Managing the Access Policy

In This Section:

Firewall Blade Control

Firewall Policy

Firewall Servers

Firewall NAT

Advanced - Creating and Editing NAT Rules

User Awareness Blade Control

QoS Blade Control

QoS Policy

SSL Inspection Policy

SSL Inspection Exceptions

SSL Inspection Advanced

This section describes how to set up and manage your Check Point Appliance access policy.

Firewall Blade Control

In the Access Policy > Firewall Blade Control page you can set the default Access Policy control level, set the default applications and URLs to block so that browsing is secure by default, and configure User Awareness.

The Access Policy is a set of rules that defines the security requirements for your appliance for incoming, internal, and outgoing traffic.

The Access Policy includes:

The Access Policy > Firewall Blade Control page lets you easily define the default policy for your organization. In addition, you can define and view the rule-based policy in the Access Policy > Firewall Policy page. Configurations in the Firewall Blade Control page are shown as automatically generated system rules at the bottom of the Rule Base. We recommend that you use the Access Policy > Firewall Policy page to define manual rules that are exceptions to the default policy defined in this page.

The Access Policy > Firewall Blade Control page defines the default policy for incoming, internal, and outgoing traffic to and from your organization. In addition, the Access Policy > Firewall Servers page lets you easily define the default access policy for specific servers within your organization; these server definitions also produce automatically generated system rules.

Firewall Policy

Select one of these options to set the default Access Policy:

Note - When the blade is managed by Cloud Services, a lock icon shows. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

To set specified outgoing services in a standard Firewall policy:

  1. When the Access Policy control level is set to Standard, click the all services link.
  2. Select Block all outgoing services except the following.
  3. Select which services to allow.
  4. To allow all services instead, select Allow all outgoing services.
  5. Click Apply.

To manually configure Access Policy rules:

Go to the Access Policy > Policy page.

In the Access Policy > Blade Control page:

Click Servers to see how many servers are defined in the appliance. If no servers are configured, click Add a server to add one. A server object is a defined IP address for which you can also define a specific access policy and, if necessary, incoming NAT rules (for example, port forwarding). The automatically generated access rules for servers are placed above the default policy rules and are shown in the Access Policy > Firewall Policy page, where you can also create exception rules for servers.

Applications & URL Filtering

The Applications & URL Filtering section lets you define how to handle applications and URL categories on traffic from your organization to the Internet.

Applications and URL Filtering are service-based features and require Internet connectivity to download the latest signature package for new applications and to contact the Check Point cloud for URL categorization. This page lets you define the default policy for Applications & URL Filtering control. We recommend that you keep the default, which blocks browsing to security risk categories and applications. You can also configure additional applications and categories to block by default according to your company's policy, and you can choose to limit bandwidth-consuming applications for better bandwidth control.

In addition to the On and Off buttons, you can select the URL Filtering Only mode. When you select this option, only URLs and custom applications defined by URLs are blocked. Predefined applications from the Application Database, whether initially installed on the appliance or added with automatic updates, are not blocked.

When you select the URL Filtering Only mode:

The default policy defined here is viewed as automatically generated rules in the bottom of the Outgoing traffic Rule Base in the Access Policy > Policy page.

Select one or more of these options:

Updates

As a service based feature, this page also shows you the update status:

To schedule updates:

  1. Hover over the icon next to the update status and select the Schedule Updates link.
  2. Select the blades for which to schedule updates. You must manually update the remaining blades when new update packages are available and a "not up to date" message is shown in the status bar at the bottom of the WebUI application.
  3. Select a Recurrence time frame:
    • Hourly - Enter the time interval for Every x hours.
    • Daily - Select the Time of day.
    • Weekly - Select the Day of week and Time of day.
    • Monthly - Select the Day of month and Time of day.
  4. Click Apply.

User Awareness

User Awareness lets you configure the Check Point Appliance to enforce access control for individual users and groups and show user-based logs instead of IP address based logs.

Initially, click Configure to set up how User Awareness recognizes users. When this is configured, you can see users in logs and also configure user based Access Policy rules. User recognition can be done seamlessly by the appliance using your organization's AD server. The user database and authentication are all done through the AD server. When a user logs in to the AD server, the appliance is notified. Users from the AD server can be used as the Source in Access Policy rules.

Alternatively or in addition, users can be defined locally, with a password, in the Users & Objects > Users page. For the appliance to recognize the traffic of those users, you must configure Browser-Based Authentication and the specific destinations for which users must identify themselves before access. Normally, Browser-Based Authentication is not used for all traffic but only for specific destinations, because it requires a manual login by the end user through a dedicated portal.

If User Awareness has been configured, the Enable User Awareness checkbox is shown. To disable User Awareness, clear the checkbox. To make changes to the configuration, click Edit settings.

At any time, you can also click Active Directory servers to define an AD server that the gateway can work with. Creating an AD server is also available in the Edit settings wizard.

Tracking

Select which traffic to log:

For blocked traffic

For allowed traffic

These settings apply to all the incoming and outgoing traffic blocked or accepted by the default Firewall and Applications & URL Filtering automatically generated rules.

These settings do not apply to automatically generated rules for VPN, DMZ, and wireless networks.

More Information

The Check Point Application Database contains more than 4,500 applications and about 96 million categorized URLs.

Each application has a description, a category, additional categories, and a risk level. You can include applications and categories in your Application Control and URL Filtering rules. If your appliance is licensed for the Application Control & URL Filtering blades, the database is updated regularly with new applications, categories and social networking widgets. This lets you easily create and maintain an up to date policy.

You can see the Application Database from:

Firewall Policy

In the Access Policy > Firewall Policy page you can manage the Firewall Access Policy Rule Base. You can create, edit, delete, enable or disable rules. In the Access Policy > Firewall Blade Control page you determine the basic firewall policy mode.

In Standard mode, this page shows you both automatically generated rules based on the configuration of your default policy and manually defined rules as exceptions to this default policy.

In Strict mode, all access is blocked by default and this page is the only way to configure access rules for your organization.

The Rule Base is divided into two sections. Each section represents a different security policy: how your organization browses to the Internet (the world outside your organization), and the security policy for access to your organization's resources (both from within and from outside your organization). At the top of the page there are three links that let you see both sections or only one of them.

Within each section there are these sections:

These are the fields that manage the rules for the Firewall Access Policy.

Rule Base Field

Description

No.

Rule number in the Firewall Rule Base.

Source

IP address, network object, or user group that initiates the connection.

Destination

IP address or network object that is the target of the connection.

Application

Applications or web sites that are accepted or blocked. You can filter the list by common applications, categories, custom defined applications, URLs or groups. For more information, see Managing Applications & URLs.

This field is only shown in the Outgoing access to the Internet section.

Service

Type of network service that is accepted or blocked.

Action

Firewall action that is done when traffic matches the rule.

For outgoing traffic rules, you can use the Customize messages option to configure "Ask" or "Inform" actions in addition to the regular Block or Accept actions.

The messages shown can be set for these action types: Accept and Inform, Block and Inform, or Ask. The Ask action lets the end user decide if this traffic is for work purposes or for personal use. See the Customize messages section below. Users are redirected to a portal that shows a message or question.

If a time range is set for the rule, a clock icon is shown.

Log

The tracking and logging action that is done when traffic matches the rule.

Comment /
Auto generated rule

Details shown immediately below the above fields for:

  • Comments you enter when you create a rule.
  • Rules that the system automatically generates. You can click the object name link in the comment to open its configuration tab.

The "Ask" action

The outgoing Rule Base gives the option to set an Ask action instead of just allow or block for browser based applications. There are several commonly used cases where this is helpful:

To create a new manually defined access rule:

  1. Click the arrow next to New. When the page shows both Rule Bases, click New in the appropriate table.
  2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

    The Add Rule window opens. It shows the rule fields in two ways:

    • A rule summary sentence with default values.
    • A table with the Rule Base fields.
  3. Click the links in the rule summary or the table cells to select the network objects or options that fill out the Rule Base fields. See the descriptions above.

    Note - The Application field is relevant only for outgoing rules.

    In the Source field, you can optionally select between entering a manual IP address (network), a network object, or user group (to configure a user based policy, make sure the User Awareness blade is activated). Users can be defined locally on the appliance or externally in an Active Directory. For more details, see the Access Policy > User Awareness Blade Control page.

  4. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in the Access Policy.
  5. To limit the rule to a certain time range, select Apply only during this time and select the start and end times.
  6. In outgoing rules, to limit the download traffic rate, select Limit download traffic of applications to and enter the Kbps rate.
  7. In outgoing rules, to limit the upload traffic rate, select Limit upload traffic of applications to and enter the Kbps rate.
  8. In incoming rules, to match only for encrypted VPN traffic, select Match only for encrypted traffic.
  9. Click Apply.

    The rule is added to the outgoing or incoming section of the Access Policy.

To clone a rule:

Clone a rule to add a rule that is almost the same as the one that already exists.

  1. Select a rule and click Clone.
  2. Edit the fields as necessary.
  3. Click Apply.

To edit a rule:

Note - For Access Policy rules, you can only edit the tracking options for automatically generated rules.

  1. Select a rule and click Edit.
  2. Edit the fields as necessary.
  3. Click Apply.

To delete a rule:

  1. Select a rule and click Delete.
  2. Click Yes in the confirmation message.

To enable or disable a rule:

  1. To disable a manually defined rule that you have added to the Rule Base, select the rule and click Disable.
  2. To enable a manually defined rule that you have previously disabled, select the rule and click Enable.

To change the rule order:

  1. Select the rule to move.
  2. Drag and drop it to the necessary position.

    Note - You can only change the order of manually defined rules.

Customize messages

You can customize messages to let the Security Gateway communicate with users. This helps users understand that some websites are against the company's security policy. It also tells users about the changing Internet policy for websites and applications. When you configure such messages, the user's Internet browser shows the messages in a new window when traffic is matched on a rule using one of the message related actions.

These are the Action options and their related notifications:

Rule Base action

Notifications

Accept and Inform

Shows an informative message to users. Users can continue to the application or cancel the request.

Block and Inform

Shows a message to users and blocks the application request.

Ask

Shows a message to users and asks them if they want to continue with the request or not. See above for more details.

To customize messages:

  1. Click Customize messages in the Outgoing access to the Internet section.
  2. Configure the options in each of these tabs:
    • Accept and Inform
    • Block and Inform
    • Ask
  3. Configure the applicable fields for each of the notifications:
    • Title - Keep the default or enter a different title.
    • Subject - Keep the default or enter a different subject.
    • Body - Keep the default or enter different body text. You can click Optional keywords for a list of keywords that you can add in the body text to give the user more information.
    • Ignore text (only for Ask) - This is the confirmation message for the Ask user message. Keep the default text or enter different text.
    • User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box for entering the reason.
    • Fallback action - Select the action (Block or Accept) to take when the notification cannot be shown in the browser or application that caused it, most notably for non-web applications. If the gateway determines that the notification cannot be shown, the behavior is:
      • If the Fallback action is Accept - The user can access the website or application.
      • If the Fallback action is Block - The Security Gateway tries to show the notification in the application that caused the notification. If it cannot, the website or application is blocked, and the user does not see a notification.
    • Frequency - You can set how often users get notifications for accessing applications that are not permitted by the policy. The options are:
      • Once a day
      • Once a week
      • Once a month

      For example, in a rule whose Application field contains the Social Networking category, if you select Once a day as the frequency, a user who accesses Facebook multiple times in a day gets one notification.

    • Redirect the user to URL - You can redirect the user to an external portal that is not on the gateway. In the URL field, enter the URL of the external portal. The external system can collect authentication credentials from the user, such as a user name and password, and send them to the gateway. Only applicable for the Block and Inform notification.
  4. Click the Customize tab to customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default.
  5. Click Apply.
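The evaluation order and notification fallback described on this page, worked through as an added example in Python (example code written for this page, not Check Point's own implementation): manual rules are evaluated before the automatically generated system rules, the first match wins, a rule with a time range matches only inside it, and a notification action (Ask, Accept and Inform, Block and Inform) drops to its configured Fallback action when the portal cannot be shown. The rule names, the fallback table, the assumption that only tcp/80 and tcp/443 traffic can show the portal, and the sample connections are all constructed for the example.

```python
"""First-match evaluation of an outgoing rule base (added example, not Check
Point code). Manual rules sit above the automatically generated system rules,
the first matching rule wins, a time range restricts when a rule matches, and
notification actions fall back to their Fallback action when the portal cannot
be shown. Rule names, FALLBACK, NOTIFY_SERVICES and the traffic are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                  # CIDR or "any"
    application: str             # application or category name, or "any"
    service: str                 # e.g. "tcp/443", or "any"
    action: str                  # accept | block | ask | accept_inform | block_inform
    start: Optional[str] = None  # "HH:MM": optional "Apply only during this time"
    end: Optional[str] = None
    auto_generated: bool = False


# Assumed Fallback action per notification type (set under Customize messages).
FALLBACK = {"accept_inform": "accept", "block_inform": "block", "ask": "block"}
# Assumption: only browser traffic can be redirected to the notification portal.
NOTIFY_SERVICES = {"tcp/80", "tcp/443"}


def in_time_range(rule: Rule, now: str) -> bool:
    """Zero-padded HH:MM strings compare correctly as text; handles ranges past midnight."""
    if rule.start is None or rule.end is None:
        return True
    if rule.start <= rule.end:
        return rule.start <= now <= rule.end
    return now >= rule.start or now <= rule.end


def rule_matches(rule: Rule, src: str, app: str, service: str, now: str) -> bool:
    return ((rule.source == "any" or ip_address(src) in ip_network(rule.source))
            and rule.application in ("any", app)
            and rule.service in ("any", service)
            and in_time_range(rule, now))


def build_rulebase(manual: list, system: list) -> list:
    """Manual exceptions first, then the rules generated from Blade Control settings."""
    if any(r.auto_generated for r in manual) or not all(r.auto_generated for r in system):
        raise ValueError("manual and system rules are mixed up")
    return manual + system


def evaluate(rulebase, src: str, app: str, service: str, now: str):
    """Return (rule name, effective action) for the first matching rule."""
    for rule in rulebase:
        if not rule_matches(rule, src, app, service, now):
            continue
        action = rule.action
        if action in FALLBACK and service not in NOTIFY_SERVICES:
            action = FALLBACK[action]          # portal cannot be shown: use the Fallback action
        elif action == "accept_inform":
            action = "accept"                  # message shown, user may continue
        elif action == "block_inform":
            action = "block"
        return rule.name, action
    return "implicit-cleanup", "block"          # nothing matched: drop


MANUAL = [
    Rule("ask-social-work-hours", "10.0.1.0/24", "Social Networking", "any", "ask", "09:00", "18:00"),
    Rule("allow-admin-ssh", "10.0.9.0/24", "any", "tcp/22", "accept"),
]
SYSTEM = [
    Rule("block-security-risk", "any", "Security Risk", "any", "block", auto_generated=True),
    Rule("block-ssh-by-default", "any", "any", "tcp/22", "block", auto_generated=True),
    Rule("default-accept", "any", "any", "any", "accept", auto_generated=True),
]
RULEBASE = build_rulebase(MANUAL, SYSTEM)

if __name__ == "__main__":
    for args in [("10.0.1.5", "Social Networking", "tcp/443", "12:00"),
                 ("10.0.1.5", "Social Networking", "tcp/443", "20:00"),
                 ("10.0.1.5", "Social Networking", "tcp/5222", "12:00"),
                 ("10.0.1.5", "SSH", "tcp/22", "12:00"),
                 ("10.0.9.7", "SSH", "tcp/22", "12:00")]:
        print(args, "->", evaluate(RULEBASE, *args))
```

Two things worth noticing when you run it: the same Social Networking connection that gets an Ask prompt over tcp/443 is silently blocked over a non-browser port, because the Ask portal cannot be shown and the Fallback action takes over; and the admin SSH exception only works because it is a manual rule placed above the system rule that blocks SSH by default.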

Firewall Servers

In the Servers page you can see a list of servers defined in your system. You can create, edit, delete or search for server objects. Server objects are network objects that are defined with their access and NAT (if applicable) policies.

New server objects are created using a wizard:

After you create a server, one or more corresponding rules are automatically generated, added to the Access Policy, and shown in the Access Policy > Firewall Policy page. The comment in the rule shows the object name. You can click the object name link in the comment to open the Access tab in the Server Properties.

An easier way to define server objects is by detecting them in the Home > Active Devices page and saving them as servers. For example, this option automatically detects the MAC address of the server making configuration easier.

During the wizard:

To create a new object:

Click New. The New Server Wizard opens and shows Step 1: Server Type.

Step 1: Server Type

  1. Select the server type. There are built-in types for common servers. You can manually define a server that listens on any configured ports, and you can also change a common server type's ports.
  2. When selecting built-in types, you can optionally click Edit to edit the protocol ports.
  3. When you select Other Server:
    • Select the Protocol (TCP, UDP, or both).
    • Enter the TCP/UDP Ports (enter port numbers and/or port ranges separated by commas, for example, 1,3,5-8,15).
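A parser for the port list format accepted by the Other Server type (single ports and ranges separated by commas, such as 1,3,5-8,15), added here as an example and not taken from the appliance's code. Validating the list before a server is exposed to All zones is worth the few lines: a typo such as a reversed range or a stray comma should be rejected, and the total number of opened ports is a useful sanity check. The 1-65535 limit and the merging of adjacent ranges are this example's assumptions.

```python
"""Parser for the TCP/UDP port list accepted by the 'Other Server' type
(single ports and ranges separated by commas, e.g. "1,3,5-8,15").
Added example, not Check Point code; the validation limits are assumptions."""
import re

_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_spec(spec: str) -> list:
    """Return sorted (low, high) ranges with overlapping and adjacent ranges merged.
    Raises ValueError for anything malformed or outside 1-65535."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"malformed port item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= 65535 or not 1 <= high <= 65535:
            raise ValueError(f"port outside 1-65535: {item!r}")
        if low > high:
            raise ValueError(f"range start after end: {item!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        prev_low, prev_high = merged[-1]
        if low <= prev_high + 1:                 # overlapping or adjacent: merge
            merged[-1] = (prev_low, max(prev_high, high))
        else:
            merged.append((low, high))
    return merged


def is_valid_port_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def port_matches(ranges, port: int) -> bool:
    """True when the port falls inside one of the parsed ranges."""
    return any(low <= port <= high for low, high in ranges)


def port_count(ranges) -> int:
    """How many ports the server object opens; check this before exposing it to All zones."""
    return sum(high - low + 1 for low, high in ranges)


if __name__ == "__main__":
    for spec in ("1,3,5-8,15", "443, 80, 8000-8010, 8005-8020", "8-5", "0,80", "80,"):
        print(repr(spec), "->", parse_port_spec(spec) if is_valid_port_spec(spec) else "rejected")
```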

Step 2: Server Definitions

  1. Enter a Name, IP address, and Comments (optional).
  2. Select the options that apply to the server. For more information see Users & Objects > Network Objects.
    • Allow DNS server to resolve this object name - When the gateway is the DNS server for your internal networks, the name of the server/network object is resolved to its IP address if this option is selected.
    • Exclude from DHCP service - The internal DHCP service will not distribute the configured IP address of this server/network object to anyone.
      • Reserve IP address in DHCP service for MAC - The internal DHCP service will distribute the configured IP address only to this server/network object according to its MAC address.
      • Enter the MAC address - This is required for IP reservation. When you create the object from the Active Devices page, the MAC address is detected automatically.

Step 3: Access

  1. Select the zones from which the server is accessible:
    • All zones (including the Internet) - Select this option to create a server that anyone from outside the organization can access. This option requires configuring how the server is accessible through NAT (in the next step).
    • Only trusted zones (my organization) - Select the applicable checkboxes. You can override these settings by adding manual access rules.
      • LAN - Physical internal networks.
      • Remote Access VPN users - Users that connect from their homes/mobile devices to the office.
      • Secure wireless networks - Password protected networks, not including guest networks.
      • DMZ - The network physically connected to the DMZ port when it is not used for a secondary Internet connection.
      • Remote VPN sites - Networks defined behind gateways to remote VPN sites.
  2. If you do not want the server to be accessible to pings, clear the Allow access to server in ICMP (ping) checkbox.
  3. Select the logging policy of traffic to the server:
    • Log blocked connections
    • Log accepted connections

Step 4: NAT (when server is accessible from the Internet)

Select the relevant option:

When you complete the wizard, the server is added to the list of servers on the page and the automatically generated access rules are added to the Access Policy > Firewall Policy Rule Base.

Note - This page is available from the Firewall and NAT sections on the Access Policy tab.

Firewall NAT

In the Access Policy > Firewall NAT page you can configure NAT for outgoing traffic and see how many servers are defined in the system. Servers are defined in the Access Policy > Servers page and are network objects configured with their access and NAT settings. This lets you configure servers that are accessible from the Internet even if they do not have a routable IP address. You can also configure servers with NAT settings from this page.

Note - 700 and 910 appliances support both IPv4 and IPv6 addresses.

To disable NAT for outgoing traffic (hide NAT):

By default, NAT is configured for outgoing traffic. If it is necessary to disable NAT, make sure Hide internal networks behind the Gateway's external IP address is set to OFF.

Important - In most cases, if you turn off the hide NAT feature, you cause Internet connectivity issues. If your appliance is your office's gateway to the Internet, DO NOT set this to off without consulting networking experts.

To configure a server that is routable from the Internet (server with NAT):

  1. Click New Server (forwarding rule).
  2. See the Access Policy > Servers page for instructions on how to use the server wizard.
  3. In the Access step of the server wizard, select one of the options when asked from where this server is accessible.
  4. In the NAT step of the server wizard, select the relevant option:
    • The gateway's external (public) IP address - This configures access through Port Forwarding. The appliance has an external routable IP address which is configured in its Internet connections (on the Device > Internet page). Traffic that arrives at the appliance's external IP address on the ports configured for the server object in step 1 of the wizard is forwarded to the server. This allows traffic from the Internet into the organization (public servers) while still using one external routable IP address.
    • A different (public) IP address - This configures access through Static NAT. If a routable IP address was purchased for the server, enter it in the address field. While the rest of the internal network is hidden behind the gateway's external IP address, this server uses its own publicly reachable IP address. Traffic to that IP address on the ports configured in step 1 of the wizard is forwarded to the server.
    • The server's configured IP address (x.x.x.x) is public - This option is only relevant if the Hide internal networks behind the Gateway's external IP address checkbox in the Access Policy > NAT Control page is cleared (see above for details). It means that no NAT rules are created for the server.
  5. When you have multiple internal servers that use the same port, select Redirect from port and enter a different port number that is used when you access this server from the Internet. Traffic to the server on the port you entered is forwarded to the server's configured port.
  6. By default, the Force translated traffic to return to the gateway checkbox is selected. This lets hosts on the internal networks reach the server through its external (public) IP address even though client and server share the local switch: the source of such connections is translated to "This Gateway", so the server's reply goes back to the gateway, which reverses the translation before returning it to the client. When the checkbox is cleared, the source stays "Any" and is not translated; the server then answers the internal client directly over the switch, bypassing the gateway, and access from the internal network to the external IP address does not work.
  7. Click Finish.

After you create a server with NAT settings, one or more corresponding rules are automatically generated and added to the NAT rules under the Auto Generated Forwarding Rules section. Click View NAT rules to see them. The comment in the rule shows the server object name. You can click the object name link to open the Access tab of the server's properties or click the Servers page link to go to the Firewall Servers page.

Advanced - Manual NAT Rules

Note - For the majority of cases, manual NAT rules are not necessary. There is no need to use this option unless you are an experienced network administrator.

A more advanced way to configure address translation is by defining manual NAT rules. If servers with NAT are configured, the manual NAT rules do not apply to them. However, they apply even when Hide NAT is activated.

These are the fields that manage the NAT rules.

Rule Base Field

Description

Original Source

The network object (a specified IP address) or network group object (a specified IP address range) that is the original source of the connections to translate.

Original Destination

The network object (a specified IP address) or network group object (a specified IP address range) that is the original destination of the connections to translate.

Original Service

The original service used for the connections to translate.

Translated Source

The network object or network group object that is the new source to which the original source is translated.

Translated Destination

The network object or network group object that is the new destination to which the original destination is translated.

Translated Service

The new service to which the original service is translated.

To create a new NAT rule:

  1. If the NAT rules table is not shown on the page, click the View NAT rules link.
  2. Click the arrow next to New.
  3. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

    The Add Manual NAT Rule window opens. It shows the rule fields in two ways:

    • A rule summary sentence with default values.
    • A table with the Rule Base fields.
  4. Click the links in the rule summary or the table cells to select network objects or options that fill out the Rule Base fields. See the descriptions above.
  5. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in NAT Manual Rules.
  6. Select the Hide multiple sources behind the translated source addresses if you want the original source to contain multiple IP addresses, IP ranges, networks, etc. and the translated source to be a single IP address.

    When this option is not selected, you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source. This rule does the IP address translation from one range to another, respectively (the first IP in the first range is translated to the first IP in the second range, and so on).

  7. Select Serve as an ARP Proxy for the original destination's IP address for the gateway to reply to ARP requests sent to the original destination's IP address. This is needed when the original destination is an address on the gateway's external subnet that is not assigned to any of its interfaces; without proxy ARP, the upstream router cannot resolve that address and the traffic never reaches the gateway. Note that this does not apply to IP ranges or networks.
  8. Click Apply.
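A simplified model of the translations described in the server wizard's NAT step (port forwarding to the gateway's external address with Redirect from port, static NAT to a dedicated public address, and the effect of Force translated traffic to return to the gateway) and in the manual NAT rule options (hide NAT of many sources behind one address versus one-to-one translation of two equal-size ranges). This is an added example written for this page, not Check Point's NAT implementation; all addresses, rule names and the internal network 10.0.0.0/16 are assumptions, and rule order follows the page: forwarding rules are matched before hide NAT.

```python
"""Simplified model of the NAT behaviours this page describes (added example,
not Check Point code): port forwarding with 'Redirect from port', static NAT,
hide NAT, one-to-one range translation, and what 'Force translated traffic to
return to the gateway' changes for internal clients. All values are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Optional

INTERNAL = "10.0.0.0/16"        # assumed LAN behind the gateway
GATEWAY_EXT = "203.0.113.1"     # assumed external (public) IP of the gateway
GATEWAY_INT = "10.0.0.1"        # assumed internal IP of the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str = "any"             # single IP, CIDR, "first-last" range, or "any"
    orig_dst: str = "any"
    orig_dport: Optional[int] = None  # None = any port
    xlate_src: Optional[str] = None   # None = leave unchanged
    xlate_dst: Optional[str] = None
    xlate_dport: Optional[int] = None
    hide: bool = False                # many sources behind one translated source
    force_return: bool = False        # internal clients are re-sourced to the gateway


def _hosts(spec: str) -> list:
    """Expand a single IP, CIDR or 'first-last' range into address objects, in order."""
    if "-" in spec:
        first, last = (ip_address(s.strip()) for s in spec.split("-"))
        return [a for net in summarize_address_range(first, last) for a in net]
    net = ip_network(spec, strict=False)
    return list(net) if net.num_addresses <= 2 else list(net.hosts())


def _contains(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if "-" in spec:
        return ip_address(addr) in _hosts(spec)
    return ip_address(addr) in ip_network(spec, strict=False)


def same_size(orig: str, xlate: str) -> bool:
    """One-to-one translation needs ranges of equal size; otherwise use hide NAT."""
    return len(_hosts(orig)) == len(_hosts(xlate))


def one_to_one(orig: str, xlate: str, addr: str) -> str:
    """Map the i-th address of the original range to the i-th of the translated one."""
    if not same_size(orig, xlate):
        raise ValueError(f"{orig} and {xlate} differ in size")
    o, x = _hosts(orig), _hosts(xlate)
    return str(x[o.index(ip_address(addr))])


def translate(rules, pkt: Packet):
    """Apply the first matching rule; returns (rule name or None, translated packet)."""
    for r in rules:
        if r.orig_dport is not None and pkt.dport != r.orig_dport:
            continue
        if not (_contains(r.orig_src, pkt.src) and _contains(r.orig_dst, pkt.dst)):
            continue
        src, dst, dport = pkt.src, pkt.dst, pkt.dport
        if r.xlate_src is not None:
            src = r.xlate_src if r.hide else one_to_one(r.orig_src, r.xlate_src, pkt.src)
        if r.xlate_dst is not None:
            dst = one_to_one(r.orig_dst, r.xlate_dst, pkt.dst)
        if r.xlate_dport is not None:
            dport = r.xlate_dport
        if r.force_return and _contains(INTERNAL, pkt.src):
            src = GATEWAY_INT          # reply must come back through the gateway
        return r.name, Packet(src, dst, dport)
    return None, pkt


def reply_bypasses_gateway(orig: Packet, xl: Packet) -> bool:
    """True when an internal client reached an internal server through its public
    address but the source was left untouched: the server answers the client
    directly over the switch, the reverse translation never happens, and the
    client discards a reply that comes from the wrong address."""
    return (_contains(INTERNAL, orig.src) and _contains(INTERNAL, xl.dst)
            and xl.dst != orig.dst and xl.src == orig.src)


RULES = [   # forwarding/static rules first, hide NAT last, as on the NAT page
    NatRule("web-fwd", orig_dst=GATEWAY_EXT, orig_dport=8443,   # Redirect from port 8443
            xlate_dst="10.0.2.50", xlate_dport=443, force_return=True),
    NatRule("mail-static", orig_dst="203.0.113.10", xlate_dst="10.0.2.60"),
    NatRule("branch-1to1", orig_src="10.0.5.10-10.0.5.19",
            xlate_src="198.51.100.10-198.51.100.19"),
    NatRule("hide-lan", orig_src=INTERNAL, xlate_src=GATEWAY_EXT, hide=True),
]

if __name__ == "__main__":
    for p in [Packet("198.51.100.7", GATEWAY_EXT, 8443), Packet("10.0.1.5", GATEWAY_EXT, 8443),
              Packet("198.51.100.7", "203.0.113.10", 25), Packet("10.0.5.13", "8.8.8.8", 53),
              Packet("10.0.1.5", "8.8.8.8", 53)]:
        print(p, "->", translate(RULES, p))
```

The model is deliberately stateless (no connection table, no reverse translation of replies), which is enough to show the two points practitioners most often get wrong: a range-to-range rule only works when both ranges have the same size, and an internal client reaching a forwarded server through the public address needs its source rewritten, or the server's reply never passes back through the gateway.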

After you create a manual rule, it is added to the NAT rules table under the Manual NAT Rules section.

To edit a rule:

Note for Access Policy rules - you can only edit the tracking options for automatically generated rules.

  1. Select a rule and click Edit.
  2. Edit the fields as necessary.
  3. Click Apply.

To delete a rule:

  1. Select a rule and click Delete.
  2. Click Yes in the confirmation message.

To enable or disable a rule:

  1. To disable a manually defined rule that you have added to the rule base, select the rule and click Disable.
  2. To enable a manually defined rule that you have previously disabled, select the rule and click Enable.

To change the rule order:

Note - You can only change the order of manually defined rules.

  1. Select the rule to move.
  2. Drag and drop it to the necessary position.

Advanced - Creating and Editing NAT Rules

In the Access Policy > NAT Manual Rules page you can create and edit custom NAT rules. If servers with NAT are configured the manual NAT rules do not apply to them. However, they do apply even when Hide NAT is activated.

Note - For the majority of cases, manual NAT rules are not necessary. There is no need to use this option unless you are an experienced network administrator. See the Access Policy > NAT Control page for the commonly used options.

These are the fields that manage the NAT rules.

Rule Base Field

Description

Original Source

The network object (a specified IP address) or network group object (a specified IP address range) that is the original source of the connections to translate.

Original Destination

The network object (a specified IP address) or network group object (a specified IP address range) that is the original destination of the connections to translate.

Original Service

The original service used for the connections to translate.

Translated Source

The network object or network group object that is the new source to which the original source is translated.

Translated Destination

The network object or network group object that is the new destination to which the original destination is translated.

Translated Service

The new service to which the original service is translated.

To create a new NAT rule:

  1. Click the arrow next to New.
  2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

    The Add Rule window opens. It shows the rule fields in two ways:

    • A rule summary sentence with default values.
    • A table with the Rule Base fields.
  3. Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.
  4. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in NAT Manual Rules.
  5. Select Hide multiple sources behind the translated source address(es) if you want the original source to contain multiple IP addresses, IP ranges, networks, etc. and the translated source to be a single IP address.

    When this option is not selected, you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source. This rule does the IP address translation from one range to another, respectively (the first IP in the first range is translated to the first IP in the second range, etc.).

  6. Click Apply.

To edit a rule:

Note for Access Policy rules - you can only edit the tracking options for automatically generated rules.

  1. Select a rule and click Edit.
  2. Edit the fields as necessary.
  3. Click Apply.

To delete a rule:

  1. Select a rule and click Delete.
  2. Click Yes in the confirmation message.

To enable or disable a rule:

  1. To disable a manually defined rule that you have added to the Rule Base, select the rule and click Disable.
  2. To enable a manually defined rule that you have previously disabled, select the rule and click Enable.

To change the rule order:

  1. Select the rule to move.
  2. Drag and drop it to the necessary position.

Note - You can only change the order of manually defined rules.

User Awareness Blade Control

In the User Awareness page you can turn the blade on or off and use the configuration wizard to configure the sources from which user identities are obtained, for logging and for user-based policy rules.

User Awareness lets you configure the Check Point Appliance to show user based logs instead of IP address based logs and enforce access control for individual users and user groups.

To use User Awareness, you must configure identification methods to get information about users and user groups. After the gateway acquires the identity of a user, user-based rules can be enforced on the network traffic in the Access Policy.

User Awareness can use these sources to identify users:

AD Query

The Check Point Appliance registers to receive security event logs from the AD domain controllers when the security policy is installed. This requires administrator privileges for the AD server. When a user authenticates with AD credentials, these event logs are generated and are sent to the Security Gateway. The Check Point Appliance can then identify the user based on the AD security event log.
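A toy version of the IP-to-user mapping that AD Query builds from the security event log, added here as an example to show what the mechanism depends on; it is not Check Point's implementation. The event lines are constructed for this example in a simplified key=value form (not real Windows log output), and the 8-hour idle timeout and the filters are assumptions. It shows why such a mapping must ignore machine-account and local logons (they name no person at that IP), why a logoff event cannot clear a mapping (it carries no client address, so the entry lives until it is replaced or times out), and where an unidentified address falls through to Browser-Based Authentication.

```python
"""Toy identity map built from AD security event log entries (added example,
not Check Point code). A logon event names the user and the client IP, so the
gateway can map that IP to a user for user-based rules and logs. Event lines
are constructed in a simplified key=value form; timeout and filters are assumed."""
from typing import Optional

LOGON_EVENT_ID = "4624"    # Windows: an account was successfully logged on
IDLE_TIMEOUT = 8 * 3600    # assumed: forget a mapping 8 hours after the last logon

# Constructed sample events. TimeCreated is plain seconds for simplicity.
SAMPLE_EVENTS = [
    "TimeCreated=1000 EventID=4624 TargetUserName=alice TargetDomainName=CORP IpAddress=10.0.1.5",
    "TimeCreated=1005 EventID=4624 TargetUserName=WS17$ TargetDomainName=CORP IpAddress=10.0.1.7",
    "TimeCreated=1010 EventID=4624 TargetUserName=dcadmin TargetDomainName=CORP IpAddress=127.0.0.1",
    "TimeCreated=1100 EventID=4624 TargetUserName=carol TargetDomainName=CORP IpAddress=10.0.1.9",
    "TimeCreated=1200 EventID=4634 TargetUserName=alice TargetDomainName=CORP",
    "TimeCreated=1300 EventID=4624 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.1.5",
]


def parse_event(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def update_identities(identities: dict, line: str) -> dict:
    """Record ip -> (DOMAIN\\user, logon time) from one event; newer logons replace older ones."""
    ev = parse_event(line)
    if ev.get("EventID") != LOGON_EVENT_ID:
        return identities                  # logoff and other events carry no usable client IP
    user, ip = ev.get("TargetUserName", ""), ev.get("IpAddress", "")
    if user.endswith("$") or ip in ("", "-", "127.0.0.1", "::1"):
        return identities                  # machine accounts and local logons identify no person
    identities[ip] = (f"{ev.get('TargetDomainName', '')}\\{user}", int(ev["TimeCreated"]))
    return identities


def build_identities(lines) -> dict:
    identities: dict = {}
    for line in lines:
        update_identities(identities, line)
    return identities


def identify(identities: dict, ip: str, now: int) -> Optional[str]:
    """User behind an IP, or None when unidentified (a Browser-Based Authentication case)."""
    entry = identities.get(ip)
    if entry is None or now - entry[1] > IDLE_TIMEOUT:
        return None
    return entry[0]


if __name__ == "__main__":
    ids = build_identities(SAMPLE_EVENTS)
    for ip in ("10.0.1.5", "10.0.1.7", "10.0.1.9"):
        print(ip, "->", identify(ids, ip, 1400))
```

Note that 10.0.1.5 ends up attributed to bob, not alice, because the later logon from the same address wins; on shared workstations, terminal servers or NAT'd segments this is exactly where log-based identity becomes unreliable and a portal login is the safer source.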

Browser-Based Authentication

Browser-Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This method identifies locally defined users or users that were not successfully identified by other methods. You can configure Browser-Based Authentication to appear for all traffic, but because this method of identification is not seamless to end users, it is commonly configured to appear only when users access specific network resources or the Internet, to avoid the overhead required from end users when they identify themselves. For traffic that is not HTTP based, you can also configure that all unidentified users are blocked from accessing the configured resources or the Internet until they first identify themselves through Browser-Based Authentication.

To turn User Awareness on or off:

Select the On or Off option.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

Use the User Awareness configuration wizard to enable and configure the blade. You can configure the basic details of the identity sources. After initial configuration, you can select the Active Directory Queries or Browser-Based Authentication checkboxes under Policy Configuration and click Configure to configure more advanced settings.

To configure User Awareness with the wizard:

  1. Click the configuration wizard link.

    The User Awareness Wizard opens.

  2. Select one or more user identification methods (see above for descriptions of methods) and click Next.

For Active Directory Queries:

If you have an existing Active Directory server, click Use existing Active Directory servers.

To define a new Active Directory server:

  1. Click Define a new Active Directory server.
  2. Enter the Domain, IP address, User name, Password, and User DN. For the User DN, click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually.
  3. You can optionally select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory. In Branch, enter the branch name.
  4. Click Next.

For Browser-Based Authentication:

  1. To block access for unauthenticated users when the portal is not available, select Block unauthenticated users when the captive portal is not applicable. This configuration option forces users using non-HTTP traffic to log in first through Browser-Based Authentication.
  2. Select whether unidentified users are redirected to the captive portal for All traffic or Specific destinations. In most cases, All traffic is not used because redirecting all traffic is not a seamless identification method.
  3. Under Specific destinations, select Internet or Selected network objects. If you select Selected network objects, select the objects from the list or create new objects.
  4. Click Finish.

To edit settings and configure portal customization for Browser-Based Authentication:

  1. Under Policy Configuration, select Browser-Based Authentication and click Configure.
  2. In the Identification tab, you can edit settings configured in the wizard if necessary.
  3. In the Customization tab, select the relevant options:
    • Users must agree to the following conditions - You can require that users agree to legal conditions. In the text box, enter the conditions that are shown to the user.
    • Upload - Lets you upload a company logo. Browse to the logo file and click Apply. The logo is shown in the Displayed Logo section.
    • Use Default - Uses the default logo.
  4. In the Advanced tab:
    • Portal Address - Keep the default setting, which is the address on which the Captive Portal runs on the Check Point Appliance, or enter a different portal address.
    • Session timeout - Sets how long an authenticated user can access the network or Internet before they have to authenticate again.
    • Enable Unregistered guests login - Allows an unregistered guest user to be identified in the logs by name and not only by IP address. An unregistered user is an unmanaged non-AD user, typically a partner or a contractor. To gain access, guests enter their company name, email address, phone number (optional), and name.

      Configure the Guest Session timeout. This is the number of minutes for which a guest user can access network resources. The default timeout is 180 minutes.

      Guest access is logged. The name of the guest shows in the User column of the Logs and Monitoring tab. The other details show in the full log entry.

    • Force quick cache timeout if user closes portal window - When the portal is closed, the user is logged out.
  5. Click Apply.

Note - This page is available from Access Policy > User Awareness Blade Control and Users & Objects > User Awareness.

QoS Blade Control

In the Access Policy > QoS Blade Control page you can activate QoS, define the QoS default policy, and add manual rules.

The QoS (bandwidth control) policy is a set of rules that lets you set bandwidth parameters to control the flow of communication to and from your network. These rules make sure that important traffic is prioritized so your business can work with minimum disruption when there is network congestion.

QoS can be activated on Internet connections and requires at least one Internet connection to be configured with the maximum download and/or upload speeds provided by your ISP. For more information about your download and upload speeds, contact your local ISP.

This page lets you configure a default simplified QoS policy. You can configure a more advanced policy in the Access Policy > QoS Policy page.

QoS policy applies to traffic over external interfaces only.

QoS

Select one of the options to set the Access Policy control level:

QoS default policy

Select the options for your default QoS policy. Alternatively, you can define your entire QoS policy through the Access Policy > QoS Policy page by clearing all of the checkboxes on this page.

To add a guaranteed service to the default policy:

  1. Select the Guarantee X% of the bandwidth to X traffic on all/selected services option and click the services link.

    The Edit guaranteed services window opens.

  2. Select Selected services.
  3. Click Select to show the full list of available services and select the relevant checkboxes.
  4. Click New if the existing list does not contain the service you need. For information on creating a new service, see the Users & Objects > Services page.
  5. Click Apply.

QoS Policy

In the Access Policy > QoS Policy page you can manage the QoS default policy and add manual rules if necessary.

The top of the page shows information about these limits:

You can view the QoS Policy Rule Base on this page. For each rule, you see these fields:

  • No. - Rule number in the QoS policy.
  • Source - Network object that starts the connection.
  • Destination - Network object that completes the connection.
  • Service - Type of network service for which bandwidth is adjusted based on weight, limit, and guarantee.
  • Guarantee/Limit - Lets you set a percentage that limits the bandwidth rate of traffic and/or guarantees the minimum bandwidth for traffic. Another option is to mark the traffic as low latency. This guarantees that it is prioritized accordingly.
  • Weight - The unit used to divide available bandwidth when traffic exceeds the maximum bandwidth configured for the Internet connection. See below.
  • Track - The tracking and logging action that is done when traffic matches the rule.
  • Comment - An optional field that shows a comment if you entered one. For system generated rules of the default policy, a Note is shown.

Weight

QoS divides available bandwidth across the QoS policy rules based on weight. Using weights instead of fixed percentages lets the QoS engine allocate bandwidth flexibly, according to the traffic that is actually present when the maximum bandwidth is exceeded. This maximizes the usage of the bandwidth.

For example, in an organization, Web traffic is deemed three times as important as FTP traffic. Rules with these services are assigned weights of 30 and 10 respectively. If the lines are congested, QoS keeps the ratio of bandwidth allocated to Web traffic and FTP traffic at 3 to 1.

You can set options for the default policy or you can manually define rules for the QoS policy. If a rule does not use all of its bandwidth, the leftover bandwidth is divided among the remaining rules based on their relative weights. In the above example, if only one Web and one FTP connection are active and they compete, the Web connection receives 75% (30/40) of the leftover bandwidth, and the FTP connection receives 25% (10/40) of the leftover bandwidth. If the Web connection closes, the FTP connection receives 100% of the bandwidth.

In the Weight field, enter a value that shows the service's importance relative to other defined services. For example, if you enter a weight of 100 for a service and 50 for a different service, the first service is allocated twice as much bandwidth as the second when lines are congested.
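The weight-based sharing described above (proportional split under congestion, with unused bandwidth redistributed to the remaining rules by relative weight), carried through as an added Python example that is not Check Point code; the capacity and demand figures are constructed, and the exact internal algorithm of the QoS engine is assumed to be a standard progressive-filling scheme.

```python
# Added example (not Check Point code): weighted bandwidth sharing as the
# Weight field describes it. Capacity and demands are constructed sample values.
from typing import Dict


def allocate(capacity: float, weights: Dict[str, float],
             demand: Dict[str, float]) -> Dict[str, float]:
    """Share `capacity` among rules in proportion to `weights`.

    Progressive filling (assumed scheme): each active rule is offered
    remaining * w / sum(w). A rule whose unmet demand fits in its offer is
    satisfied and drops out, and the leftover is re-shared among the
    remaining rules by their relative weights.
    """
    alloc = {name: 0.0 for name in weights}
    active = {name for name in weights if demand.get(name, 0.0) > 0.0}
    remaining = float(capacity)
    while active and remaining > 1e-9:
        total_w = sum(weights[n] for n in active)
        satisfied = [n for n in active
                     if demand[n] - alloc[n] <= remaining * weights[n] / total_w]
        if not satisfied:
            # every remaining rule is congested: split by weight and stop
            for n in active:
                alloc[n] += remaining * weights[n] / total_w
            break
        for n in satisfied:
            give = demand[n] - alloc[n]
            alloc[n] += give
            remaining -= give
            active.discard(n)
    return alloc


# Constructed scenario from the text: Web weight 30, FTP weight 10,
# 100 units of line capacity.
WEIGHTS = {"web": 30.0, "ftp": 10.0}


def congested() -> Dict[str, float]:
    """Both rules want more than the line: 75 / 25 split (30/40 and 10/40)."""
    return allocate(100.0, WEIGHTS, {"web": 500.0, "ftp": 500.0})


def ftp_light() -> Dict[str, float]:
    """FTP only needs 10 units; Web gets its share plus the FTP leftover."""
    return allocate(100.0, WEIGHTS, {"web": 500.0, "ftp": 10.0})


def web_idle() -> Dict[str, float]:
    """No Web traffic: FTP receives 100% of the line."""
    return allocate(100.0, WEIGHTS, {"web": 0.0, "ftp": 500.0})


if __name__ == "__main__":
    for case in (congested, ftp_light, web_idle):
        print(case.__name__, case())
```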

To create a QoS rule:

  1. Click the arrow next to New.
  2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

    The Add Rule window opens. It shows the rule fields in two ways:

    • A rule summary sentence with default values.
    • A table with the rule base fields.
  3. Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.

    Note - You can select for a specified rule to have a specified guarantee and/or limit or be marked as low latency traffic. In case of the latter, there is a single maximum limit percentage for ALL low latency traffic which can be configured globally. See above.

  4. To match only for encrypted (VPN) traffic, select Match only for encrypted traffic. The Service column shows "encrypted" if selected.
  5. To limit the rule to a specified time range, select Apply only during this time and select the start and end times. Only connections that begin during this time range are inspected.
  6. DiffServ Mark is a way to mark connections so that a third party handles them. To mark packets that are given priority on the public network based on their DSCP, select DiffServ Mark (1-63) and select a value. To use this option, your ISP or private WAN must support DiffServ. You can get the DSCP value from your ISP or private WAN administrator.
  7. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule.
  8. Click Apply.

Note - You can drag and drop rules to change the order of rules in the QoS Rule Base.

To edit a rule:

Note - For Access Policy rules, you can only edit the tracking options for automatically generated rules.

  1. Select a rule and click Edit.
  2. Edit the fields as necessary.
  3. Click Apply.

To delete a rule:

  1. Select a rule and click Delete.
  2. Click Yes in the confirmation message.

To enable or disable a rule:

To change the rule order:

  1. Select the rule to move.
  2. Drag and drop it to the necessary position.

    Note - You can only change the order of manually defined rules.

SSL Inspection Policy

SSL Inspection

The Access Policy > SSL Inspection Policy page lets you enable and configure SSL inspection. When you turn on this setting, you allow different Software Blades that support SSL inspection to inspect traffic that is encrypted by the Secure Sockets Layer (SSL) protocol. To allow the gateway to inspect the secured connections, all hosts behind the gateway must install the gateway CA certificate.

Software Blades that support SSL traffic inspection:

Deploying SSL Inspection

To deploy SSL inspection:

  1. Select SSL Traffic Inspection.
  2. Click Download CA Certificate to download the gateway’s internal CA certificate.

    Note - The certificate is available for all users on the gateway. You do not need admin credentials. If you do not have admin credentials, connect from an internal or wireless network to http://my.filewall/ica or https://Firewall_IP/ica.

    You must install this certificate on every client behind the gateway.

To install the certificate:

  1. Manually copy the certificate file to your PC.
  2. In the Windows PC, click the file and follow the wizard instructions to add the certificate to the Trusted Root Certification Authorities repository.

    Note - This is not the default repository in the Certificate Import Wizard.

    Certificate installation varies according to the OS. To learn how to install the certificate in your machine, see your OS vendor instructions.

SSL inspection uses the existing internal CA by default. To use your own certificate, you must replace the internal CA.

To replace the internal CA:

  1. Go to Certificates > Internal Certificate.
  2. Click Replace Internal CA.

    The Upload a P12 Certificate window opens.

  3. Click Browse to select the certificate file.
  4. Enter the Certificate name and Password.
  5. Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured in load sharing mode, you can manually enter an accessible IP address for this appliance. This address is used by remote sites to access the internal CA and check for certificate revocation.
  6. Click Apply.

SSL Inspection Bypass Policy

You can select categories that are bypassed for all possible traffic regardless of its source and destination. To configure more advanced exceptions, go to the SSL Inspection Exceptions page.

To set the SSL inspection bypass policy:

To add other categories:

Note - The Bypass checkbox is selected by default.

  1. Click other categories and sites.

    The SSL Inspection Bypass Other window opens.

  2. Select the desired items.
  3. Optional - Click New to add URLs or custom applications.
  4. Click Apply.

HTTPS Categorization

As an alternative to SSL inspection, you can enable HTTPS categorization. HTTPS categorization allows filtering specified HTTPS URLs and applications without activating SSL traffic inspection.

For more information, see the HTTPS Inspection video on the Small Business Security video channel.

To enable HTTPS categorization:

  1. Select HTTPS Categorization.

    Note - When you enable HTTPS categorization, the SSL options are not available.

  2. Click Configure.

    The Access Policy > Firewall Blade Control page opens.

  3. Configure the settings for URL filtering.

    Note - HTTPS categorization only applies when the URL Filtering blade is turned on.

To disable SSL inspection and HTTPS categorization:

Select Off.

SSL Inspection Exceptions

On the SSL Inspection Exceptions page, you can define manual rules to configure exceptions to bypass SSL inspection for specific traffic. You can configure more advanced exceptions with specific scope, category, and tracking options.

To add bypass exceptions:

  1. Click New.
  2. For each exception, enter:
    • Source
    • Destination
    • Category/Custom Application
    • Track

SSL Inspection Advanced

To enable SSL web traffic inspection, you must first establish trust between the clients and the gateway.

An important part of the HTTPS inspection support is the validation of the server's certificate. This requires validating the signing CA of the server certificates.

On the SSL Inspection Advanced page, you can manage trusted certificate authorities. The gateway has a built-in predefined list of trusted CAs, based on the Mozilla/LibCurl Trusted CA list. Only a server certificate signed by one of those CAs is recognized as a valid certificate. The table shows the list of trusted CAs.

Trusted CA types:

To manually add a CA to the trusted CA list:

  1. Click Add.

    The Add a Trusted CA window opens.

  2. Click Browse to select a trusted CA file.
  3. Optional - Click Preview to view the CA.
  4. Click Apply.

To delete a trusted CA:

  1. Click the icon next to the CA.
  2. Click Delete.

    Note - You can only delete a CA that was added by a user.

To disable/enable a trusted CA:

  1. Click the icon next to the CA.
  2. Click Disable/Enable.