This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dmn
Explorer
‎2022-05-24 08:47 AM

Enabling AppControl on Production/Live firewall

Hi

We have some CloudGuard firewalls managed using SmartConsole. We're paying the licensing for the Application Control and URL Filtering features but none of them have been enabled on the Gateways.

 

What are the implications if I just flick these features on on the gateways? Will they restart? Will the existing policies continue to work fine and I can start adding AppControl/URL policies? etc.

 

Thank you.

0 Kudos
5 Replies
Sorin_Gogean
Advisor
‎2022-05-24 12:54 PM

Hey, 

 

You're good to set the AppControl blade enabled, no restart required.

After you enable that you might have to change your FWL Policy and add the App/URL Blade also.

 

When all this is done, push the policy to the GW so the blade becomes active, and after that start defining your rules 😄.

 

Thank you,

Tobias_Moritz
Advisor
‎2022-05-27 07:38 AM

The only case I can think of, which creates problems when "justing ticking APPI/URLF blades on" is:

You have an Access Policy, which has an ordered Application layer in it. I saw this in environments, that were upgraded from R77.x to R80.x. somewhere in the past. APPI/URLF was never used there, but the conversion process by upgrading Firewall Management to R80 back in the days, created this legacy Application Control ordered layer in that Access Policy. It was not doing anything as long as APPI/URLF blades were not installed. After installing them, APPI started dropping traffic based on the one and only (I guess default) rule in that Application Layer.

It cannot be an inline layer with that feature or unified access policy, because SmartConsole would not let you upload that to a gateway which does not have these blades installed.

So just verify that your access Policy does not have an (legacy) Application layer and than you should be fine in activating these blades.

the_rock
Champion
Champion
‎2022-05-27 10:42 AM

Guys are correct, nothing will happen if you just enable the blade. Then install policy, no need to reboot. I would personally create another ordered layer just for app control/url filtering.

 

Andy

dmn
Explorer
‎2022-05-27 10:51 AM
In response to the_rock

Thank you all for your input. I think these gateways started out on  R80 so hopefully shouldn't run into that issue.

 

@the_rock wrote:

Guys are correct, nothing will happen if you just enable the blade. Then install policy, no need to reboot. I would personally create another ordered layer just for app control/url filtering.

Doesn't an Ordered Layer make managing policies much more difficult? Maybe I'm misunderstanding the documentation for it but having policies spread out across a few different pages on the SmartConsole seems a bit unintuitive. I find that way of managing Threat Prevention policies to be annoying. I've experience with other NGFWs and having those features as profiles you can apply to whichever policies you want and get them all in one place make managing things a lot easier.

0 Kudos
the_rock
Champion
Champion
‎2022-05-27 01:07 PM
In response to dmn

Well, depends on a person my friend : - ). I find it way easier, because you dont need to rumage through so many rules in same layer and plus, traffic is processed faster. Also, I find securexl handling works better with ordered layers as well. Now, if you dont have too many rules, then I would not bother, you can just enable app control and create inline layer or section for it in regular policy, thats what I did for one customer and works fine.

Andy

0 Kudos