This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
796570686578
Collaborator
‎2024-09-05 02:26 AM

Advice on Application Control Policy

Hello everyone,

I am currently running into an issue with an Application Control Policy from a customer and am brainstorming on how to solve our issue. I would appreciate any tips on how you would solve this or setup the policy.

 

We currently have setup the policy the following way:

  1. Rule: Allow specific Categories and whitelisted URLs that otherwise would be blocked.
    1. P_X_Allow contains categories such as "Computers / Internet", Education, Financial Services etc. and URLs which we whitelist explicitly. Basically anything that isn't harmful per se.
  2. Rule: Block any categories that we don't want users to access.
    1. all_categories contains all categories that are not in the P_X_Allow category such as Botnets, Email, Critical Risk, etc.

Rulebase:

app_control_rules.png

 

Now as an Example, the customer doesn't want their customers to access Gmail, and we expected it to be blocked by the Email category in the 2nd Rule. But it is being accepted in the first rule since Gmail also matches the Application "Computers / Internet".

According to the Check Point URL Categorization Tool, Gmail matches the following applications: 

Current Categories: Low Risk, Email, Computers / Internet

 

So what would be the best practice to setup our Application Control Policies or how do you usually do it with your customers? 

The fastest solution would probably be to just add another Block Rule before the first rule and add Gmail to it. While this may be a quick solution, there might be a ton of other applications that are currently allowed through categories you don't expect them to be in. So we'd have to go through all the Logs and check all the applications on how they are categorized.

If we simply move our current 2nd Rule above the Allow rule, we might also block applications that were previously allowed.

How would you tackle this?

 

Any advice is appreciated, thank you!

 

 

 

 

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2024-09-05 05:09 AM

I have a lab where I run multiple ordered layers, for example first one is just fw blade, 2nd one appc+urlf, 3rd one content awareness and then last one again just fw.

So, 2nd layer, what I ALWAYS do is have any any allow at the bottom, because as Im sure you already know, traffic has to be allowed on EVERY ordered layer. 

Now, tricky part is this...IF its not really good option to do it that way and you need to do whitelist, instead of blacklist, then you have to make sure that whatever traffic needs to be allowed, there is rule for it, otherwise, it would never work.

So, if you client does not want people to access gmail, just create custom site with something like *gmail* in it and that should do it and then you can have any any allow at the bottom.

I attached quick doc I made about how I did it in my lab. Hope it helps, but if not, happy to do remote if you allow it.

Andy

https://support.checkpoint.com/results/sk/sk112249

 

Preview file
594 KB
0 Kudos
the_rock
Legend
Legend
‎2024-09-05 05:19 AM

Also, attached below if you use ssl inspection.

Best,

Andy

Preview file
1843 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-05 02:23 PM

What version/JHF is used here?
Is HTTPS Inspection used?
The usage of HTTPS Inspection will generally improve rulebase matching.

In general, more specific rules (i.e. for specific applications/sites) should occur before more general rules (i.e. using App Control or URL Filtering categories).
If you want to block access to Gmail specifically, which has it's Application Signature as shown in AppWiki, that should probably be done before any allow rules.

image.png

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events