design. Can the security gateway work as a Proxy and at the same time filter which URLs a group of clients can use?

Vladimir
Champion
Alejandro_Lansa
Participant

It works!
The URL Filtering inline Policy was not in the correct place.
My configuration had 2 rules for Proxy:
1.- From clients -> To Proxy, Port 8080 -> accept
2.- From clients -> to internet, Ports http+https -> Inline Layer Web-Gateway (URL filtering rules)

And the correct configuration is:
1.- From clients -> To Proxy, Port 8080 -> Inline Layer Web-Gateway (URL filtering rules)

Thanks!
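
The rule placement described in the post above can be reproduced with a simplified first-match model. This is an added example, not code from the thread or from Check Point; the access role and category names and the cleanup drop at the end of the inline layer are assumptions made for illustration.

```python
# Simplified first-match model of an ordered rulebase with an inline layer.
# Constructed for illustration: role and category names are hypothetical.

# Inline layer "Web-Gateway": (access role, URL categories that role may reach).
WEB_GATEWAY = [
    ("Any", {"Trusted Sites"}),
    ("Marketing", {"Social Networking", "News"}),
]

# Configuration from the post that let every client reach every URL.
ORIGINAL = [
    {"src": "clients", "dst": "proxy", "ports": {8080}, "action": "accept"},
    {"src": "clients", "dst": "internet", "ports": {80, 443}, "action": "inline"},
]
# Configuration from the post that works.
CORRECTED = [
    {"src": "clients", "dst": "proxy", "ports": {8080}, "action": "inline"},
]

def proxied_request(role, category):
    """What the gateway sees from a client configured to use it as a proxy:
    the destination is always the proxy on port 8080, never the web server."""
    return {"src": "clients", "dst": "proxy", "port": 8080,
            "role": role, "category": category}

def inline_layer(conn):
    for role, categories in WEB_GATEWAY:
        if role in ("Any", conn["role"]) and conn["category"] in categories:
            return "accept"
    return "drop"  # assumed cleanup rule closing the inline layer

def evaluate(rulebase, conn):
    """Return the action of the first rule whose source, destination and port match."""
    for rule in rulebase:
        if (conn["src"] == rule["src"] and conn["dst"] == rule["dst"]
                and conn["port"] in rule["ports"]):
            if rule["action"] == "inline":
                return inline_layer(conn)
            return rule["action"]
    return "drop"

if __name__ == "__main__":
    req = proxied_request("Sales", "Gambling")
    # ORIGINAL: rule 1 accepts before any URL rule is consulted; rule 2 never
    # matches because proxied traffic is addressed to the proxy, not the internet.
    print("original :", evaluate(ORIGINAL, req))
    print("corrected:", evaluate(CORRECTED, req))
```
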

Wenhao_Li
Explorer
Hi Lansa, can you please provide a more detailed configuration? I've tried to mimic your rules, but it is still not working. Thanks in advance!!
Wenhao_Li
Explorer
Are the proxy and URL filtering running on the same security gateway? Or must they be different?
