This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
elbrabra_94
Participant
‎2019-11-12 09:14 AM
Jump to solution

FW rules base on HTTP/HTTPS application without application control license

Hello,

 

We would like to create FW rules to only authorize HTTP and HTTPS traffic (without decrypt HTTPS traffic) regardless of the port used (standard or not). Is-it something feasible without Application control license?

 

Thank you very much for your feedback,

 

Regards

0 Kudos
2 Solutions

Accepted Solutions
mdjmcnally
Advisor
‎2019-11-28 07:07 AM
In response to elbrabra_94
Jump to solution

Unlike traditional solutions then Check Point Application Control/URL Filtering do not rely on having the database locally.

They instead have very limited cache at the Appliance level but then rely on connecting from the Gateway to the Cloud to do the categorization.

So in order for AppCtrl/URL to work then it needs to be able to connect to the Check Point Cloud to do the categorization.

 

IPS can have an offfline update but not the AppCtrl/URL

View solution in original post

PhoneBoy
Admin
Admin
‎2019-11-28 01:17 PM
In response to mdjmcnally
Jump to solution

App Control does have some local signatures.
However, the gateway must have Internet access to periodically update them.
This is per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

URL Filtering definitely requires Internet access...or a Private ThreatCloud appliance.
I believe App Control signatures can also be retrieved from a PTC appliance as well.

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2019-11-12 10:56 AM
Jump to solution

To determine whether traffic is "Web Browsing" or not requires Application Control.
With current licensing, this means at least an NGFW subscription.
0 Kudos
elbrabra_94
Participant
‎2019-11-27 07:40 AM
In response to PhoneBoy
Jump to solution

Thank you for your help, I get from Checkpoint a trial license for testing purposes.

But after that I had an issue. I activated application control & url filtering blade and create a rule to match web browsing traffic (With Any as services). The rule is not matched except if I remove Web browsing application and use instead Any.

Do you how can I troubleshoot this? I didn't find any documentation about application control troubleshooting part.

 

0 Kudos
mdjmcnally
Advisor
‎2019-11-27 10:28 AM
In response to elbrabra_94
Jump to solution

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

ATRG for Application Control

0 Kudos
elbrabra_94
Participant
‎2019-11-28 06:58 AM
In response to mdjmcnally
Jump to solution

Thank you very much,

Thanks to your sk links I think I found the issue explanation. Appi_status.C file show an empty value on variable

app_db_version () and I have this app_update_description :

"Update failed.  Gateway can not access internet ('https://secureupdates.checkpoint.com/appi/v4_0_1/gw/Version'). Check connectivity and proxy settings

 

I didn't understand internet access was also needed on Security Gateway, A proxy was only configured on the management server.

Is there any other way to get application dabatase update without configuring internet access on the gateway ? For example retrieving update from management instead ?

 

 

 

 

0 Kudos
mdjmcnally
Advisor
‎2019-11-28 07:07 AM
In response to elbrabra_94
Jump to solution

Unlike traditional solutions then Check Point Application Control/URL Filtering do not rely on having the database locally.

They instead have very limited cache at the Appliance level but then rely on connecting from the Gateway to the Cloud to do the categorization.

So in order for AppCtrl/URL to work then it needs to be able to connect to the Check Point Cloud to do the categorization.

 

IPS can have an offfline update but not the AppCtrl/URL

PhoneBoy
Admin
Admin
‎2019-11-28 01:17 PM
In response to mdjmcnally
Jump to solution

App Control does have some local signatures.
However, the gateway must have Internet access to periodically update them.
This is per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

URL Filtering definitely requires Internet access...or a Private ThreatCloud appliance.
I believe App Control signatures can also be retrieved from a PTC appliance as well.
elbrabra_94
Participant
‎2019-12-02 02:33 AM
In response to PhoneBoy
Jump to solution

Ok it's clear, thank you for your help

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events