
Replace Proxy with Checkpoint Application Control and URL Filtering

Question asked by Alejandro Lansac on Oct 2, 2018
Latest reply on Oct 4, 2018 by Alejandro Lansac

I would like to replace our current Proxy with the Application Control and URL Filtering functionalities from Checkpoint Firewall. I have installed a Security Gateway to test, but I am experiencing some problems.

Requirements:

  • Non-Transparent Proxy
  • Integration with Identity Awareness
  • Each Group of users has access to a Group of URL Categories

Configuration

  • Checkpoint R80.10 With the following Blades: Firewall, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Identity Awareness and Content Awareness
  • The Security Gateway is configured as HTTP/HTTPS Proxy – Port 8080
  • There is a Rule to allow access from clients network to the Security gateway – Port 8080
  • Identity Awareness is configured with Identity collector and works fine.
  • A rule allows access from the clients network to a Group of URLs “Trusted Sites”
  • Some rules allow access from user access roles to some groups of Categories
  • In the Implied Policy, the option “Accept outgoing packets originating from Gateway” is configured as “Before last”

Behavior:

  • All Clients have access to all URLs.
  • In the Log I can see 2 connections: one from the client to the Security Gateway, port 8080, allowed, and the other one from the Security Gateway to the Internet, allowed by Implicit Rule 0. In the second rule there is no information about either the client IP or the client user.
  • When I disable the implicit rule that allows outgoing packets originating from the Gateway, the clients cannot access any URL.

There is probably something wrong in my design. Can the Security Gateway work as a Proxy and at the same time filter which URLs a group of Clients can use?
