Getting Started

In This Section: Application Control and URL Filtering Licensing and Contracts SmartDashboard Toolbar Enabling Application Control on a Security Gateway Enabling URL Filtering on a Security Gateway Creating an Application Control and URL Filtering Policy

Application Control can be enabled on R75 or higher gateways and URL Filtering can be enabled on R75.20 or higher gateways.

Application Control and URL Filtering Licensing and Contracts

Make sure that each Security Gateway has a Security Gateway license and an Application Control contract and/or URL Filtering contract. For clusters, make sure you have a contract and license for each cluster member.

New installations and upgraded installations automatically receive a 30 day trial license and updates. Contact your Check Point representative to get full licenses and contracts.

If you do not have a valid contract for a Security Gateway, the Application Control blade and/or URL Filtering blade is disabled. When contracts are about to expire or have already expired, you will see warnings. Warnings show in:

• The Message and Action Items section of the Overview pane of the Application and URL Filtering tab.
• The Check Point User Center when you log in to your account.

SmartDashboard Toolbar

You can use the SmartDashboard toolbar to do these actions:

Icon	Description
	Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
	Save current policy and all system objects.
	Open a policy package, which is a collection of Policies saved together with the same name.
	Refresh policy from the Security Management Server.
	Open the Database Revision Control window.
	Change global properties.
	Verify Rule Base consistency.
	Install the policy on Security Gateways or VSX Gateways.
	Open SmartConsole.

Enabling Application Control on a Security Gateway

Enable the Application Control Software Blade on each Security Gateway.

To enable the Application Control Software Blade on a Security Gateway:

1. In SmartDashboard, right-click the Security Gateway object and select Edit.

   The Gateway Properties window opens.

2. In General Properties > Network Security tab, select Application Control.
3. Click OK.
4. Install the Policy.

After you enable Application Control, you can see logs that relate to application traffic in SmartView Tracker and SmartEvent. These logs show how applications are used in your environment and help you create an effective Rule Base.

Enabling URL Filtering on a Security Gateway

Before you enable the URL Filtering Software Blade, make sure a DNS has been configured in the environment. If you have a proxy server in your network, make sure it is defined on the Security Gateway or in the management environment.

To enable the URL Filtering Software Blade on a gateway:

1. In SmartDashboard, right-click the Security Gateway object and select Edit.

   The Gateway Properties window opens.

2. In General Properties > Network Security tab, select URL Filtering.
3. Click OK.
4. Install the Policy.

Creating an Application Control and URL Filtering Policy

Create and manage the Policy for Application Control and URL Filtering in the Application and URL Filtering tab of SmartDashboard. The Policy defines which users can use specified applications and sites from within your organization and what application and site usage is recorded in the logs.

• The Overview pane gives an overview of your Policy and traffic.
• The Policy pane contains your Rule Base, which is the primary component of your Application Control and URL Filtering Policy. Click the Add Rule buttons to get started.

• Look through the AppWiki to learn which applications and categories have high risk levels. Find ideas of applications and categories to include in your Policy.

Monitoring Applications

Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?

To monitor all Facebook application traffic:

1. In the Application and URL Filtering tab of SmartDashboard, open the Policy page.
2. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
3. Make a rule that includes these components:
   • Name - Give the rule a name such as Monitor Facebook.
   • Source - Keep it as Any so that it applies to all traffic from the organization.
   • Destination - Keep it as Internet so that it applies to all traffic going to the internet or DMZ.
   • Applications/Sites - Click the plus sign to open the Application viewer. Add the Facebook application to the rule:
     • Start to type "face" in the Search field. In the Available list, see the Facebook application.
     • Click an item to see more details in the description pane.
     • Select items to add to the rule.
   • Action - Keep it as Allow.
   • Track - Keep it as Log.
   • Install On - Keep it as All or choose Security Gateways on which to install the rule.

The rule allows all Facebook traffic but logs it. You can see the log data in SmartView Tracker and SmartEvent to monitor how people use Facebook in your organization.

Blocking Applications

Scenario: I want to block pornographic sites in my organization. How can I do this?

To block an application or category of applications, such as pornography, in your organization:

1. In the Application and URL Filtering tab of SmartDashboard, open the Policy pane.
2. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
3. Create a rule that includes these components:
   • Applications/Sites - Select the Pornography category.
   • Action - Block, and optionally, a UserCheck Blocked Message. The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.
   • Track - Log

Note: This Rule Base example contains only those columns that are applicable to this subject.

Name	Source	Destination	Applications/ Sites	Action	Track	Install On
Block Porn	Any	Internet	Pornography	Block Blocked Message	Log	All

The rule blocks traffic to pornographic sites and logs attempts access sites that are in the pornography category. Users who violate the rule receive a customizable UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

Limiting Application Traffic

Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks.

If you do not want to block an application or category, there are two ways to set limits for employee access:

• Add a Limit object to a rule to limit the bandwidth that is permitted for the rule.
• Add one or more Time objects to a rule to make it active only during specified times.

The example rule below:

• Allows access to streaming media during non-peak business hours only.
• Limits the upload and download throughput for streaming media in the company to 1 Gbps.

To create a rule that allows streaming media with time and bandwidth limits:

1. In the Application and URL Filtering tab of SmartDashboard, open the Policy pane.
2. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
3. Make a rule that includes these components:
   • Applications/Sites - Media Streams category.
   • Action - Allow, and a Limit object that specifies the maximum upload and download throughput.
   • Time - Add a Time object that specifies the hours or time period in which the rule is active.

Name		Source	Destination	Applications/Sites	Action	Track	Install On	Time
Limit Streaming Media		Any	Internet	Media Streams	Allow Upload_1Gbps Up: 1 Gbps	Log	All	Non-peak
	Note - In a cluster environment, the specified bandwidth limit is divided between all defined cluster members, whether active or not. For example, if a rule sets 1Gbps limit in a three member cluster, each member has a fixed limit of 333Mbps.

Using Identity Awareness Features in Rules

Scenario: I want to allow a Remote Access application for a specified group of users and block the same application for other users. I also want to block other Remote Access applications for everyone. How can I do this?

If you enable Identity Awareness on a Security Gateway, you can use it together with Application Control to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

• You have already created an Access Role that represents all identified users in the organization. You can use this to allow access to applications only for users who are identified on the Security Gateway.
• You want to allow access to the Radmin Remote Access tool for all identified users.
• You want to block all other Remote Access tools for everyone within your organization. You also want to block any other application that can establish remote connections or remote control.

To do this, add two new rules to the Rule Base:

1. Create a rule and include these components:
   • Source - The Identified_Users access role
   • Destination - Internet
   • Applications/Sites - Radmin
   • Action - Allow
2. Create a rule below the rule from step 1. Include these components:
   • Source - Any
   • Destination - Internet
   • Applications/Sites - The category: Remote Administration Tool
   • Action - Block

Name	Source	Destination	Applications/Sites	Action	Track	Install On
Allow Radmin to Identified Users	Identified_users	Internet	Radmin	Allow	None	All
Block other Remote Admin	Any	Internet	Remote Administration Tool	Block	Log	All

Notes on these rules:

• Because the rule that allows Radmin is above the rule that blocks other Remote Administration tools, it is matched first.
• The Source of the first rule is the Identified Users access role. If you use an access role that represents the Technical Support department, then only users from the technical support department are allowed to use Radmin.

For more about Access Roles and Identity Awareness, see the R77 Identity Awareness Administration Guide.

Blocking Sites

Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of these categories exist in the Application and URL Filtering Database but there is also a custom defined site that must be included. How can I do this?

You can do this by creating a custom group and adding all applicable categories and the site to it. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

• You have already created an Access Role that represents all identified users in the organization.
• You want to block sites that can cause liability issues for everyone within your organization.
• You will create a custom group that includes Application and URL Filtering Database categories as well as a previously defined custom site named Smirnoff.

To create a custom group:

1. In the Application and URL Filtering tab of SmartDashboard, open the Applications/Sites pane.
2. Click New > Applications/Sites Group.
3. Give the group a name. For example, Liability_Sites.
4. Add the group members:
   • Filter by Categories (make sure only the Categories button is selected) and select the checkboxes of all the related categories in the Application and URL Filtering Database.
   • Filter by Custom (click the Categories button to clear it and select Custom) and select the custom application.
5. Click OK.

   The categories and custom site are in the group members list.

6. Click OK.

   The group is added to the Applications/Sites list. You can use it in the Rule Base.

In the Rule Base, add a rule similar to this:

• Source - The Identified_Users access role
• Destination - Internet
• Applications/Sites - Liability_Sites
• Action - Block

Name	Source	Destination	Applications/ Sites	Action	Track
Block sites that may cause a liability	Identified_Users	Internet	Liability_Sites	Block	Log

Blocking URL Categories

Scenario: I want to block pornographic sites. How can I do this?

You can do this by creating a rule that blocks all sites with pornographic material with the Pornography category. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

• You have already created an Access Role that represents all identified users in the organization.
• You want to block sites related to pornography.

In the Rule Base, add a rule similar to this:

• Source - The Identified_Users access role
• Destination - Internet
• Applications/Sites - Pornography category
• Action - Block