Application Control can be enabled on R75 or higher gateways and URL Filtering can be enabled on R75.20 or higher gateways.
Make sure that each Security Gateway has a Security Gateway license and an Application Control contract and/or URL Filtering contract. For clusters, make sure you have a contract and license for each cluster member.
New installations and upgraded installations automatically receive a 30-day trial license and updates. Contact your Check Point representative to get full licenses and contracts.
If you do not have a valid contract for a Security Gateway, the Application Control blade and/or the URL Filtering blade is disabled. When contracts are about to expire or have already expired, you will see warnings. Warnings show in:
You can use the SmartDashboard toolbar to do these actions (the toolbar icons are not reproduced here):
Icon | Description
---|---
(icon) | Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
(icon) | Save current policy and all system objects.
(icon) | Open a policy package, which is a collection of Policies saved together with the same name.
(icon) | Refresh policy from the Security Management Server.
(icon) | Open the Database Revision Control window.
(icon) | Change global properties.
(icon) | Verify Rule Base consistency.
(icon) | Install the policy on Security Gateways or VSX Gateways.
(icon) | Open SmartConsole.
Enable the Application Control Software Blade on each Security Gateway.
To enable the Application Control Software Blade on a Security Gateway:
The Gateway Properties window opens.
After you enable Application Control, you can see logs that relate to application traffic in SmartView Tracker and SmartEvent. These logs show how applications are used in your environment and help you create an effective Rule Base.
Before you enable the URL Filtering Software Blade, make sure a DNS server has been configured in the environment, because the gateway must resolve names to categorize sites. If you have a proxy server in your network, make sure it is defined on the Security Gateway or in the management environment.
To enable the URL Filtering Software Blade on a gateway:
The Gateway Properties window opens.
Create and manage the Policy for Application Control and URL Filtering in the Application and URL Filtering tab of SmartDashboard. The Policy defines which users can use specified applications and sites from within your organization and what application and site usage is recorded in the logs.
Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?
To monitor all Facebook application traffic:
The rule allows all Facebook traffic but logs it. You can see the log data in SmartView Tracker and SmartEvent to monitor how people use Facebook in your organization.
Scenario: I want to block pornographic sites in my organization. How can I do this?
To block an application or category of applications, such as pornography, in your organization:
Note: This Rule Base example contains only those columns that are applicable to this subject.
Name | Source | Destination | Applications/Sites | Action | Track | Install On
---|---|---|---|---|---|---
Block Porn | Any | Internet | Pornography | Block | Log | All
The rule blocks traffic to pornographic sites and logs attempts to access sites that are in the Pornography category. Users who violate the rule receive a customizable UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report that the website is included in an incorrect category.
Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.
Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks.
If you do not want to block an application or category, there are two ways to set limits for employee access:
The example rule below:
To create a rule that allows streaming media with time and bandwidth limits:
Name | Source | Destination | Applications/Sites | Action | Track | Install On | Time
---|---|---|---|---|---|---|---
Limit Streaming Media | Any | Internet | Media Streams | Allow | Log | All | Non-peak
Note - In a cluster environment, the specified bandwidth limit is divided equally between all defined cluster members, whether active or not. For example, if a rule sets a 1 Gbps limit in a three-member cluster, each member has a fixed limit of 333 Mbps.
Scenario: I want to allow a Remote Access application for a specified group of users and block the same application for other users. I also want to block other Remote Access applications for everyone. How can I do this?
If you enable Identity Awareness on a Security Gateway, you can use it together with Application Control to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.
In this example:
To do this, add two new rules to the Rule Base:
Name | Source | Destination | Applications/Sites | Action | Track | Install On
---|---|---|---|---|---|---
Allow Radmin to Identified Users | Identified_users | Internet | Radmin | Allow | None | All
Block other Remote Admin | Any | Internet | Remote Administration Tool | Block | Log | All
Notes on these rules:
For more about Access Roles and Identity Awareness, see the R77 Identity Awareness Administration Guide.
Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of these categories exist in the Application and URL Filtering Database, but there is also a custom-defined site that must be included. How can I do this?
You can do this by creating a custom group and adding all applicable categories and the site to it. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.
In this example:
To create a custom group:
The categories and custom site are in the group members list.
The group is added to the Applications/Sites list. You can use it in the Rule Base.
In the Rule Base, add a rule similar to this:
Name | Source | Destination | Applications/Sites | Action | Track
---|---|---|---|---|---
Block sites that may cause a liability | Identified_Users | Internet | Liability_Sites | Block | Log
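The Radmin scenario, the custom-group scenario and the Block Porn rule all depend on the same two things: the order in which rules are matched, and which objects (application, category, site, group, access role) a connection is compared against. The following is an added example, not Check Point code: a toy model of an Application Control and URL Filtering Rule Base that evaluates constructed sample connections top-down, first match wins. The application-to-category data, the `Identified_users` membership, the hostnames and the default action when no rule matches are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# --- constructed reference data; not the real Application Database ---
APP_CATEGORIES = {                      # application -> categories it belongs to
    "Radmin": {"Remote Administration Tool"},
    "TeamViewer": {"Remote Administration Tool"},
    "Facebook": {"Social Networking"},
}
GROUPS = {                              # custom group -> categories and custom sites
    "Liability_Sites": {"Gambling", "Hate Speech", "site:badsite.example"},
}
ACCESS_ROLES = {"Identified_users": {"alice", "bob"}}   # hypothetical membership


@dataclass
class Connection:
    user: Optional[str]                 # None = the gateway could not identify the user
    destination: str                    # e.g. "Internet"
    app: Optional[str] = None
    site: Optional[str] = None
    site_categories: Set[str] = field(default_factory=set)   # what URL Filtering would return


@dataclass
class Rule:
    name: str
    source: str                         # "Any" or an access role name
    destination: str                    # "Any" or a zone name
    apps: Set[str]                      # applications, categories, sites or groups
    action: str                         # "Allow" or "Block"
    track: str = "Log"                  # "Log" or "None"


def expand(items: Set[str]) -> Set[str]:
    """Replace group names by their members so matching sees categories and sites."""
    out: Set[str] = set()
    for item in items:
        out |= GROUPS.get(item, {item})
    return out


def matches(rule: Rule, conn: Connection) -> bool:
    # An access-role source never matches a user the gateway did not identify.
    if rule.source != "Any" and conn.user not in ACCESS_ROLES.get(rule.source, set()):
        return False
    if rule.destination not in ("Any", conn.destination):
        return False
    wanted = expand(rule.apps)
    if "Any" in wanted:
        return True
    if conn.app and (conn.app in wanted or APP_CATEGORIES.get(conn.app, set()) & wanted):
        return True
    if conn.site and (f"site:{conn.site}" in wanted or conn.site_categories & wanted):
        return True
    return False


def evaluate(rulebase: List[Rule], conn: Connection) -> Tuple[str, str, bool]:
    """Top-down, first matching rule wins. Returns (action, rule name, logged?)."""
    for rule in rulebase:
        if matches(rule, conn):
            return rule.action, rule.name, rule.track == "Log"
    # Assumption for this toy: traffic matched by no rule is allowed and not logged.
    return "Allow", "(no rule matched)", False


RULEBASE = [
    Rule("Allow Radmin to Identified Users", "Identified_users", "Internet",
         {"Radmin"}, "Allow", track="None"),
    Rule("Block other Remote Admin", "Any", "Internet",
         {"Remote Administration Tool"}, "Block"),
    Rule("Block sites that may cause a liability", "Identified_users", "Internet",
         {"Liability_Sites"}, "Block"),
    Rule("Block Porn", "Any", "Internet", {"Pornography"}, "Block"),
]


def ordering_pitfall() -> Tuple[str, str, bool]:
    """Swap the two Remote Admin rules: the category Block now hides the Radmin Allow."""
    swapped = [RULEBASE[1], RULEBASE[0]] + RULEBASE[2:]
    return evaluate(swapped, Connection("alice", "Internet", app="Radmin"))


if __name__ == "__main__":
    samples = [
        Connection("alice", "Internet", app="Radmin"),
        Connection(None, "Internet", app="Radmin"),
        Connection("bob", "Internet", app="TeamViewer"),
        Connection("alice", "Internet", site="badsite.example", site_categories={"News"}),
        Connection(None, "Internet", site="casino.example", site_categories={"Gambling"}),
        Connection(None, "Internet", site="x.example", site_categories={"Pornography"}),
    ]
    for c in samples:
        print(c.user, c.app or c.site, "->", evaluate(RULEBASE, c))
    print("swapped order:", ordering_pitfall())
```

Two points the model makes visible: Radmin is a member of the Remote Administration Tool category, so the rule that allows it for the access role must sit above the rule that blocks the category, otherwise the Block rule matches first for everyone; and a Block rule whose Source is an access role does not apply to traffic from users the gateway could not identify (the gambling site above is allowed for the unidentified user), so a rule meant for everyone needs Source = Any.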
Scenario: I want to block pornographic sites. How can I do this?
You can do this by creating a rule that uses the Pornography category to block all sites with pornographic material. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.
In this example:
In the Rule Base, add a rule similar to this: