This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Tip of the Week - Application Control Best Practices

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Val_
Admin
Admin
3 2 1,893
‎2019-01-07 03:49 AM

Working with Application Control Software Blade can be challenging sometimes. How to build an effective AC policy rules? What categories should be blocked unconditionally? How to deal with unknown applications? What about HTTPs inspection, is that required or not?

These and many other questions are answered in Best Practices - Application Control  SecureKnowledge article.

2 Comments
Vladimir
Champion
Champion
‎2019-01-07 03:53 PM

Valeri Loukine‌,

Can we get a definitive answer on where "Any Recognized" is now?

It is explicitly mentioned in this current SK:

Setting Your Policy for Unknown Traffic

"Unknown traffic" is non-HTTP traffic that does not match anything in your current application database. Logs for unknown traffic should be examined carefully to understand what is behind them. Traffic that results in such a log could be a product of a protocol that is not yet supported, anonymized traffic which uses a proprietary protocol, or even a mis-detected supported protocol or application.

As the options listed have either security or connectivity concerns (often both), report any missing protocol or misdetection directly to the Application Control team. In general, once the unknown traffic has been inspected and categorized correctly, it is recommended you block such traffic facing the Internet and continue to monitor internal traffic.

Note: Unknown traffic will be matched on rules containing "Any Recognized" in addition to specific rules.

But it is not available in R80.10 and R80.20 and I am not sure about future releases.

Additionally, the Note above does not seem to make sense. It is either "Unknown" or "Recognized".

Thank you,

Vladimir

0 Kudos
_Val_
Admin
Admin
‎2019-01-09 02:30 AM

Let me look into that