Please advise on how the policies and rules created for IPS, DLP, AV, AB, APPC, URLF, etc. will behave should the client's subscription lapse.
The environment will continue to work, but these blades need updates from Check Point Cloud to download new signatures, site categories and solutions for malware and viruses, and that is only possible with a valid contract.
I hope this helps you.
The policies and rules will remain.
However, there will be no enforcement of that blade's security policy.
There is a grace period for some blades:
Policies & rules will work as expected, but new signatures/updates/categories will not be fetched for the particular blades.
Since now the policy could be unified, some objects, such as "Internet" from AppC may be present.
There are also default cleanup rules in AppC and URLF policies.
If, as Dameon states, there will be no enforcement of that blade's security policy, how will the rules containing objects from those policies be processed?
Specifically, in unified not-layered cases.
Another example of concern is a situation where there is a separate layer of AppC and URLF with an explicit rule permitting HTTPS and SSH access, for example to gateways, with the default implicit rule set to drop.
Which rule will end up being enforced once this subscription has expired?
Will it default to all open?
Please see Dameon's reply above yours: Existing protections will not continue to work after expiration of the grace period.
I.e., in the case of Application Control: "If a valid Application Control contract is not associated with a gateway, the blade will be disabled."
So, it is not only affecting new signatures, categories, etc.
A blade's relevant object defined on a layer while the blade's contract is expired will just not be matched (all of that blade's relevant rules will be filtered out).
Rule 1: Src: Any Dst: Any App: Skype Action: Drop
Rule 2: Src: Any Dst: Any App: Any Action: Accept
In case the Application Control contract is expired, rule 2 will always be matched.
Hope that clears things up.
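The filtering behaviour described in the reply above, as an added toy simulation that is not part of the thread or of any Check Point software: rules referencing objects of a blade without a valid contract are removed before first-match evaluation, so the Skype drop rule silently disappears and traffic falls through to rule 2, while a plain firewall rule for SSH to the gateway is unaffected. The rule fields, the contract names and the connection records are constructed for the demo; the mapping of App/Category fields to the APPC/URLF contracts is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str = "Any"
    dst: str = "Any"
    service: str = "Any"
    app: str = "Any"       # Application Control object; assumed to need an APPC contract
    category: str = "Any"  # URL Filtering category; assumed to need a URLF contract
    action: str = "Drop"

def blades_required(rule):
    """Blades whose contract the rule depends on (assumed mapping for this demo)."""
    needed = set()
    if rule.app != "Any":
        needed.add("APPC")
    if rule.category != "Any":
        needed.add("URLF")
    return needed

def effective_rules(rules, valid_contracts):
    """Filter out every rule that references an object of a blade without a valid contract."""
    return [r for r in rules if blades_required(r) <= set(valid_contracts)]

def _matches(rule, conn):
    fields = ("src", "dst", "service", "app", "category")
    return all(getattr(rule, f) in ("Any", conn[f]) for f in fields)

def first_match(rules, conn, valid_contracts):
    """First-match evaluation over the effective rulebase; no match means implicit cleanup drop."""
    for r in effective_rules(rules, valid_contracts):
        if _matches(r, conn):
            return r.name, r.action
    return "implicit cleanup", "Drop"

# Constructed rulebase: a plain firewall rule for SSH to the gateway, then the thread's rules 1 and 2.
RULEBASE = [
    Rule("mgmt", dst="gw-1", service="ssh", action="Accept"),
    Rule("rule 1", app="Skype", action="Drop"),
    Rule("rule 2", action="Accept"),
]
SKYPE = {"src": "Net_192.168.7.0", "dst": "Internet", "service": "https", "app": "Skype", "category": "Any"}
SSH = {"src": "Net_192.168.7.0", "dst": "gw-1", "service": "ssh", "app": "Any", "category": "Any"}

def demo():
    """Compare matching with and without a valid Application Control contract."""
    return {
        "skype_with_appc": first_match(RULEBASE, SKYPE, {"FW", "APPC"}),  # ('rule 1', 'Drop')
        "skype_expired": first_match(RULEBASE, SKYPE, {"FW"}),           # ('rule 2', 'Accept')
        "ssh_expired": first_match(RULEBASE, SSH, {"FW"}),               # ('mgmt', 'Accept')
    }
```

Running `demo()` shows the practical risk: an expired contract does not turn the Skype rule into a firewall drop, it removes it, and a permissive rule further down becomes the effective match.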
So, just to be clear, if you have these rules in unified policy:
1. I will lose WebUI and SSH access to the gateway
2. I will lose Internet access from Net_192.168.7.0
And if I have it in a sequentially processed App Control and URLF policy, will the same thing happen, unless I have duplicate rules in the Firewall policy allowing this traffic, but with the "Internet" object replaced with either "All-Internet", "ExternalZone" or "Any"?
HTTP and SSH do not rely on Application Control signatures, so will not be impacted by an expired App Control license.
The inline layer in your example does not contain any application. So you will not lose internet access.
The only thing you will lose in this example is the application logs for connections matching rule 10.1.
Please note that the inline layer shown contains a single App Control and URL Filtering blade.
If the blade's functionality is disabled after contract expiration, will these rules be treated as Firewall blade rules, or will the entire shebang stop working?
In particular, the "Internet" object depicted is only available when the App Control is activated.
They'll be treated as firewall rules.
It's entirely possible you'll also get an error when pushing policy in this situation.