Matlu
Advisor

Errors with APPC+URLF blades

Hello, community.

I have a question.

I have decided to work with 2 layers, 1 layer for the network and the other layer for APPC+URLF.
The problem is that when I work this way, after installing the policy, I automatically lose CLI management access to my GW, and I also lose the Internet connectivity of my MGMT.

It is something very strange.

When I revert the change and only work with a single layer (Policy -> Network), I have management access to my GW and also the Internet connectivity of my MGMT.

It is a distributed environment. (I share some images of my environment with you.)

LAB1.jpg

LAB2.jpg

LAB3.jpg

I am also validating that the rule I have created in the APPC+URLF layer "is not working", and it should be working, since I am instructing the PC to use the rule I created in order to consume "social networks", but the traffic is doing "MATCH" with the Cleanup of the APPC+URLF layer (I share an image with you).

LAB4.jpg

LAB5.jpg

I hope you can help me clarify this doubt, because I cannot solve the error.
Thank you very much.

0 Kudos
14 Replies
G_W_Albrecht
Legend

Please check sk112249: Best Practices - Application Control! Maybe you had better go with the Blacklist approach recommended by CP?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend

I will tell you why this fails and I'm 100% positive about it. @G_W_Albrecht is correct, btw. But here is a way bigger problem with what you did...

If you read the article below:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

The whole essence is this... traffic has to be accepted on EVERY ordered layer. So in your case, no matter what's accepted in the network layer, it will always get dropped on the 2nd layer, no exceptions. You need to blacklist all you wish to block in the appc/urlf layer and put an any-any allow at the bottom, that's it.

I have good labs to show you examples of it, but I hope what I said makes sense.

Andy

0 Kudos
Matlu
Advisor

Hello friend.

I'm a bit confused with your answer.

I remember that the rules are "evaluated" from top to bottom, and if the traffic does not "match" in a layer (in my case, the Firewall layer), it goes to the next layer, which in my case is APPC+URLF, and starts to evaluate the rules there.

My doubt comes right here, because when the traffic starts to be "checked" in the APPC+URLF layer, it makes "MATCH" with the CLEANUP rule, although I have a "customized" rule (the only rule) in which I try to make all the traffic going to social network pages "MATCH" there.

It is not clear to me, why it does not obey this custom rule.

Maybe I'm doing my homework wrong.

Regards.

0 Kudos
Chris_Atkinson
Employee

Please check the following resources regarding layers for better understanding:

https://community.checkpoint.com/t5/Management/Policy-Layers-in-R80-x/m-p/1718/highlight/true#M18158

CCSM R77/R80/ELITE
0 Kudos
Chris_Atkinson
Employee

Note R80.30 is end of support. Which JHF is it installed with? At least Take 228 or higher is needed (for optimal SNI-based categorisation, but preferably the latest GA).

Is HTTPS inspection enabled here?

Notwithstanding, there are some changes required to your policy based on what's shown.

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

Hello,

The GW, which is on R80.30, has JHF 255, and I am not working with HTTPS Inspection at the moment.

The strange thing is that if I work with a single layer where the "Firewall + APPC+URLF" blades are enabled by default, I "recover" my CLI access to the GW, and my MGMT recovers its access to the Internet.

Greetings.

0 Kudos
Chris_Atkinson
Employee

Correct, unified policy and ordered layers behave differently; this is by design.

As Andy indicated, both layers need to match the traffic in this configuration; if you want more granular control, try inline layers as an alternative.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

The reason why it works with a single layer is because you have urlf+appc enabled in it and the traffic matches the rule, right. In the scenario you gave, it would not matter if the traffic matched 200 layers; if the last one had an any-any drop rule, ALL traffic would get dropped.

The documents Chris and I sent definitely outline that, with examples given.

Hope that helps!

Andy

0 Kudos
Matlu
Advisor

Hi Rock.

I have reviewed the documents shared and the theory is clearer, but putting this theory into "practice" gets a little complicated for me.
Based on the scenario I have shared, how would you get the traffic of PC_Gestion to "Match" with the first rule of the APPC+URLF layer?
Do you see my configuration as wrong?
What I want is that the traffic that goes from this PC to social networks like "Facebook, LinkedIn, etc." matches the layer I created, specifically the explicit rule #1.

Thanks for your help.

0 Kudos
the_rock
Legend

Sorry mate, not sure I can explain it any better, apologies. Yes, it's wrong, because the 2nd layer will drop EVERYTHING. So, as @G_W_Albrecht indicated, you have to use the blacklist approach. If you don't wish to do so, I put it all in one layer for a customer that was on Cisco before. Their boss did not feel comfortable with the CP approach for the urlf layer. So, to summarize, either way works, but you simply CANNOT have an any-any drop at the bottom of the 2nd layer, as nothing will ever work, regardless of whether it's fw traffic, urlf or appc related. I can show you this in my lab, it would make sense 100%.

0 Kudos
Matlu
Advisor

Buddy,

I too find the single layer approach easier to work with.
The rules are easier to create, and I feel less complexity.
Unfortunately, in my clients' environments many work with separate layers (1 layer for Firewall rules and another layer for APPC+URLF rules), so I am learning more about this scenario.

I understand, according to your comment, that if I modify the action of the "CLEANUP RULE" of the APPC+URLF layer from DROP to ACCEPT, the traffic will start to match my "explicit" rule (#1 of the APPC+URLF layer). Is this correct?

Note: Do you have a YouTube channel where I can see how you built your lab?

Thanks for your comments. 🙂

0 Kudos
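The rule that both Andy's reply ("traffic has to be accepted on EVERY ordered layer") and the question just above about switching the Cleanup rule to ACCEPT turn on is easy to see with a small model. The following is an added illustration written for this thread, not Check Point code and not the original poster's policy: it models first-match evaluation within a layer and the "every ordered layer must accept" rule across layers, then runs three constructed sample connections (a management SSH session to the gateway, a PC session categorised as Social Networking, and a PC session categorised as News) through the Network layer plus each of the three second-layer designs discussed here. Host names, rule names and the category assigned to each connection are assumptions; real categorisation depends on app identification and, as Chris noted, on the JHF level and HTTPS inspection, which this model does not attempt to reproduce.

```python
"""Toy model of ordered-layer policy evaluation (added illustration, not Check Point code).

Assumptions drawn from the thread, deliberately simplified:
- within a layer, rules are evaluated top to bottom and the first match is that layer's verdict;
- with ordered layers, a connection is allowed only if EVERY layer accepts it, so a drop in any
  layer is final;
- a Cleanup rule is just a last rule whose fields are all "any";
- the application/URL category of a connection is taken as given (real categorisation depends
  on app identification and, as noted in the thread, on the JHF level and HTTPS inspection).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "any"
Conn = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    app: str       # application/URL category, or ANY for a pure network rule
    action: str    # "accept" or "drop"

    def matches(self, conn: Conn) -> bool:
        wanted = (self.src, self.dst, self.service, self.app)
        actual = (conn["src"], conn["dst"], conn["service"], conn["app"])
        return all(w == ANY or w == a for w, a in zip(wanted, actual))


@dataclass
class Layer:
    name: str
    rules: List[Rule]

    def evaluate(self, conn: Conn) -> Tuple[str, str]:
        """First-match evaluation; an unmatched connection is dropped (implied cleanup)."""
        for rule in self.rules:
            if rule.matches(conn):
                return rule.action, rule.name
        return "drop", "implied-cleanup"


def evaluate_policy(layers: List[Layer], conn: Conn) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Ordered layers: stop at the first layer that drops; accept only if all layers accept."""
    trace = []
    for layer in layers:
        action, rule_name = layer.evaluate(conn)
        trace.append((layer.name, rule_name, action))
        if action == "drop":
            return "drop", trace
    return "accept", trace


# Constructed sample connections (hypothetical names, not taken from the thread's screenshots).
CONNS: Dict[str, Conn] = {
    "mgmt_ssh":  {"src": "mgmt", "dst": "gw", "service": "ssh", "app": ANY},
    "pc_social": {"src": "pc_gestion", "dst": "internet", "service": "https", "app": "Social Networking"},
    "pc_news":   {"src": "pc_gestion", "dst": "internet", "service": "https", "app": "News"},
}

NETWORK_LAYER = Layer("Network", [
    Rule("mgmt-to-gw", "mgmt", "gw", "ssh", ANY, "accept"),
    Rule("pc-to-internet", "pc_gestion", "internet", "https", ANY, "accept"),
    Rule("Cleanup", ANY, ANY, ANY, ANY, "drop"),
])

# Second-layer designs discussed in the thread.
APPC_DESIGNS: Dict[str, Layer] = {
    # Original design: one explicit rule for social networks, then a Cleanup drop.
    "whitelist_cleanup_drop": Layer("APPC+URLF", [
        Rule("social-networks", "pc_gestion", ANY, ANY, "Social Networking", "accept"),
        Rule("Cleanup", ANY, ANY, ANY, ANY, "drop"),
    ]),
    # The change asked about above: same rule, Cleanup switched to accept.
    "whitelist_cleanup_accept": Layer("APPC+URLF", [
        Rule("social-networks", "pc_gestion", ANY, ANY, "Social Networking", "accept"),
        Rule("Cleanup", ANY, ANY, ANY, ANY, "accept"),
    ]),
    # Blacklist design recommended in the replies: drop what must be blocked, any-any accept last.
    "blacklist": Layer("APPC+URLF", [
        Rule("block-social-networks", "pc_gestion", ANY, ANY, "Social Networking", "drop"),
        Rule("allow-rest", ANY, ANY, ANY, ANY, "accept"),
    ]),
}


def verdicts(design: str) -> Dict[str, str]:
    """Final verdict per sample connection for the Network layer + the chosen APPC+URLF layer."""
    layers = [NETWORK_LAYER, APPC_DESIGNS[design]]
    return {label: evaluate_policy(layers, conn)[0] for label, conn in CONNS.items()}


if __name__ == "__main__":
    for design in APPC_DESIGNS:
        print(design)
        for label, conn in CONNS.items():
            action, trace = evaluate_policy([NETWORK_LAYER, APPC_DESIGNS[design]], conn)
            print(f"  {label:10s} -> {action:6s} via {trace}")
```

Running it shows the three outcomes in one place: with the original design the social-network session does match rule #1, but the management SSH session and every other PC session are accepted by the Network layer and then hit the APPC+URLF Cleanup drop, which is the lost CLI access and lost MGMT Internet reported in the first post. Switching that Cleanup to ACCEPT does restore them, but the result is a layer that accepts everything, so nothing is actually being controlled. The blacklist layer is the only one of the three that keeps management traffic and ordinary browsing while dropping the social-network session.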
the_rock
Legend

I'm not a fancy guy with a YouTube channel, sorry haha. But I can show you the lab tomorrow. What time zone are you in?

0 Kudos
Matlu
Advisor

Hahaha

I understand, Buddy.

My time zone is UTC -5 (Lima/Bogota/Quito).

I am going to try, for the moment, to execute the last recommendation you gave me; this recommendation is to modify the ACTION of the "CLEANUP RULE" from DROP to ACCEPT in the APPC+URLF layer, right?

To see if the behavior I get is the one I want.

Thank you. 🙂

the_rock
Legend

I would stick with one layer then, with urlf and appc enabled; that's your best option.

0 Kudos
