MR1
Participant

How to enable URL filtering only for 1 rule

Hi Guys,

 

Currently the URL filtering blade is not enabled, and we would like to enable it. To minimize the impact, we are planning to apply URL filtering only to 1 generic rule.

On different firewalls we can enable this 'URL filtering' profile on a per-rule basis. How do we do this on Check Point?

Is it possible to apply URL filtering only for 1 rule? And can we achieve this with an inline layer?

 

Thanks!

0 Kudos
7 Replies
G_W_Albrecht
Legend

Chris_Atkinson
Employee

The use of either inline or ordered layers may be helpful here and is covered in the admin guides:

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuid...

MR1
Participant

Hi Chris,

Thanks for the response. I have read the guide and it looks like an inline layer may achieve my requirement. I have a couple of questions:

  • I do not have a test Check Point available to check the behavior. Do you know, if the action of rule 2.2 (the inline cleanup rule) is allow, will it be evaluated again against the ordered layers, or is the rule matching done? (Please refer to the table below.)
  • Below is a snippet from the admin guide. What is the reason to make sure the action is the same? What happens if I have application/URL in the ordered layer set to 'accept' but in the inline layer set to 'drop'?

Important - Always add an explicit Cleanup Rule at the end of each Inline Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.

 

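| No. | Type | Name | Source | Destination | VPN | Services & Applications | Content | Action |
|-----|------|------|--------|-------------|-----|-------------------------|---------|--------|
| 1 | | 192.168.1.0 | 192.168.1.0/24 | Any | Any | http | Any | Accept |
| 2 | | 10.0.0.0/16 | 10.0.0.0/16 | Any | Any | http | Any | Accept |
| 2.1 | Inline | Allow Whitelist URL | Any | Any | Any | [whitelisted-url] - custom application site object | Any | Accept |
| 2.2 | Inline | Cleanup Rule | Any | Any | Any | Any | Any | Drop |
| 3 | | Cleanup Rule | Any | Any | Any | Any | Any | Drop |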

 

Thanks

 

0 Kudos
MR1
Participant

I am going to reply again, for some reason my previous reply is missing.

Hi @Chris_Atkinson, thank you for your response. I've looked at the admin guide and have a couple of queries below:

  • Do you know what the reason is to put the same action as the implicit cleanup rule? (Refer to the snippet from the admin guide below.) What happens if I have the application/URL cleanup rule on the ordered layer configured to 'accept' but on the inline layer I set it to 'drop'?
  • If my inline cleanup rule is set to 'accept', will it get evaluated again on the next ordered layer, or is the rule matching completed?

Below is the snippet from the admin guide:

Important - Always add an explicit Cleanup Rule at the end of each Inline Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.

0 Kudos
PhoneBoy
Admin

Inline layers are a great way to test this.
What your implicit cleanup rule for the inline layer should be in this case depends on your goal.
Just know that if it hits an accept rule in the inline layer, the next ordered layer will be evaluated (if there is one).
Likewise, a drop in the inline layer (even if the implicit drop rule) means the connection will be dropped.

MR1
Participant

Hi @PhoneBoy 

 

Thank you for your valuable input.

One last question that I have in mind, about the below:

'Just know that if it hits an accept rule in the inline layer, the next ordered layer will be evaluated (if there is one).'

What happens if those are the same? For example, I have 2 ordered layers: the 1st is firewall and the 2nd is application/URL.

If I create an application/URL inline layer on my firewall blade and it hits an accept rule in that inline layer, will it still be evaluated against the application/URL on the ordered layer?

 

Thanks!

0 Kudos
PhoneBoy
Admin

If you use ordered layers, the packet must hit an accept rule in each layer, regardless of what blades are active in each layer.

0 Kudos
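
The evaluation order described in the replies above, as an added example that is not part of the original thread and is not Check Point code: a simplified first-match model in Python of the rulebase from the table, with rule 2 treated as the parent of the inline layer. The `SECOND` layer, the site names and the function names are assumptions made for illustration, and the implicit cleanup action is assumed to be Drop.

```python
from ipaddress import ip_address, ip_network

# Rulebase constructed from the table in the thread; "what" stands for the
# Services & Applications column. Rule 2 is the parent of the inline layer.
NETWORK = [
    {"src": "192.168.1.0/24", "what": "http", "action": "Accept"},      # rule 1
    {"src": "10.0.0.0/16", "what": "http", "inline": [                  # rule 2
        {"src": "Any", "what": "whitelisted-url", "action": "Accept"},  # rule 2.1
        {"src": "Any", "what": "Any", "action": "Drop"},                # rule 2.2
    ]},
    {"src": "Any", "what": "Any", "action": "Drop"},                    # rule 3
]
# Hypothetical second ordered layer, invented for this example only.
SECOND = [
    {"src": "10.0.9.0/24", "what": "Any", "action": "Drop"},
    {"src": "Any", "what": "Any", "action": "Accept"},
]

def matches(rule, conn):
    """Source must fall in the rule's network; 'what' may name the service or the site."""
    src_ok = rule["src"] == "Any" or ip_address(conn["src"]) in ip_network(rule["src"])
    return src_ok and rule["what"] in ("Any", conn["service"], conn["site"])

def eval_layer(rules, conn, implicit="Drop"):
    """First matching rule decides; a parent rule hands the decision to its inline layer."""
    for rule in rules:
        if matches(rule, conn):
            if "inline" in rule:
                return eval_layer(rule["inline"], conn, implicit)
            return rule["action"]
    return implicit  # implicit cleanup rule, assumed to be Drop

def eval_policy(ordered_layers, conn):
    """A connection is accepted only if every ordered layer accepts it."""
    for layer in ordered_layers:
        if eval_layer(layer, conn) != "Accept":
            return "Drop"
    return "Accept"

def conn(src, site):
    """Constructed sample connection; every sample uses the http service."""
    return {"src": src, "service": "http", "site": site}

if __name__ == "__main__":
    for c in (conn("192.168.1.10", "other-site"), conn("10.0.5.9", "whitelisted-url"),
              conn("10.0.5.9", "other-site"), conn("10.0.9.5", "whitelisted-url")):
        print(c["src"], c["site"], eval_policy([NETWORK], c), eval_policy([NETWORK, SECOND], c))
```

Traffic matching rule 1 never enters the inline layer, so the URL check applies only to rule 2, and an accept inside the inline layer can still be dropped by a later ordered layer.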