Hello!
I've been putting together an application control rule for windows updates and I'm having difficulty understanding the cleanup rules. I have an Application Control in-line layer at the bottom of my Security policy (above the drop rule).
If the Implicit action for the layer is to drop, and the explicit cleanup rule is to drop, does that drop apply to ALL traffic, or only traffic that can be affected by the application control layer?
I ask this because it appears that when my cleanup rule (to drop) is enabled, the app control rule does not work. But when I disable the cleanup rule (and hence "unmatched traffic will be dropped and not logged"), things seem to start working.
I'm also worried that these cleanup rules might drop other non-app control destined traffic and affect how that is currently working.
Cheers!
Mark.
Better to use the App Control rule base to drop unwanted traffic without a cleanup rule. Please read the reference that sk73220: ATRG: Application Control has: "For Application Control optimization, please refer to Section (3-10) in sk98348 - Best Practices - Security Gateway Performance."
Thanks for the pointers!
Hey Mark,
I will share what I did for one customer a couple of years ago. Since they came to CP from a different vendor, they were always used to having an implicit cleanup rule at the bottom of the rule base, so when I showed them the CP best practice from the sk @G_W_Albrecht mentioned to you, they did not feel comfortable doing so, as it advises using a blacklist approach rather than a whitelist. This is because every ordered layer in the CP dashboard has to have traffic accepted, otherwise it won't work... To make a long story short, it means that an any-any allow would technically replace the implicit drop rule for this layer. Now, obviously, traffic that's dropped on the access layer won't get further checking on another ordered layer.
Now, in your case, here is what I suggest. What the client and I ended up doing was create a section towards the top of the rule base that had 5-6 rules specifically to address URL filtering/app control, and it works very well, no issues. Also, since they wanted to use HTTPS inspection, we created a few rules specifically for that in the HTTPS inspection policy, so users would receive the blocked page when going to a blocked category.
If you need help with it, message me privately and I would be happy to do a remote session and show you.
Cheers.
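The layer behaviour discussed in this thread (an inline layer's cleanup only touching traffic that matched its parent rule, every ordered layer needing an accept for traffic to pass, and the "short app-control section near the top" layout from the reply above), as an added example that is not part of the original posts or of Check Point's own code: a small Python model of first-match rule evaluation across ordered and inline layers. The model, the rule and object names ("Internal", "Internet", "DMZ", "Windows Update", "Gambling") and the three policies are all constructed for illustration; the implicit-cleanup and inline-layer scoping rules it encodes are stated as assumptions in the comments.

```python
# Added example, not from the CheckMates thread and not Check Point code: a simplified
# model of how access-policy layers match traffic. Assumptions of the model: every
# ordered layer and every inline layer ends with an implicit cleanup that drops
# unmatched traffic; an inline layer is entered only for traffic that matched its
# parent rule; traffic dropped in one ordered layer is not evaluated by later ordered
# layers. All object and rule names below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"

@dataclass
class Rule:
    name: str
    src: str = ANY
    dst: str = ANY
    svc: str = ANY                 # service or application, e.g. "Windows Update"
    action: str = "Accept"         # "Accept", "Drop", or "Inline"
    inline: Optional["Layer"] = None

@dataclass
class Layer:
    name: str
    rules: List[Rule]

@dataclass
class Flow:
    src: str
    dst: str
    svc: str

def _matches(rule: Rule, flow: Flow) -> bool:
    return all(want in (ANY, have) for want, have in
               ((rule.src, flow.src), (rule.dst, flow.dst), (rule.svc, flow.svc)))

def evaluate_layer(layer: Layer, flow: Flow, trace: List[str]) -> str:
    """First matching rule wins; no match means the layer's implicit cleanup drops."""
    for rule in layer.rules:
        if not _matches(rule, flow):
            continue
        if rule.action == "Inline":
            trace.append(f"{layer.name}/{rule.name}: parent matched, entering inline layer")
            return evaluate_layer(rule.inline, flow, trace)
        trace.append(f"{layer.name}/{rule.name}: {rule.action}")
        return rule.action
    trace.append(f"{layer.name}: no match, implicit cleanup -> Drop")
    return "Drop"

def evaluate_policy(layers: List[Layer], flow: Flow) -> Tuple[str, List[str]]:
    """Ordered layers: a flow must be accepted by every layer to pass."""
    trace: List[str] = []
    for layer in layers:
        if evaluate_layer(layer, flow, trace) == "Drop":
            return "Drop", trace
    return "Accept", trace

def verdict(layers: List[Layer], flow: Flow) -> str:
    return evaluate_policy(layers, flow)[0]

# Scenario 1: the poster's layout, an inline layer at the bottom of the security layer
# whose explicit cleanup drops. Only flows matching the parent rule reach that cleanup.
WINDOWS_UPDATE_INLINE = Layer("AppCtl-Inline", [
    Rule("Allow Windows Update", svc="Windows Update", action="Accept"),
    Rule("Inline cleanup", action="Drop"),
])
BOTTOM_INLINE_POLICY = [Layer("Network", [
    Rule("Internal to DMZ", src="Internal", dst="DMZ", svc="https", action="Accept"),
    Rule("Outbound apps", src="Internal", dst="Internet", action="Inline",
         inline=WINDOWS_UPDATE_INLINE),
    Rule("Cleanup", action="Drop"),
])]

# Scenario 2: the reply's approach, a short app-control section near the top of the
# same layer with no extra cleanup; the layer's own cleanup stays at the end.
TOP_SECTION_POLICY = [Layer("Network", [
    Rule("Allow Windows Update", src="Internal", dst="Internet", svc="Windows Update"),
    Rule("Block Gambling", src="Internal", dst="Internet", svc="Gambling", action="Drop"),
    Rule("Internal to DMZ", src="Internal", dst="DMZ", svc="https", action="Accept"),
    Rule("Web out", src="Internal", dst="Internet", svc="https", action="Accept"),
    Rule("Cleanup", action="Drop"),
])]

# Scenario 3: a second ordered layer holding only block rules. Without a final
# any-any accept, its implicit cleanup drops everything the first layer allowed.
def ordered_app_layer(with_final_accept: bool) -> List[Layer]:
    rules = [Rule("Block Gambling", svc="Gambling", action="Drop")]
    if with_final_accept:
        rules.append(Rule("Accept the rest", action="Accept"))
    return [
        Layer("Network", [Rule("Web out", src="Internal", dst="Internet", action="Accept"),
                          Rule("Cleanup", action="Drop")]),
        Layer("AppCtl-Ordered", rules),
    ]

if __name__ == "__main__":
    for name, layers in (("bottom inline", BOTTOM_INLINE_POLICY),
                         ("top section", TOP_SECTION_POLICY),
                         ("ordered, no accept", ordered_app_layer(False)),
                         ("ordered, with accept", ordered_app_layer(True))):
        for flow in (Flow("Internal", "Internet", "Windows Update"),
                     Flow("Internal", "Internet", "https"),
                     Flow("Internal", "DMZ", "https")):
            action, trace = evaluate_policy(layers, flow)
            print(f"[{name}] {flow.svc} -> {flow.dst}: {action}  ({'; '.join(trace)})")
```

Running it shows the point at issue in the question: with the inline layer at the bottom, plain HTTPS to the Internet matches the parent rule, enters the inline layer, misses the Windows Update rule and is dropped by the inline cleanup, while HTTPS to the DMZ never enters the inline layer and is unaffected. With the section-at-the-top layout, the same flows fall through to the ordinary rules, and the second ordered layer only passes traffic once it carries its own final accept.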