Managing the Access Policy

In This Section: Firewall Blade Control Firewall Policy Firewall Servers Firewall NAT Advanced - Creating and Editing NAT Rules User Awareness Blade Control QoS Blade Control QoS Policy SSL Inspection Policy SSL Inspection Exceptions SSL Inspection Advanced

This section describes how to set up and manage your Check Point Appliance access policy.

Firewall Blade Control

In the Access Policy > Firewall Blade Control page you can set the default Access Policy control level, set the default applications and URLs to block and allow secure browsing, and configure User Awareness.

The Access Policy is a set of rules that defines the security requirements for your appliance for incoming, internal, and outgoing traffic.

The Access Policy includes:

• Firewall Policy - Defines how to inspect packets.
• Applications & URL Filtering - Defines how to control Internet browsing and application usage.

The Access Policy > Firewall Blade Control page lets you easily define the default policy for your organization. In addition, you can define and view the rule based policy in the Access Policy > Firewall Policy page. Configurations in the Firewall Blade Control page are shown as automatically generated system rules at the bottom of the Rule Base. We recommend you use the Access Policy > Firewall Policy page to define manual rules that are exceptions to the default policy defined in this page.

The Access Policy > Firewall Blade Control page defines the default policy for incoming, internal, and outgoing traffic to and from your organization. In addition, the Access Policy > Firewall Servers page lets you easily define the default access policy for specific servers within your organization and automatically generated system rules are also defined.

Firewall Policy

Select one of these options to set the default Access Policy:

• Strict
  • Blocks all traffic, in all directions, by default. In this mode, your policy can only be defined through the Servers page and by manually defining access policy rules in the Access Policy > Firewall Policy page.
• Standard
  • Allows outgoing traffic to the Internet on configured services. You can click the services link to configure all or only specified services that are allowed.
  • Allows traffic between internal networks and trusted wireless networks (in applicable devices).
  • Blocks incoming unencrypted traffic from the Internet (traffic from outside your organization to it).

    The Standard policy option is the default level and is recommended for most cases. Keep it unless you have a specified need for a higher or lower security level.

• Off
  • Allows all traffic. When the firewall is deactivated, your network is not secured. Manually defined rules are not applied.

Note - When the blade is managed by Cloud Services, a lock icon shows. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

To set specified outgoing services in a standard Firewall policy:

1. When the Access Policy control level is set to Standard, click all services.
2. Select Block all outgoing services except the following.
3. Select which services to allow.
4. To allow all services, select Allow all outgoing services.
5. Click Apply.

To manually configure Access Policy rules:

Go to the Access Policy > Policy page.

In the Access Policy > Blade Control page:

• When no manual rules are configured, you can click the Firewall Policy link to add manual rules to the Firewall policy.
• When manual rules are configured, it shows the number of rules that are added. Click manual rules to see them in the Access Policy.

Click Servers to see how many servers are defined in the appliance. If no servers are configured, click Add a server to add one. A server object is a defined IP address to which you can also define a specific access policy and also incoming NAT rules if necessary. For example, Port forwarding NAT. Automatically generated access rules to servers are created above the default policy rules and can be seen in the Access Policy > Firewall Policy page. You can create exception rules for servers as well in the Access Policy > Firewall Policy page.

Applications & URL Filtering

The Applications & URL Filtering section lets you define how to handle applications and URL categories on traffic from your organization to the Internet.

Applications and URL Filtering are service based features and require Internet connectivity to download the latest signature package for new applications and to contact the Check Point cloud for URL categorization. This page lets you define the default policy for Applications & URL Filtering control. It is recommended by default to block browsing to security risk categories and applications. You can also configure additional applications and categories to block by default according to your company's policy. In addition, you can also select to limit bandwidth consuming applications for better bandwidth control.

In addition to the On and Off buttons, you can select the URL Filtering Only mode. When you select this option, only URLs and custom applications defined by URLs are blocked. Predefined applications initially installed on your computer or added with automatic updates are not blocked.

When you select the URL Filtering Only mode:

• Rules that contain URLs are enforced. Any applications inside rules are not enforced.
• Rules that contain custom URLs and custom applications are enforced.
• Rules that contain application groups with both predefined applications and URLs are enforced only for the URLs and custom applications. They are not enforced for the predefined applications.
• Applications are not updated through the automatic updates.

The default policy defined here is viewed as automatically generated rules in the bottom of the Outgoing traffic Rule Base in the Access Policy > Policy page.

Select one or more of these options:

• Block security risk categories - Lets you block applications and URLs that can be a security risk and are categorized as spyware, phishing, botnet, spam, anonymizer, or hacking. This option is selected by default.
• Block inappropriate content - Lets you control content by blocking Internet access to websites with inappropriate content such as sex, violence, weapons, gambling, and alcohol.
• Block file sharing applications - Lets you block file-sharing from usually illegal sources using torrents and peer-to-peer applications.
• Block other undesired applications - Lets you manually add and block applications or categories of URLs to a group of undesired applications. You can also create a new URL or application if it is not in the database. Click this option to manage your basic Application & URL Filtering policy that sets what to block. For a more granular policy, go to the Access Policy > Firewall Blade Control page.
• Limit bandwidth consuming applications - Applications that use a lot of bandwidth can decrease performance necessary for important business applications. This option gives accelerated QoS (bandwidth control) for applications. When you select this option, P2P file sharing, media sharing, and media streams are selected by default but you can edit the group to add applications or categories that you think should have a limit with regards to the amount of bandwidth they consume. Note that it is very important to indicate the maximum bandwidth limit according to your Internet connection upload and download bandwidth. Consult your ISP for this information. For the limit to be effective, it has to be lower than the actual bandwidth supplied by your ISP. Upload and download bandwidths are usually not the same.

Updates

As a service based feature, this page also shows you the update status:

• Up to date
• Updated service unreachable - This usually results from a loss in Internet connectivity. You must check your Internet connection in the Device > Internet page and contact your ISP if the problem persists.
• Not up to date - A new update package is ready to be downloaded but the scheduled hour for updates has not occurred yet. Updates are usually scheduled for off-peak hours (weekends or nights).

To schedule updates:

1. Hover over the icon next to the update status and select the Schedule Updates link.
2. Select the blades for which to schedule updates. You must manually update the rest of the blades when new updates packages are available and a not up to date message is shown in the status bar at the bottom of the WebUI application.
3. Select a Recurrence time frame:
   • Hourly - Enter the time interval for Every x hours.
   • Daily - Select the Time of day.
   • Weekly - Select the Day of week and Time of day.
   • Monthly - Select the Day of month and Time of day.
4. Click Apply.

User Awareness

User Awareness lets you configure the Check Point Appliance to enforce access control for individual users and groups and show user-based logs instead of IP address based logs.

Initially, click Configure to set up how User Awareness recognizes users. When this is configured, you can see users in logs and also configure user based Access Policy rules. User recognition can be done seamlessly by the appliance using your organization's AD server. The user database and authentication are all done through the AD server. When a user logs in to the AD server, the appliance is notified. Users from the AD server can be used as the Source in Access Policy rules.

Alternatively or in addition, users can be defined locally in the Users & Objects > Users page with a password. For the appliance to recognize the traffic of those users, you must configure Browser-Based Authentication and the specific destinations to which they must be identified first before accessing. Normally, Browser-Based Authentication is not used for all traffic, but rather for specific destinations because it requires manual login by the end user through a dedicated portal.

If User Awareness has been configured, the Enable User Awareness checkbox is shown. To disable User Awareness, clear the checkbox. To make changes to the configuration, click Edit settings.

At any time, you can also click Active Directory servers to define an AD server that the gateway can work with. Creating an AD server is also available in the Edit settings wizard.

Tracking

Select which traffic to log:

For blocked traffic

• All
• Outgoing
• Incoming and internal

For allowed traffic

• All
• Outgoing
• Incoming and internal

These settings apply to all the incoming and outgoing traffic blocked or accepted by the default Firewall and Applications & URL Filtering automatically generated rules.

These settings do not apply to automatically generated rules for VPN, DMZ, and wireless networks.

More Information

The Check Point Application Database contains more than 4,500 applications and about 96 million categorized URLs.

Each application has a description, a category, additional categories, and a risk level. You can include applications and categories in your Application Control and URL Filtering rules. If your appliance is licensed for the Application Control & URL Filtering blades, the database is updated regularly with new applications, categories and social networking widgets. This lets you easily create and maintain an up to date policy.

You can see the Application Database from:

• The Block other undesired applications link.
• The Applications & URLs link - This opens the Users & Objects > Applications & URLs page.
• The Check Point AppWiki link - The AppWiki is an easy to use tool that lets you search and filter the Application and URL Filtering Database.

Firewall Policy

In the Access Policy > Firewall Policy page you can manage the Firewall Access Policy Rule Base. You can create, edit, delete, enable or disable rules. In the Access Policy > Firewall Blade Control page you determine the basic firewall policy mode.

In Standard mode, this page shows you both automatically generated rules based on the configuration of your default policy and manually defined rules as exceptions to this default policy.

In Strict mode, all access is blocked by default and this page is the only way to configure access rules for your organization.

The Rule Base is divided into two sections. Each of the two sections represent a different security policy - how your organization browses to the Internet (the world outside your organization) and the security policy to access your organization's resources (both from within and from outside your organization). At the top of the page there are three links that let you see both or only one of the sections.

• Outgoing access to the Internet - For all outgoing traffic rules. In this Rule Base you determine the policy to access the Internet outside your organization. Commonly the policy here is to allow the basic traffic, but you can block applications and URLs based on your company's discretion. In the Access Policy > Firewall Blade Control page you can configure the default policy to block applications and URLs. This page lets you add manual rules as exceptions to the default policy. You can also customize messages that are shown to users for specified websites when they are blocked or accepted by the Rule Base (see below). You can also use an Ask action for applications or URLs that lets the end user determine whether browsing is for work related purposes or not. For example, we recommend you add a rule that asks the users before browsing to uncategorized URLs. Such a rule can disrupt possible bot attacks.
• Incoming, internal and VPN traffic - For all incoming, internal and VPN traffic rules. In this Rule Base, you determine the policy to access your organization's resources. All internal networks, wireless networks, and external VPN sites are considered part of your organization and traffic to them is inspected in this Rule Base. Commonly the policy here is to block traffic from outside your organization into it and allow traffic within your organization.

  In Standard mode, you can configure in various pages a more granular default policy:

  • Traffic from specific sources into your organization can be blocked or accepted by default. This configuration can be found in each specific sources' edit mode:
    • External VPN sites - Configure default access from/to VPN > Site to Site Blade Control page.
    • Remote Access VPN users - Configure default access from VPN > Remote Access Blade Control page.
    • Wireless networks - Configure default access for each wireless network from the Access tab in each wireless network's edit window in the Device > Wireless Network page.
    • DMZ network - Configure default access from the DMZ object's edit window in the Device > Local Network page.
  • Traffic to defined server objects as configured in each server's edit window in the Access Policy > Firewall Servers page.

  This page lets you add manual rules as exceptions to the default policy. In Strict mode, the default policy blocks everything and you configure access only through manual rules.

Within each section there are these sections:

• Manual Rules - Rules that you manually create.
• Auto Generated Rules - Rules that the system determines based on the initial Firewall Policy mode (Strict or Standard) as explained above. These rules are also influenced by other elements in the system. For example, when you add a server, a corresponding rule is added to the Incoming, internal and VPN traffic section.

These are the fields that manage the rules for the Firewall Access Policy.

Rule Base Field	Description
No.	Rule number in the Firewall Rule Base.
Source	IP address, network object, or user group that initiates the connection.
Destination	IP address or network object that is the target of the connection.
Application	Applications or web sites that are accepted or blocked. You can filter the list by common applications, categories, custom defined applications, URLs or groups. For more information, see Managing Applications & URLs. This field is only shown in the Outgoing access to the Internet section.
Service	Type of network service that is accepted or blocked.
Action	Firewall action that is done when traffic matches the rule. For outgoing traffic rules, you can use the Customize messages option to configure "Ask" or "Inform" actions in addition to the regular Block or Accept actions. The messages shown can be set for these action types: Accept and Inform, Block and Inform, or Ask. Ask action lets the end user decide if this traffic is for work purposes or personal. See the Customize messages section below. Users are redirected to a portal that shows a message or question. If a time range is set for the rule, a clock icon is shown.
Log	The tracking and logging action that is done when traffic matches the rule.
Comment / Auto generated rule	Details shown immediately below the above fields for: Comments you enter when you create a rule. Rules that the system automatically generates. You can click the object name link in the comment to open its configuration tab.

The "Ask" action

The outgoing Rule Base gives the option to set an Ask action instead of just allow or block for browser based applications. There are several commonly used cases where this is helpful:

• This action can be used for traffic that is normally not allowed in your organization, but you do want it to be available for work-related purposes. End users are asked if they need to browse for work-related purposes and can continue without requiring the administrator to make changes to the access policy for this single event. For example, traffic to Facebook is generally blocked but you want your HR department to be able to access it for work-related purposes.
• This action for traffic to uncategorized URLs can also give security against malware that managed to be installed inside your organization. Such malware is blocked by the Ask action.

To create a new manually defined access rule:

1. Click the arrow next to New. When the page shows both Rule Bases, click New in the appropriate table.
2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

   The Add Rule window opens. It shows the rule fields in two ways:

   • A rule summary sentence with default values.
   • A table with the rule base fields in a table.
3. Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.

   Note - The Application field is relevant only for outgoing rules.

   In the Source field, you can optionally select between entering a manual IP address (network), a network object, or user group (to configure a user based policy, make sure the User Awareness blade is activated). Users can be defined locally on the appliance or externally in an Active Directory. For more details, see the Access Policy > User Awareness Blade Control page.

4. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in the Access Policy.
5. To limit the rule to a certain time range, select Apply only during this time and select the start and end times.
6. In outgoing rules, to limit the download traffic rate, select Limit download traffic of applications to and enter the Kpbs rate.
7. In outgoing rules, to limit the upload traffic rate, select Limit upload traffic of applications to and enter the Kpbs rate.
8. In incoming rules, to match only for encrypted VPN traffic, select Match only for encrypted traffic.
9. Click Apply.

   The rule is added to the outgoing or incoming section of the Access Policy.

To clone a rule:

Clone a rule to add a rule that is almost the same as the one that already exists.

1. Select a rule and click Clone.
2. Edit the fields as necessary.
3. Click Apply.

To edit a rule:

Note - For Access Policy rules, you can only edit the tracking options for automatically generated rules.

1. Select a rule and click Edit.
2. Edit the fields as necessary.
3. Click Apply.

To delete a rule:

1. Select a rule and click Delete.
2. Click Yes in the confirmation message.

To enable or disable a rule:

• To disable a manually defined rule that you have added to the rule base, select the rule and click Disable.
• To enable a manually defined rule that you previously disabled, select the rule and click Enable.

To change the rule order:

1. Select the rule to move.
2. Drag and drop it to the necessary position.

   Note - You can only change the order of manually defined rules.

Customize messages

You can customize messages to let the Security Gateway communicate with users. This helps users understand that some websites are against the company's security policy. It also tells users about the changing Internet policy for websites and applications. When you configure such messages, the user's Internet browser shows the messages in a new window when traffic is matched on a rule using one of the message related actions.

These are the Action options and their related notifications:

Rule Base action	Notifications
Accept and Inform	Shows an informative message to users. Users can continue to the application or cancel the request.
Block and Inform	Shows a message to users and blocks the application request.
Ask	Shows a message to users and asks them if they want to continue with the request or not. See above for more details.

To customize messages:

1. Click Customize messages in the Outgoing access to the Internet section.
2. Configure the options in each of these tabs:
   • Accept and Inform
   • Block and Inform
   • Ask
3. Configure the applicable fields for each of the notifications:
   • Title - Keep the default or enter a different title.
   • Subject - Keep the default or enter a different subject.
   • Body - Keep the default or enter different body text. You can click Optional keywords for a list of keywords that you can add in the body text to give the user more information.
   • Ignore text (only for Ask) - This is the confirmation message for the Ask user message. Keep the default text or enter different text
   • User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box for entering the reason.
   • Fallback action - Select an alternative action (Block or Accept) for when the notification cannot be shown in the browser or application that caused the notification, most notably in non-web applications. If it is determined that the notification cannot be shown in the browser or application, the behavior is:
     • If the Fallback action is Accept - The user can access the website or application.
     • If the Fallback action is Block - The Security Gateway tries to show the notification in the application that caused the notification. If it cannot, the website or application is blocked, and the user does not see a notification.
   • Frequency - You can set the number of times that users get notifications for accessing applications that are not permitted by the policy. The options are:
     • Once a day
     • Once a week
     • Once a month

     For example, in a rule that contains in the Application - Social Networking category, if you select Once a day as the frequency, a user who accesses Facebook multiple times get one notification.

   • Redirect the user to URL - You can redirect the user to an external portal, not on the gateway. In the URL field, enter the URL for the external portal. The specified URL can be an external system. It gets authentications credentials from the user, such as a user name or password. It sends this information to the gateway. Only applicable for the Block and Inform notification.
4. Click the Customize tab to customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default.
5. Click Apply.

Firewall Servers

In the Servers page you can see a list of servers defined in your system. You can create, edit, delete or search for server objects. Server objects are network objects that are defined with their access and NAT (if applicable) policies.

New server objects are created using a wizard:

• Step 1 - Select the server type.
• Step 2 - Define the server's details.
• Step 3 - Set up the server's access policy properties.
• Step 4 - NAT configuration (if relevant)

After you create a server, one or more corresponding rules are automatically generated and added to the Access Policy automatically and shown in the Access Policy > Firewall Policy page. The comment in the rule shows the object name. You can click the object name link in the comment to open the Access tab in the Server Properties.

An easier way to define server objects is by detecting them in the Home > Active Devices page and saving them as servers. For example, this option automatically detects the MAC address of the server making configuration easier.

During the wizard:

• Click Cancel to quit the wizard.
• Click Next to move to the next page of the wizard.
• Click Back to go to an earlier page of the wizard.
• Click Finish to complete the wizard.

To create a new object:

Click New. The New Server Wizard opens and shows Step1: Server Type.

Step 1: Server Type

1. Select the server type. There are built-in types for common servers. You can manually define a server that listens to any configured ports and you can also change a common server type's ports.
2. When selecting built-in types, you can optionally click Edit to edit the protocol ports.
3. When you select Other Server:
   • Select the Protocol (TCP, UDP, or both).
   • Enter the TCP/UDP Ports (enter port numbers and/or port ranges separated by commas, for example, 1,3,5-8,15).

Step 2: Server Definitions

1. Enter a Name, IP address, and Comments (optional).
2. Select the options that apply to the server. For more information see Users & Objects > Network Objects.
   • Allow DNS server to resolve this object name - When the gateway is the DNS server for your internal networks the name of the server/network object will be translated to its IP address if this option is selected.
   • Exclude from DHCP service - The internal DHCP service will not distribute the configured IP address of this server/network object to anyone.
     • Reserve IP address in DHCP service for MAC - The internal DHCP service will distribute the configured IP address only to this server/network object according to its MAC address.
     • Enter the MAC address - This is required for IP reservation. When you create the object from the Active Devices page, the MAC address is detected automatically.

Step 3: Access

1. Select the zones from which the server is accessible:
   • All zones (including the Internet) - Select this option to create a server that anyone from outside the organization can access. This option requires configuring how the server is accessible through NAT (in the next step).
   • Only trusted zones (my organization) - Select the applicable checkboxes. You can override these settings by adding manual access rules.
     • LAN - Physical internal networks.
     • Remote Access VPN users - Users that connect from their homes/mobile devices to the office.
     • Secure wireless networks - Password protected networks, not including guest networks.
     • DMZ - The network physically connected to the DMZ port when it is not used for a secondary Internet connection.
     • Remote VPN sites - Networks defined behind gateways to remote VPN sites.
2. If you do not want the server to be accessible to pings, clear the Allow access to server in the ICMP (ping) checkbox.
3. Select the logging policy of traffic to the server:
   • Log blocked connections
   • Log accepted connections

Step 4: NAT (when server is accessible from the Internet)

Select the relevant option:

• The server's configured IP address (x.x.x.x) is public - This option is only relevant if the Hide internal networks behind the Gateway's external IP address checkbox in the Access Policy > NAT Control page is cleared (see above for details). It means there are no NAT rules on the server.

When you complete the wizard, the server is added to the list of servers on the page and the automatically generated access rules are added to the Access Policy > Firewall Policy Rule Base.

Note - This page is available from the Firewall and NAT sections on the Access Policy tab.

Firewall NAT

In the Access Policy > Firewall NAT page you can configure NAT for outgoing traffic and see how many servers are defined in the system. Servers are defined in the Access Policy > Servers page and are network objects configured with their access and NAT settings. This lets you configure servers that are accessible from the Internet even if they do not have a routable IP address. You can also configure servers with NAT settings from this page.

Note - 700 and 910 appliances support both IPv4 and IPv6 addresses.

To disable NAT for outgoing traffic (hide NAT):

By default, NAT is configured for outgoing traffic. If it is necessary to disable NAT, make sure Hide internal networks behind the Gateway's external IP address is set to OFF.

Important - In most cases, if you turn off the hide NAT feature, you cause Internet connectivity issues. If your appliance is the gateway of your office to the Internet DO NOT set to off without consulting with networking experts.

To configure a server that is routable from the Internet (server with NAT):

1. Click New Server (forwarding rule).
2. See the Access Policy > Servers page for instructions on how to use the server wizard.
3. In the Access step of the server wizard, select one of the options when asked from where this server is accessible.
4. In the NAT step of the server wizard, select the relevant option:
   • The gateway's external (public) IP address - This configures access through Port Forwarding. The appliance has an external routable IP address which is configured in its Internet connections (on the Device > Internet page). Traffic to the appliance to the ports configured for the server object in step 1 of the wizard is forwarded to the server. This allows traffic from the Internet into the organization (public servers) while still using one external routable IP address.
   • A different (public) IP address - This configures access through Static NAT. If a routable IP address was purchased for the server, enter it in the address field. While the rest of the internal network is hidden behind the gateway's external IP address, this specified server will use its own accessible IP address. Traffic to the specified IP address on relevant ports as configured in step 1 of the wizard will be forwarded to this server.
   • The server's configured IP address (x.x.x.x) is public - This option is only relevant if the Hide internal networks behind the Gateway's external IP address checkbox in the Access Policy > NAT Control page is cleared (see above for details). It means there are no NAT rules on the server.
5. When you have multiple internal servers that use the same port, select Redirect from port and enter a different port number that is used when you access this server from the Internet. Traffic to the server on the port you entered is forwarded to the server's port.
6. By default, the Force translated traffic to return to the gateway checkbox is selected. This allows access from internal networks to external IP addresses of servers through the local switch. The source is translated to "This Gateway". When the checkbox is cleared, the source is "Any" and there is no access from the internal network to external IP addresses through the switch.
7. Click Finish.

After you create a server with NAT settings, one or more corresponding rules are automatically generated and added to the NAT rules under the Auto Generated Forwarding Rules section. Click View NAT rules to see them. The comment in the rule shows the server object name. You can click the object name link to open the Access tab of the server's properties or click the Servers page link to go to the Firewall Servers page.

Advanced - Manual NAT Rules

Note - For the majority of cases, manual NAT rules are not necessary. There is no need to use this option unless you are an experienced network administrator.

A more advanced way to configure address translation is by defining manual NAT rules. If servers with NAT are configured, the manual NAT rules do not apply to them. However, they apply even when Hide NAT is activated.

These are the fields that manage the NAT rules.

Rule Base Field	Description
Original Source	The network object (a specified IP address) or network group object (a specified IP address range) that is the original source of the connections to translate.
Original Destination	The network object (a specified IP address) or network group object (a specified IP address range) that is the original destination of the connections to translate.
Original Service	The original service used for the connections to translate.
Translated Source	The network object or network group object that is the new source to which the original source is translated.
Translated Destination	The network object or network group object that is the new destination to which the original destination is translated.
Translated Service	The new service to which the original service is translated.

To create a new NAT rule:

1. If the NAT rules table is not shown on the page, click the View NAT rules link.
2. Click the arrow next to New.
3. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

   The Add Manual NAT Rule window opens. It shows the rule fields in two manners:

   • A rule summary sentence with default values.
   • A table with the Rule Base fields in a table.
4. Click the links in the rule summary or the table cells to select network objects or options that fill out the Rule Base fields. See the descriptions above.
5. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in NAT Manual Rules.
6. Select the Hide multiple sources behind the translated source addresses if you want the original source to contain multiple IP addresses, IP ranges, networks, etc. and the translated source to be a single IP address.

   When this option is not selected, you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source. This rule does the IP address translation from one range to another, respectively (the first IP in the first range is translated to the first IP in the second range, and so on).

7. Select Serve as an ARP Proxy for the original destination's IP address for the gateway to reply to ARP requests sent to the original destination's IP address. Note that this does not apply to IP ranges or networks.
8. Click Apply.

After you create manual rule, it is added to the NAT rules table under the Manual NAT Rules section.

To edit a rule:

Note for Access Policy rules - you can only edit the tracking options for automatically generated rules.

1. Select a rule and click Edit.
2. Edit the fields as necessary.
3. Click Apply.

To delete a rule:

1. Select a rule and click Delete.
2. Click Yes in the confirmation message.

To enable or disable a rule:

1. To disable a manually defined rule that you have added to the rule base, select the rule and click Disable.
2. To enable a manually defined rule that you have previously disabled, select the rule and click Enable.

To change the rule order:

Note - You can only change the order of manually defined rules.

1. Select the rule to move.
2. Drag and drop it to the necessary position.

Advanced - Creating and Editing NAT Rules

In the Access Policy > NAT Manual Rules page you can create and edit custom NAT rules. If servers with NAT are configured the manual NAT rules do not apply to them. However, they do apply even when Hide NAT is activated.

Note - For the majority of cases, manual NAT rules are not necessary. There is no need to use this option unless you are an experienced network administrator. See the Access Policy > NAT Control page for the commonly used options.

These are the fields that manage the NAT rules.

Rule Base Field	Description
Original Source	The network object (a specified IP address) or network group object (a specified IP address range) that is the original source of the connections to translate.
Original Destination	The network object (a specified IP address) or network group object (a specified IP address range) that is the original destination of the connections to translate.
Original Service	The original service used for the connections to translate.
Translated Source	The network object or network group object that is the new source to which the original source is translated.
Translated Destination	The network object or network group object that is the new destination to which the original destination is translated.
Translated Service	The new service to which the original service is translated.

To create a new NAT rule:

1. Click the arrow next to New.
2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

   The Add Rule window opens. It shows the rule fields in two manners:

   • A rule summary sentence with default values.
   • A table with the rule base fields in a table.
3. Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.
4. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in NAT Manual Rules.
5. Select the Hide multiple sources behind the translated source address/es if you want the original source to contain multiple IP addresses, IP ranges, networks, etc. and the translated source to be a single IP address.

   When this option is not selected, you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source. This rule does the IP address translation from one range to another, respectively (the first IP in the first range is translated to the first IP in the second range, etc.).

6. Click Apply.

To edit a rule:

Note for Access Policy rules - you can only edit the tracking options for automatically generated rules.

1. Select a rule and click Edit.
2. Edit the fields as necessary.
3. Click Apply.

To delete a rule:

1. Select a rule and click Delete.
2. Click Yes in the confirmation message.

To enable or disable a rule:

• To disable a manually defined rule that you have added to the rule base, select the rule and click Disable.
• To enable a manually defined rule that you have previously disabled, select the rule and click Enable.

To change the rule order:

1. Select the rule to move.
2. Drag and drop it to the necessary position.

Note - You can only change the order of manually defined rules.

User Awareness Blade Control

In the User Awareness page you can turn the blade on or off and use the configuration wizard to configure sources to get user identities, for logging and configuration purposes.

User Awareness lets you configure the Check Point Appliance to show user based logs instead of IP address based logs and enforce access control for individual users and user groups.

To use User Awareness, you must configure identification methods to get information about users and user groups. After the gateway acquires the identity of a user, user-based rules can be enforced on the network traffic in the Access Policy.

User Awareness can use these sources to identify users:

• Active Directory Queries - Seamlessly queries the AD (Active Directory) servers to get user information.
• Browser-Based Authentication - Uses a portal to authenticate either locally defined users or as a backup to other identification methods.

AD Query

The Check Point Appliance registers to receive security event logs from the AD domain controllers when the security policy is installed. This requires administrator privileges for the AD server. When a user authenticates with AD credentials, these event logs are generated and are sent to the Security Gateway. The Check Point Appliance can then identify the user based on the AD security event log.

Browser-Based Authentication

Browser-Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This is a method that identifies locally defined users or users that were not successfully identified by other methods. You can configure the Browser-Based Authentication to appear for all traffic but because this method of identification is not seamless to the end users, it is commonly configured to appear when you access only specific network resources or the Internet to avoid the overhead required from end users when they identify themselves. For traffic that is not HTTP based, you can also configure that all unidentified are blocked from accessing the configured resources or Internet until they identify themselves first through the Browser-Based Authentication.

To turn on User Awareness on or off:

Select the On or Off option.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

Use the User Awareness configuration wizard to enable and configure the blade. You can configure the basic details of the identity sources. After initial configuration, you can select the Active Directory Queries or Browser-Based Authentication checkboxes under Policy Configuration and click Configure to configure more advanced settings.

To configure User Awareness with the wizard:

1. Click the configuration wizard link.

   The User Awareness Wizard opens.

2. Select one or more user identification methods (see above for descriptions of methods) and click Next.

For Active Directory Queries:

If you have an existing Active Directory server, click Use existing Active Directory servers.

To define a new Active Directory server:

1. Click Define a new Active Directory server.
2. Enter the Domain, IP address, User name, Password, and User DN. For the User DN, click Discover for automatic discovery of the DN of the object that represents that user or enter the user DN manually.
3. You can optionally select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory. In Branch, enter the branch name.
4. Click Next.

For Browser-Based Authentication:

1. To block access for unauthenticated users when the portal is not available, select Block unauthenticated users when the captive portal is not applicable. This configuration option forces users using non-HTTP traffic to login first through Browser-Based Authentication.
2. Select if unidentified users are redirected to captive portal for All traffic or Specific destinations. In most cases, all traffic is not used because it is not a seamless identification method.
3. Under Specific destinations, select Internet or Selected network objects. If you select Selected network objects, select the objects from the list or create new objects.
4. Click Finish.

To edit settings and configure portal customization for Browser-Based Authentication:

1. Under Policy Configuration, select Browser-Based Authentication and click Configure.
2. In the Identification tab, you can edit settings configured in the wizard if necessary.
3. In the Customization tab, select the relevant options:
   • Users must agree to the following conditions - You can require that users agree to legal conditions. In the text box, enter the conditions that are shown to the user.
   • Upload - Lets you upload a company logo. Browse to the logo file and click Apply. The logo is shown in the Displayed Logo section.
   • Use Default - Uses the default logo.
4. In the Advanced tab:
   • Portal Address - Keep the default setting which is the address the Captive Portal runs on the Check Point Appliance or enter a different portal address.
   • Session timeout - Sets for how long an authenticated user can access the network or Internet before they have to authenticate again.
   • Enable Unregistered guests login - Allow an unregistered, guest user to be identified in the logs by name and not only by IP address. An unregistered user is an unmanaged non-AD user, typically a partner or a contractor. To gain access, guests enter their company name, email address, phone number (optional), and name.

     Configure the Guest Session timeout. This is the number of minutes for which a guest user can access network resources. The default timeout is 180 minutes.

     Guest access is logged. The name of the guest shows in the User column of the Logs and Monitoring tab. The other details show in the full log entry.

   • Force quick cache timeout if user closes portal window - When the portal is closed, the user is logged out.
5. Click Apply.

Note - This page is available from Access Policy > User Awareness Blade Control and Users & Objects > User Awareness.

QoS Blade Control

In the Access Policy > QoS Blade Control page you can activate QoS, define the QoS default policy, and add manual rules.

The QoS (bandwidth control) policy is a set of rules that lets you set bandwidth parameters to control the flow of communication to and from your network. These rules make sure that important traffic is prioritized so your business can work with minimum disruption when there is network congestion.

QoS can be activated on Internet connections and requires at least one Internet connection to be configured with the maximum download and/or upload speeds provided by your ISP. For more information about your download and upload speeds, contact your local ISP.

This page lets you configure a default simplified QoS policy. You can configure a more advanced policy in the Access Policy > QoS Policy page.

QoS policy applies to traffic over external interfaces only.

QoS

Select one of the options to set the Access Policy control level:

• On - Enforces the default QoS policy.
• Off - QoS default policy is not enforced.

  Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.

QoS default policy

Select the options for your default QoS policy. Alternatively, you can define your entire QoS policy through the Access Policy > QoS Policy page by clearing all of the checkboxes on this page.

• Ensure low latency priority for Delay Sensitive Services (e.g. VoIP) - Select this option to make sure that traffic that is very sensitive to delay is prioritized. For example, IP telephony, videoconferencing, and interactive protocols that must have a short response time, such as Telnet.

  Click the Delay Sensitive Services link to see the default services included and add new ones or remove existing if necessary. QoS tries to send these packets before other packets. This option adds a rule to the QoS Policy Rule Base.

• Guarantee X% of the bandwidth to VPN/all traffic on all services - Select this option to guarantee a minimum bandwidth for the specified traffic on all services or selected services.

  Enter the bandwidth percentage, change the type of traffic if needed, and if necessary click the all services link to edit a list of selected guaranteed services. This option adds a rule to the QoS Policy Rule Base.

• Limit Bandwidth Consuming Applications - Applications that use a lot of bandwidth can decrease performance necessary for important business applications.

  Click the Bandwidth Consuming Applications link to see the default applications/categories included and add new ones or remove existing if necessary.

  Select the Limit Bandwidth Consuming Applications checkbox and select Download and/or Upload to determine where the limit is enforced and the maximum bandwidth in each of the selected options. Bandwidth consuming applications control can also be configured in the Access Policy > Firewall Blade Control and Policy pages.

To add a guaranteed service to the default policy:

1. Select the Guarantee X% of the bandwidth to X traffic on all/selected services option and click the services link.

   The Edit guaranteed services window opens.

2. Select Selected services.
3. Click Select to show the full list of available services and select the relevant checkboxes.
4. Click New if the existing list does not contain the service you need. For information on creating a new service, see the Users & Objects > Services page.
5. Click Apply.

QoS Policy

In the Access Policy > QoS Policy page you can manage the QoS default policy and add manual rules if necessary.

The top of the page shows information about these limits:

• Bandwidth Consuming Applications - If you set download and upload rates in the Access Policy > QoS Blade Control page or Access Policy > Firewall Blade Control page. If you see the disabled link, click it to configure the rates here.
• Low latency traffic - Shows the maximum percentage of bandwidth that can be reserved for low latency traffic. If you do not set a maximum percentage, traffic that does not require low latency might be starved (might not be handled at all). To change the value, click the percentage link.

You can view the QoS Policy Rule Base on this page. For each rule, you see these fields:

Rule Base Field	Description
No.	Rule number in the QoS policy.
Source	Network object that starts the connection.
Destination	Network object that completes the connection.
Service	Type of network service for which bandwidth is adjusted based on weight, limit, and guarantee.
Guarantee/Limit	Lets you set a percentage that limits the bandwidth rate of traffic and/or guarantees the minimum bandwidth for traffic. Another option is to mark the traffic as low latency. This guarantees that it is prioritized accordingly.
Weight	The unit used to divide available bandwidth when traffic exceeds the maximum bandwidth configured for the Internet connection. See below.
Track	The tracking and logging action that is done when traffic matches the rule.
Comment	An optional field that shows a comment if you entered one. For system generated rules of the default policy a Note is shown.

Weight

QoS divides available bandwidth across the QoS policy rules based on weight. The use of weights instead of specified percentages is a flexible way for the QoS engine to allocate bandwidth if the maximum bandwidth is exceeded based on the specified traffic at that point. This maximizes the usage of the bandwidth.

For example, in an organization, Web traffic is deemed three times as important as FTP traffic. Rules with these services are assigned weights of 30 and 10 respectively. If the lines are congested, QoS keeps the ratio of bandwidth allocated to Web traffic and FTP traffic at 3 to 1.

You can set options for the default policy or you can manually define rules for the QoS policy. If a rule does not use all of its bandwidth, the leftover bandwidth is divided with the remaining rules, based on their relative weights. In the above example, if only one Web and one FTP connection are active and they compete, the Web connection receives 75% (30/40) of the leftover bandwidth, and the FTP connection receives 25% (10/40) of the leftover bandwidth. If the Web connection closes, the FTP connection receives 100% of the bandwidth.

In the Weight field, enter a value that shows the services importance relative to other defined services. For example, if you enter a weight of 100 for a service and set 50 for a different service, the first service is allocated two times the amount of bandwidth as the second when lines are congested.

To create a QoS rule:

1. Click the arrow next to New.
2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected, or Under Selected.

   The Add Rule window opens. It shows the rule fields in two manners:

   • A rule summary sentence with default values.
   • A table with the rule base fields in a table.
3. Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above.

   Note - You can select for a specified rule to have a specified guarantee and/or limit or be marked as low latency traffic. In case of the latter, there is a single maximum limit percentage for ALL low latency traffic which can be configured globally. See above.

4. To match only for encrypted (VPN) traffic, select Match only for encrypted traffic. The Service column shows "encrypted" if selected.
5. To limit the rule to a specified time range, select Apply only during this time and select the start and end times. Only connections that begin during this time range are inspected.
6. DiffServ Mark is a way to mark connections so a third party handles it. To mark packets that are given priority on the public network based on their DSCP, select DiffServ Mark (1-63) and select a value. To use this option, your ISP or private WAN must support DiffServ. You can get the DSCP value from your ISP or private WAN administrator.
7. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule.
8. Click Apply.

Note - You can drag and drop rules to change the order of rules in the QoS Rule Base.

To edit a rule:

Note - For Access Policy rules, you can only edit the tracking options for automatically generated rules.

1. Select a rule and click Edit.
2. Edit the fields as necessary.
3. Click Apply.

To delete a rule:

1. Select a rule and click Delete.
2. Click Yes in the confirmation message.

To enable or disable a rule:

• To disable a manually defined rule that you have added to the Rule Base, select the rule and click Disable.
• To enable a manually defined rule that you have previously disabled, select the rule and click Enable.

To change the rule order:

1. Select the rule to move.
2. Drag and drop it to the necessary position.

   Note - You can only change the order of manually defined rules.

SSL Inspection Policy

SSL Inspection

The Access Policy > SSL Inspection Policy page lets you enable and configure SSL inspection. When you turn on this setting, you allow different Software Blades that support SSL inspection to inspect traffic that is encrypted by the Secure Sockets Layer (SSL) protocol. To allow the gateway to inspect the secured connections, all hosts behind the gateway must install the gateway CA certificate.

Software Blades that support SSL traffic inspection:

• Application & URL Filtering
• IPS
• Anti-Virus
• Anti-Bot
• Threat Emulation

Deploying SSL Inspection

To deploy SSL inspection:

1. Select SSL Traffic Inspection.
2. Click Download CA Certificate to download the gateway’s internal CA certificate.

   Note - The certificate is available for all users on the gateway. You do not need admin credentials. If you do not have admin credentials, connect from an internal or wireless network to http://my.filewall/ica or https://Firewall_IP/ica.

   You must install this certificate on every client behind the gateway.

To install the certificate:

1. Manually copy the certificate file to your PC.
2. In the Windows PC, click the file and follow the wizard instructions to add the certificate to the Trusted Root Certification Authorities repository.

   Note - This is not the default repository in the Certificate Import Wizard.

   Certificate installation varies according to the OS. To learn how to install the certificate in your machine, see your OS vendor instructions.

SSL inspection uses the existing internal CA by default. To use your own certificate, you must replace the internal CA.

To replace the internal CA:

1. Go to Certificates > Internal Certificate.
2. Click Replace Internal CA.

   The Upload a P12 Certificate window opens.

3. Click Browse to select the certificate file.
4. Enter the Certificate name and Password.
5. Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.
6. Click Apply.

SSL Inspection Bypass Policy

You can select categories that are bypassed for all possible traffic regardless of its source and destination. To configure more advanced exceptions, go to the SSL Inspection Exceptions page.

To set the SSL inspection bypass policy:

• Wireless networks to bypass - Select or clear which wireless networks to bypass. Untrusted networks are selected by default.

  Note - Wireless networks must be assigned to Separate Network, not switch or bridge.

• Categories - Select or clear the privacy related categories that are not inspected. All categories except for Media Streams are selected by default.
• Tracking - Select to enable logs to indicate that the SSL inspection policy decision was inspect or bypass.

  Note - These logs are generated in addition to the logs generated by the Software Blades.

To add other categories:

Note - The Bypass checkbox is selected by default.

1. Click other categories and sites.

   The SSL Inspection Bypass Other window opens.

2. Select the desired items.
3. Optional - Click New to add URLs or custom applications.
4. Click Apply.

HTTPS Categorization

As an alternative to SSL inspection, you can enable HTTPS categorization. HTTPS categorization allows filtering specified HTTPS URLs and applications without activating SSL traffic inspection.

For more information, see the HTTPS Inspection video on the Small Business Security video channel.

To enable HTTPS categorization:

1. Select HTTPS Categorization.

   Note - When you enable HTTPS categorization, the SSL options are not available.

2. Click Configure.

   The Access Policy > Firewall Blade Control page opens.

3. Configure the settings for URL filtering.

   Note - HTTPS categorization only applies when the URL Filtering blade is turned on.

To disable SSL inspection and HTTPS categorization:

Select Off.

SSL Inspection Exceptions

On the SSL Inspection Exceptions page, you can define manual rules to configure exceptions to bypass SSL inspection for specific traffic. You can configure more advanced exceptions with specific scope, category, and tracking options.

To add bypass exceptions:

1. Click New.
2. For each exception, enter:
   • Source
   • Destination
   • Category/Custom Application
   • Track

SSL Inspection Advanced

To enable SSL web traffic inspection, you must first establish trust between the clients and the gateway.

An important part of the HTTPS inspection support is the validation of the server's certificate. This requires validating the signing CA of the server certificates.

On the SSL Inspection Advanced page, you can manage trusted certificate authorities. The gateway has a built-in predefined list of trusted CAs, based on the Mozilla/LibCurl Trusted CA list. Only a server certificate signed by one of those CAs is recognized as a valid certificate. The table shows the list of trusted CAs.

Trusted CA types:

• Default from the gateway - These CAs can be disabled but not deleted.
• Added by user - These CAs can be deleted.

To manually add a CA to the trusted CA list:

1. Click Add.

   The Add a Trusted CA window opens.

2. Click Browse to select a trusted CA file.
3. Optional - Click Preview to view the CA.
4. Click Apply.

To delete a trusted CA:

1. Click the icon next to the CA.
2. Click Delete.

   Note - You can only delete a CA that was added by a user.

To disable/enable a trusted CA:

1. Click the icon next to the CA.
2. Click Disable/Enable.