elbrabra_94
Participant

FW rules base on HTTP/HTTPS application without application control license

Hello,

We would like to create FW rules that only authorize HTTP and HTTPS traffic (without decrypting HTTPS traffic) regardless of the port used (standard or not). Is it something feasible without an Application Control license?

Thank you very much for your feedback,

Regards

7 Replies
PhoneBoy
Admin
Admin
To determine whether traffic is "Web Browsing" or not requires Application Control.
With current licensing, this means at least an NGFW subscription.
elbrabra_94
Participant

Thank you for your help, I got a trial license from Check Point for testing purposes.

But after that I had an issue. I activated the Application Control & URL Filtering blade and created a rule to match Web Browsing traffic (with Any as the service). The rule is not matched except if I remove the Web Browsing application and use Any instead.

Do you know how I can troubleshoot this? I didn't find any documentation about the Application Control troubleshooting part.
mdjmcnally
Advisor
elbrabra_94
Participant

Thank you very much,

Thanks to your SK links I think I found the explanation of the issue. The Appi_status.C file shows an empty value for the variable

app_db_version () and I have this app_update_description:

"Update failed.  Gateway can not access internet ('https://secureupdates.checkpoint.com/appi/v4_0_1/gw/Version'). Check connectivity and proxy settings

I didn't understand that internet access was also needed on the Security Gateway; a proxy was only configured on the management server.

Is there any other way to get application database updates without configuring internet access on the gateway? For example, retrieving the update from the management server instead?
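As an added example (not code from the thread or from Check Point), here is a small parser for the status fields the post above quotes: it reads the `:name (value)` layout that Check Point `.C` files use (the layout is an assumption, as is the sample file contents), reports whether the AppCtrl database is loaded, and extracts the update URL the gateway must be able to reach when it is not.

```python
"""Diagnose an Application Control update failure from an Appi_status.C-style file."""
import re

# Constructed sample in the ':key (value)' layout assumed for Check Point .C files.
# The field names and the failure message text are the ones quoted in the thread.
SAMPLE_APPI_STATUS = """(
    :app_db_version ()
    :app_update_status (failed)
    :app_update_description ("Update failed.  Gateway can not access internet ('https://secureupdates.checkpoint.com/appi/v4_0_1/gw/Version'). Check connectivity and proxy settings")
)
"""

# One ':name (value)' entry. The value is either a double-quoted string (which may
# itself contain parentheses, as the failure message does) or a bare token, possibly empty.
ENTRY_RE = re.compile(r':(\w+)\s*\(\s*(?:"((?:[^"\\]|\\.)*)"|([^)]*))\s*\)')

# A URL inside the description, stopping at the quote or parenthesis that closes it.
URL_RE = re.compile(r"https?://[^\s'\")]+")


def parse_status(text):
    """Return a dict of field name -> value; empty parentheses yield ''."""
    fields = {}
    for m in ENTRY_RE.finditer(text):
        name, quoted, bare = m.groups()
        fields[name] = quoted if quoted is not None else bare.strip()
    return fields


def diagnose(text):
    """Classify the AppCtrl database state and pull out the update URL, if any is named."""
    fields = parse_status(text)
    version = fields.get("app_db_version", "")
    description = fields.get("app_update_description", "")
    urls = URL_RE.findall(description)
    update_url = urls[0] if urls else None
    if version:
        # A non-empty version means a database is loaded; rules on Web Browsing can match.
        return {"state": "loaded", "db_version": version, "update_url": update_url}
    # No database: distinguish the connectivity failure seen in the thread from other causes.
    if "access internet" in description.lower():
        return {"state": "no_database_gateway_offline", "db_version": None, "update_url": update_url}
    return {"state": "no_database", "db_version": None, "update_url": update_url}


if __name__ == "__main__":
    print(diagnose(SAMPLE_APPI_STATUS))
```

Run it against the gateway's real status file to confirm the same two symptoms (empty `app_db_version`, connectivity failure in `app_update_description`) before changing proxy or access settings.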
mdjmcnally
Advisor

Unlike traditional solutions, Check Point Application Control/URL Filtering does not rely on having the database locally.

They instead have a very limited cache at the appliance level and rely on connecting from the Gateway to the Cloud to do the categorization.

So in order for AppCtrl/URL to work, it needs to be able to connect to the Check Point Cloud to do the categorization.

IPS can have an offline update, but not AppCtrl/URL.

PhoneBoy
Admin
Admin
App Control does have some local signatures.
However, the gateway must have Internet access to periodically update them.
This is per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

URL Filtering definitely requires Internet access... or a Private ThreatCloud appliance.
I believe App Control signatures can also be retrieved from a PTC appliance.
elbrabra_94
Participant

OK, it's clear, thank you for your help.