How to enable URL filtering only for 1 rule
Hi Guys,
Currently the URL filtering blade is not enabled, and we would like to enable it. To minimize the impact, we are planning to apply URL filtering only to 1 generic rule.
On different firewalls we can enable this 'url filtering' profile on a per-rule basis. How do we do this on Check Point?
Is it possible to apply URL filtering only for 1 rule? And can we achieve this with an inline layer?
Thanks!
Please have a look at Creating Application Control and URL Filtering Rules, sk65124 - URL Filtering Blade FAQ and sk92743: ATRG: URL Filtering.
The use of either inline or ordered layers may be helpful here and is covered in the admin guides:
Hi Chris,
Thanks for the response. I have read the guide and it looks like an inline layer may achieve my requirement. I have a couple of questions:
- I do not have a test Check Point available to check the behavior. Do you know, if the 2.2 rule / inline cleanup rule action is allow, will it be evaluated again against the ordered layers, or is the rule matching done? (Please refer to the table below.)
- Below is a snippet from the admin guide. What is the reason to make sure the action is the same? What happens if I have application/URL in the ordered layer set to 'accept' but in the inline layer set to 'drop'?
Important - Always add an explicit Cleanup Rule at the end of each Inline Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.
No. | Type | Name | Source | Destination | VPN | Services & Applications | Content | Action
1 | | 192.168.1.0 | 192.168.1.0/24 | Any | Any | http | Any | Accept
2 | | 10.0.0.0/16 | 10.0.0.0/16 | Any | Any | http | Any | Accept
2.1 | | Inline Allow Whitelist URL | Any | Any | Any | [whitelisted-url] - custom application site object | Any | Accept
2.2 | | Inline Cleanup Rule | Any | Any | Any | Any | Any | Drop
3 | | Cleanup Rule | Any | Any | Any | Any | Any | Drop
Thanks
I am going to reply again; for some reason my previous reply is missing.
Hi @Chris_Atkinson, thank you for your response. I've looked at the admin guide and have a couple of queries below:
- Do you know what the reason is to put the same action as the implicit cleanup rule? (Refer to the snippet from the admin guide below.) What happens if I have the application/URL cleanup rule on the ordered layer configured to 'accept' but on the inline layer I set it to 'drop'?
- If my inline cleanup rule is set to 'accept', will it get evaluated again on the next ordered layer, or is the rule matching completed?
Below is the snippet from the admin guide:
Important - Always add an explicit Cleanup Rule at the end of each Inline Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.
Inline layers are a great way to test this.
What your implicit cleanup rule for the inline layer should be in this case depends on your goal.
Just know that if it hits an accept rule in the inline layer, the next ordered layer will be evaluated (if there is one).
Likewise, a drop in the inline layer (even if the implicit drop rule) means the connection will be dropped.
Hi @PhoneBoy
Thank you for your valuable input.
One last question that I have in mind, about the below:
'Just know that if it hits an accept rule in the inline layer, the next ordered layer will be evaluated (if there is one).'
What happens if those are the same? For example, I have 2 ordered layers: the 1st is firewall and the 2nd is application/URL.
If I create an application/URL inline layer on my firewall blade and it hits an accept rule in that inline layer, will it still be evaluated against the application/URL on the ordered layer?
Thanks!
If you use ordered layers, the packet must hit an accept rule in each layer, regardless of what blades are active in each layer.
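
The matching behaviour described in the replies above, as a simplified Python model. This is an added example, not Check Point code or anything posted in the thread; the reduced rule fields, the second "Application" ordered layer, the 10.0.9.0/24 subnet and the hostnames are constructed assumptions.

```python
import ipaddress

def matches(rule, conn):
    """Match on source network and URL only (other columns in the table are Any)."""
    src_ok = rule["src"] == "Any" or (
        ipaddress.ip_address(conn["src"]) in ipaddress.ip_network(rule["src"]))
    return src_ok and rule["url"] in ("Any", conn["url"])

def eval_layer(rules, conn):
    """First match wins. A list as the action models an inline layer: once the
    parent rule matches, the verdict comes from inside the inline layer."""
    for rule in rules:
        if matches(rule, conn):
            if isinstance(rule["action"], list):
                return eval_layer(rule["action"], conn)
            return rule["action"], rule["no"]
    return "Drop", "implicit cleanup"  # assumed implicit cleanup action

def eval_policy(ordered_layers, conn):
    """Accept only if every ordered layer accepts; a Drop ends evaluation."""
    trace = []
    for name, rules in ordered_layers:
        action, rule_no = eval_layer(rules, conn)
        trace.append((name, rule_no, action))
        if action == "Drop":
            return "Drop", trace
    return "Accept", trace

# Constructed policy: "Network" mirrors the table in the thread, "Application"
# is a hypothetical second ordered layer.
INLINE = [
    {"no": "2.1", "src": "Any", "url": "allowed.example", "action": "Accept"},
    {"no": "2.2", "src": "Any", "url": "Any", "action": "Drop"},
]
POLICY = [
    ("Network", [
        {"no": "1", "src": "192.168.1.0/24", "url": "Any", "action": "Accept"},
        {"no": "2", "src": "10.0.0.0/16", "url": "Any", "action": INLINE},
        {"no": "3", "src": "Any", "url": "Any", "action": "Drop"},
    ]),
    ("Application", [
        {"no": "1", "src": "10.0.9.0/24", "url": "Any", "action": "Drop"},
        {"no": "2", "src": "Any", "url": "Any", "action": "Accept"},
    ]),
]

if __name__ == "__main__":
    for src, url in [("10.0.1.5", "allowed.example"), ("10.0.1.5", "other.example"),
                     ("10.0.9.7", "allowed.example")]:
        print(src, url, eval_policy(POLICY, {"src": src, "url": url}))
```

The third sample connection is accepted by inline rule 2.1 and then dropped in the second ordered layer, which is the case the last question asks about.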
