This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mraybone
Explorer
‎2022-03-25 02:10 AM

Application Control Cleanup Rules...

Hello!

I've been putting together an application control rule for windows updates and I'm having difficulty understanding the cleanup rules.  I have an Application Control in-line layer at the bottom of my Security policy (above the drop rule).

If the Implicit action for the layer is to drop, and the explicit cleanup rule is to drop, does that drop apply to ALL traffic, or only traffic that can be affected by the application control layer?

I ask this because it appears that when my cleanup rule (to drop) is enabled, the app control rule does not work.  But when I disable the cleanup rule (and hence "unmatched traffic will be dropped and not logged"), things seem to start working.

I'm also worried that these cleanup rules might drop other non-app control destined traffic and affect how that is currently working.

Cheers!
Mark.

0 Kudos
3 Replies
G_W_Albrecht
Legend
Legend
‎2022-03-25 03:03 AM

Better use the App control rule base to drop unwanted traffic without clean up rule - please read the reference the sk73220: ATRG: Application Control has: For Application Control optimization, please refer to Section (3-10) in sk98348 - Best Practices - Security Gateway Performance.

CCSE CCTE SMB Specialist
0 Kudos
Mraybone
Explorer
‎2022-03-25 05:12 AM
In response to G_W_Albrecht

Thanks for the pointers!

0 Kudos
the_rock
Champion
Champion
‎2022-03-25 05:28 AM

Hey Mark,

 

I will share what I did for one customer couple of years ago. So, since they came from a different vendor to CP, they were always used to having implicit clean up rule at the bottom of the rule base, so when I showed them CP best practise for sk @G_W_Albrecht mentioned to you, they did not feel comfortable doing so, as it advises to use blacklist approach, rather than whitelist. This is because every ordered layer in CP dashboard has to have traffic accepted, otherwise it wont work...to make long story short, it means that any any allow would technically replace implicit drop rule for this layer. Now, obviously, for traffic thats dropped on access layer, it wont do further checking on another ordered layer.

Now, in your case, here is what I suggest. What client and I ended up doing was create a section towards the top of the rule base that had 5-6 rules specifically to address URL filtering/app control and it works very well, no issues. Also, since they wanted to use https inspection, we created few rules specifically for that in https inspection policy, so users would receive blocked page when going to blocked category.

If you need help with it, message me privately and I would be happy to do remote and show you.

Cheers.

0 Kudos