Getting Started with URL Filtering

In This Section: Application Control and URL Filtering Contracts Enabling Application and URL Filtering on a Security Gateway Enabling Application and URL Filtering in the Access Control Policy Monitoring Application and URL Filtering Creating an Application Control and URL Filtering Policy

The information here applies to the second Policy Layer, which is Application and URL Filtering.

Application Control and URL Filtering Contracts

You must have a contract for Application Control and URL Filtering for each Security Gateway on which these blades are enabled. This is in addition to the Security Gateway license. For clusters, make sure you have a contract and license for each cluster member.

New installations and upgraded installations include a 30 day trial license and contract. Contact your Check Point representative to get full licenses and contracts.

If you do not have a valid contract for a Security Gateway, the Application Control blade and the URL Filtering blade are disabled. When contracts are about to expire or are already expired, warnings show in:

• The Audit tab of the Logs & Monitor view.
• The Check Point User Center, when you log in to your account.

Enabling Application and URL Filtering on a Security Gateway

You can enable the Application Control Software Blade, the URL Filtering Software Blade,or both of them, on each Security Gateway.

Note - For Application and URL Filtering to work properly, you must also enable Application and URL Filtering in the Access Control Policy.

To enable Application and URL Filtering on a Security Gateway:

1. In R80 SmartConsole go to the Gateways & Servers view.
2. Double-click a Security Gateway object.

   The Gateway Properties window opens.

3. Select General Properties.
4. In the Network Security tab, select Application Control or URL Filtering, or both, as necessary.
5. Click OK.
6. Install the Policy.

To see which Security Gateways enforce Application and URL Filtering:

1. In the Gateways & Servers view of R80 SmartConsole, look at the Active Blades column.
2. Look for the Gateways with these Software Blades enabled:
   • Application Control
   • URL Filtering

Enabling Application and URL Filtering in the Access Control Policy

After upgrading a Security Management Server from R77.x to R80, the Firewall Policy and the Application and URL Filtering Policy are converted to these Policy Layers:

• Network - Firewall Software Blade is enabled
• Application - Firewall and Application and URL Filtering Software Blades are enabled

For the Application Control Policy Layer to work, make sure that both - Firewall and Application and URL Filtering Software Blades are enabled in it.

To enable Application and URL Filtering in the Access Control Policy:

1. In R80 SmartConsole go to the Security Policies view.
2. In the Access Control section, right-click Policy and select Edit Layer.

   The Policy window opens.

3. Make sure that Access Control Policy Type is selected.
4. In the Access Control Policy section, double-click Policy Layer.
5. In the window that opens, select Applications & URL Filtering.
6. Click OK.
7. Click OK.
8. Install the Policy.

Monitoring Application and URL Filtering

To see logs for Application and URL Filtering:

1. In R80 SmartConsole, go to the Logs & Monitor view.
2. Click the Favorites icon .
3. Select Access > By Blade > Application Control or Access > By Blade > URL Filtering.

The logs show how applications are used in your environment and help you create effective Rule Bases.

Creating an Application Control and URL Filtering Policy

Create and manage the Policy for Application Control and URL Filtering in the Access Control Policy, in the Security Policies view of R80 SmartConsole. The Access Control Policy defines which users can use specified applications and sites from within your organization and what application and site usage is recorded in the logs.

• The Policy pane contains the Rule Base, which is the primary component of your Application Control and URL Filtering Policy. Click one of the Add rule buttons to get started.
• To learn which applications and categories have a high risk, look through the AppWiki in the Access Tools part of the Security Policies view. Find ideas of applications and categories to include in your Policy.
• To see an overview of your Access Control Policy and traffic, see Access tab of the Logs & Monitor view. (SmartEvent license required.)

Monitoring Applications

Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?

To monitor all Facebook application traffic:

1. In the Security Policies view of R80 SmartConsole, go to the Access Control Policy.
2. Choose the Application Control Layer.
3. Click one of the Add rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
4. Create a rule that includes these components:
   • Name - Give the rule a name, such as Monitor Facebook.
   • Source - Keep it as Any so that it applies to all traffic from the organization.
   • Destination - Keep it as Internet so that it applies to all traffic going to the internet or DMZ.
   • Services & Applications - Click the plus sign to open the Application viewer. Add the Facebook application to the rule:
     • Start to type "face" in the Search field. In the Available list, see the Facebook application.

     

     • Click each item to see more details in the description pane.
     • Select the items to add to the rule.

     Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

   • Action - Select Accept
   • Track - Select Log
   • Install On - Keep it as Policy Targets for or all gateways, or choose specific Security Gateways on which to install the rule

The rule allows all Facebook traffic but logs it. You can see the log data in the Logs & Monitor view, in the Logs tab. To monitor how people use Facebook in your organization, see the Access Control tab (SmartEvent Server required).

Blocking Applications

Scenario: I want to block YouTube in my organization. How can I do this?

To block an application or category of applications, such as YouTube, in your organization:

1. In the Security Policies view of R80 SmartConsole, go to the Access Control Policy.
2. Choose the Application Control Layer.
3. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base.
4. Create a rule that includes these components:
   • Services & Applications - Select the YouTube category.

     Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

   • Action - Drop, and optionally, a UserCheck Blocked Message - Access Control

     The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.

   • Track - Log

Note: This Rule Base example contains only those columns that are applicable to this subject.

Name	Source	Destination	Services & Applications	Action	Track	Install On
Block Porn	Any	Internet	YouTube	Drop Blocked Message	Log	Policy Targets

The rule blocks traffic to YouTube and logs attempts to access sites that are in the pornography category. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

Limiting Application Traffic

Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks.

If you do not want to block an application or category, there are different ways to set limits for employee access:

• Add a Limit object to a rule to limit the bandwidth that is permitted for the rule.
• Add one or more Time objects to a rule to make it active only during specified times.

The example rule below:

• Allows access to streaming media during non-peak business hours only.
• Limits the upload and download throughput for streaming media in the company to 1 Gbps.

To create a rule that allows streaming media with time and bandwidth limits:

1. In the Security Policies view of R80 SmartConsole, go to the Access Control Policy.
2. Choose the Application Control Layer.
3. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base.
4. Create a rule that includes these components:
   • Services & Applications - Media Streams category.

     Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

   • Time - Add a Time object that specifies the hours or time period in which the rule is active.

     Note - The Time column is not shown by default in the Rule Base table. To see it, right-click on the table header and select Time.

Name		Source	Destination	Services and Applications	Action	Track	Install On	Time
Limit Streaming Media		Any	Internet	Media Streams	Allow Upload_1Gbps	Log	All	Off-Work
	Note - In a cluster environment, the specified bandwidth limit is divided between all defined cluster members, whether active or not. For example, if a rule sets 1Gbps limit in a three member cluster, each member has a fixed limit of 333 Mbps.

Using Identity Awareness Features in Rules

Scenario: I want to allow a Remote Access application for a specified group of users and block the same application for other users. I also want to block other Remote Access applications for everyone. How can I do this?

If you enable Identity Awareness on a Security Gateway, you can use it together with Application Control to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

• You have already created an Access Role Identified_Users that represents all identified users in the organization. You can use this to allow access to applications only for users who are identified on the Security Gateway.
• You want to allow access to the Radmin Remote Access tool for all identified users.
• You want to block all other Remote Access tools for everyone within your organization. You also want to block any other application that can establish remote connections or remote control.

To do this, add two new rules to the Rule Base:

1. Create a rule and include these components:
   • Source - The Identified_Users access role
   • Destination - Internet
   • Services & Applications - Radmin
   • Action - Accept
2. Create another rule below and include these components:
   • Source - Any
   • Destination - Internet
   • Services & Applications - The category: Remote Administration
   • Action - Block

Name	Source	Destination	Services & Applications	Action	Track	Install On
Allow Radmin to Identified Users	Identified_Users	Internet	Radmin	Allow	Log	All
Block other Remote Admins	Any	Internet	Remote Administration	Block	Log	All

Notes on these rules:

• Because the rule that allows Radmin is above the rule that blocks other Remote Administration tools, it is matched first.
• The Source of the first rule is the Identified_Users access role. If you use an access role that represents the Technical Support department, then only users from the technical support department are allowed to use Radmin.
• Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

Blocking Sites

Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of these categories exist in the Application and URL Filtering Database but there is also a custom defined site that must be included. How can I do this?

You can do this by creating a custom group and adding all applicable categories and the site to it. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

• You have already created
  • An Access Role that represents all identified users in the organization.
  • A custom application for a site named FreeMovies.
• You want to block sites that can cause liability issues for everyone within your organization.
• You will create a custom group that includes Application and URL Filtering Database categories as well as the previously defined custom site named FreeMovies.

To create a custom group:

1. In the Object Explorer, click New > More > Custom Application/Site > Application/Site Group.
2. Give the group a name. For example, Liability_Sites.
3. Click + to add the group members:
   • Search for and add the custom application FreeMovies.

   You can now use the group in the Access Control Rule Base.

4. Click Close

In the Rule Base, add a rule similar to this:

In the Security Policies view of R80 SmartConsole, go to the Access Control Policy.

• Source - The Identified_Users access role
• Destination - Internet
• Services & Applications - Liability_Sites
• Action - Drop

  Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

Name	Source	Destination	Services & Applications	Action	Track
Block sites that may cause a liability	Identified_Users	Internet	Liability_Sites	Drop	Log

Blocking URL Categories

Scenario: I want to block pornographic sites. How can I do this?

You can do this by creating a rule that blocks all sites with pornographic material with the Pornography category. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

• You have already created an Access Role that represents all identified users in the organization.
• You want to block sites related to pornography.

In the Rule Base, add a rule similar to this:

• Source - The Identified_Users access role
• Destination - Internet
• Services & Applications - Pornography category
• Action - Drop

  Note - Categories are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

Changed Behavior with R80 Management

After an upgrade to R80 management, all applications and categories use the recommended services. To change this see Changing Services for Applications and Categories.