This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tom_Hinoue
Advisor
Advisor
‎2020-03-15 01:06 AM
Jump to solution

NGFW Licensing in Locally Managed SMB - URL Filtering? No?

Alright, we have NGFW Licensing now on the new 1500 series...

What I know from maintrain (and this chart) is that NGFW contains like - [FW, IPS, APPI, IPSec VPN, Content Awareness]
But in Locally Managed SMB... the blade settings is that we either have APPI&URLF both enabled, or only URLF enabled. So.. I'm not sure of the exact behavior we will have here.

Centrally managed is easy to understand because we can select blades individually 😛

APPI_URL.PNGSecurity_DB.PNG

Blade_Control.PNG

 

 

 

 

 

 

 

 

So...if we want to use APPI, we need both APPI&URL enabled, but simply URLF wont work?
I've been looking up documents, and engaging with CP reps but.. don't have a precise answer yet.
Though the 1500 datasheet shows the same as maintrain.. URLF not included.

Is any one familiar about it?

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-03-15 06:50 PM
Jump to solution

The same part of the software supplies both functions, thus why they are enabled/disabled as one.
When you do not have a URLF license (i.e. because you have an NGFW license), then you cannot use functions that rely on URLF.
Specifically, that means you cannot use URL Filtering categories in your rulebase.
You can still use App Control categories or custom URLs in application definitions, as that will be covered by App Control (covered by NGFW).

Note this is exactly how it works on non-SMB appliances as well.

View solution in original post

0 Kudos
6 Replies
Shlomi_Feldman
Employee Alumnus
Employee Alumnus
‎2020-03-15 02:22 AM
Jump to solution

I am a bit confused from your question.
the license allows you to have both and then you can fine tune it and choose just URLF. can you please explain what exactly you need?
0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2020-03-15 02:48 AM
In response to Shlomi_Feldman
Jump to solution

Hi Shlomi,

From datasheets describing NGFW, we see it doesn't include URLF. (and I know I maybe asking something obvious...)
In locally managed mode, I assume having APPI On means URLF is also enabled... where we can't just have ONLY APPI enabled.

So does this mean that when we have NGFW license and want to use APPI, we will have both APPI/URLF enabled though URLF will not be licensed? I'm concerned as in Licensing, and system resource perspectives...

PhoneBoy
Admin
Admin
‎2020-03-15 06:50 PM
Jump to solution

The same part of the software supplies both functions, thus why they are enabled/disabled as one.
When you do not have a URLF license (i.e. because you have an NGFW license), then you cannot use functions that rely on URLF.
Specifically, that means you cannot use URL Filtering categories in your rulebase.
You can still use App Control categories or custom URLs in application definitions, as that will be covered by App Control (covered by NGFW).

Note this is exactly how it works on non-SMB appliances as well.
0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2020-03-15 11:52 PM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

Thanks, your explanation made most of my concerns clear 🙂

Btw, from your comments I was wondering how can I distinguish between URLF categories and APPI categories tags?
(For e.g in SmartConsole, application categories shows all category tags...)

Or maybe you mean by only applications that these categories are tagged to are controllable by the policy?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-16 12:02 AM
In response to Tom_Hinoue
Jump to solution

In a locally managed SMB appliance, there's no real easy way to see which of the categories are App Control, URL Filtering, or both.
Clearly you won't be able to use categories that are entirely URL Filtering, but you should be able to use the "apps" in a given category.
This list might help: https://www.checkpoint.com/urlcat/appcontrol.htm
Tom_Hinoue
Advisor
Advisor
‎2020-03-16 02:34 AM
In response to PhoneBoy
Jump to solution

"Clearly you won't be able to use categories that are entirely URL Filtering, but you should be able to use the "apps" in a given category."

Just the right answer I needed 🙂
I'm all clear now. Thanks again for your help!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top