Enabling AppControl on Production/Live firewall

dmn · ‎2022-05-24

Hi

We have some CloudGuard firewalls managed using SmartConsole. We're paying the licensing for the Application Control and URL Filtering features but none of them have been enabled on the Gateways.

What are the implications if I just flick these features on on the gateways? Will they restart? Will the existing policies continue to work fine and I can start adding AppControl/URL policies? etc.

Thank you.

Sorin_Gogean · ‎2022-05-24

Hey,

You're good to set the AppControl blade enabled, no restart required.

After you enable that you might have to change your FWL Policy and add the App/URL Blade also.

When all this is done, push the policy to the GW so the blade becomes active, and after that start defining your rules 😄.

Thank you,

Tobias_Moritz · ‎2022-05-27

The only case I can think of, which creates problems when "justing ticking APPI/URLF blades on" is:

You have an Access Policy, which has an ordered Application layer in it. I saw this in environments, that were upgraded from R77.x to R80.x. somewhere in the past. APPI/URLF was never used there, but the conversion process by upgrading Firewall Management to R80 back in the days, created this legacy Application Control ordered layer in that Access Policy. It was not doing anything as long as APPI/URLF blades were not installed. After installing them, APPI started dropping traffic based on the one and only (I guess default) rule in that Application Layer.

It cannot be an inline layer with that feature or unified access policy, because SmartConsole would not let you upload that to a gateway which does not have these blades installed.

So just verify that your access Policy does not have an (legacy) Application layer and than you should be fine in activating these blades.

the_rock · ‎2022-05-27

Guys are correct, nothing will happen if you just enable the blade. Then install policy, no need to reboot. I would personally create another ordered layer just for app control/url filtering.

Andy

dmn · ‎2022-05-27

Thank you all for your input. I think these gateways started out on R80 so hopefully shouldn't run into that issue.

@the_rock wrote:
Guys are correct, nothing will happen if you just enable the blade. Then install policy, no need to reboot. I would personally create another ordered layer just for app control/url filtering.

Doesn't an Ordered Layer make managing policies much more difficult? Maybe I'm misunderstanding the documentation for it but having policies spread out across a few different pages on the SmartConsole seems a bit unintuitive. I find that way of managing Threat Prevention policies to be annoying. I've experience with other NGFWs and having those features as profiles you can apply to whichever policies you want and get them all in one place make managing things a lot easier.

the_rock · ‎2022-05-27

Well, depends on a person my friend : - ). I find it way easier, because you dont need to rumage through so many rules in same layer and plus, traffic is processed faster. Also, I find securexl handling works better with ordered layers as well. Now, if you dont have too many rules, then I would not bother, you can just enable app control and create inline layer or section for it in regular policy, thats what I did for one customer and works fine.

Andy

Are you a member of CheckMates?

Enabling AppControl on Production/Live firewall