Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Copper

NGFW Licensing in Locally Managed SMB - URL Filtering? No?

Jump to solution

Alright, we have NGFW Licensing now on the new 1500 series...

What I know from maintrain (and this chart) is that NGFW contains like - [FW, IPS, APPI, IPSec VPN, Content Awareness]
But in Locally Managed SMB... the blade settings is that we either have APPI&URLF both enabled, or only URLF enabled. So.. I'm not sure of the exact behavior we will have here.

Centrally managed is easy to understand because we can select blades individually 😛

APPI_URL.PNGSecurity_DB.PNG

Blade_Control.PNG

 

 

 

 

 

 

 

 

So...if we want to use APPI, we need both APPI&URL enabled, but simply URLF wont work?
I've been looking up documents, and engaging with CP reps but.. don't have a precise answer yet.
Though the 1500 datasheet shows the same as maintrain.. URLF not included.

Is any one familiar about it?

1 Solution

Accepted Solutions
Highlighted
Admin
Admin
The same part of the software supplies both functions, thus why they are enabled/disabled as one.
When you do not have a URLF license (i.e. because you have an NGFW license), then you cannot use functions that rely on URLF.
Specifically, that means you cannot use URL Filtering categories in your rulebase.
You can still use App Control categories or custom URLs in application definitions, as that will be covered by App Control (covered by NGFW).

Note this is exactly how it works on non-SMB appliances as well.

View solution in original post

0 Kudos
6 Replies
Highlighted
Employee+
Employee+
I am a bit confused from your question.
the license allows you to have both and then you can fine tune it and choose just URLF. can you please explain what exactly you need?
0 Kudos
Highlighted
Copper

Hi Shlomi,

From datasheets describing NGFW, we see it doesn't include URLF. (and I know I maybe asking something obvious...)
In locally managed mode, I assume having APPI On means URLF is also enabled... where we can't just have ONLY APPI enabled.

So does this mean that when we have NGFW license and want to use APPI, we will have both APPI/URLF enabled though URLF will not be licensed? I'm concerned as in Licensing, and system resource perspectives...

Highlighted
Admin
Admin
The same part of the software supplies both functions, thus why they are enabled/disabled as one.
When you do not have a URLF license (i.e. because you have an NGFW license), then you cannot use functions that rely on URLF.
Specifically, that means you cannot use URL Filtering categories in your rulebase.
You can still use App Control categories or custom URLs in application definitions, as that will be covered by App Control (covered by NGFW).

Note this is exactly how it works on non-SMB appliances as well.

View solution in original post

0 Kudos
Highlighted
Copper

Hi PhoneBoy,

Thanks, your explanation made most of my concerns clear 🙂

Btw, from your comments I was wondering how can I distinguish between URLF categories and APPI categories tags?
(For e.g in SmartConsole, application categories shows all category tags...)

Or maybe you mean by only applications that these categories are tagged to are controllable by the policy?

0 Kudos
Highlighted
Admin
Admin
In a locally managed SMB appliance, there's no real easy way to see which of the categories are App Control, URL Filtering, or both.
Clearly you won't be able to use categories that are entirely URL Filtering, but you should be able to use the "apps" in a given category.
This list might help: https://www.checkpoint.com/urlcat/appcontrol.htm
Highlighted
Copper

"Clearly you won't be able to use categories that are entirely URL Filtering, but you should be able to use the "apps" in a given category."

Just the right answer I needed 🙂
I'm all clear now. Thanks again for your help!

0 Kudos