With R80.10 you can make a unified policy composed of services, applications and content in the same rule set. You can also segment your policy to inline layers based on different criterias. And each of those layers can include services, applications, content, or all three altogether.
The default identification for each application signature or application category is:
- Signature of the application's behavior
- Default running services (port + protocol inspection).
Most applications will only be inspected at the Web Browsing Services, while some applications, usually the VOIP ones, are identified by a different set of specific services.
You can see which services an application is inspected on by checking its editor:
To override the matched services, clone the application (because the out-of-the-box applications cannot be edited since they sit in a different domain that can only be updated by Check Point Update Service) and then change its Match Settings.
For the case of web applications, you can modify the default value for the "Web Browsing Services" by going to the Applications & URL Filtering settings.
Question: What about using applications and services in the "Services & Applications" cell in the rule?
- When placing service and application objects in the same rule, it acts as an OR. So for example, a rule with the HTTPS object and the Slack object will catch all traffic that runs on HTTPS (not just Slack) as well as all traffic relevant to the Slack application (in all of its "matched services" like the screenshots above).
- When installing policies that have Services and Applications in the same rule on pre-R80 gateways, the policy installation will fail since pre-R80 you could not make a unified policy.