Managing Application and URL Filtering

In This Section: Managing Pre-R80 Security Gateways The Columns of the Access Control Rule Base Types of Rules in the Rule Base Services & Applications Changing Services for Applications and Categories Overriding Categorization for a URL Log Sessions Tracking Options Time Adding a Limit Object to a Rule Enabling or Disabling Hit Count Configuring the Hit Count Display UserCheck Interaction Objects The Application and URL Filtering Database Application and URL Filtering Advanced Settings HTTPS Inspection Using Identity Awareness in the Rule Base Using Application and URL Filtering with VSX

You configure Application Control and URL Filtering in the Security Policies view, in the Access Control Policy of R80 SmartConsole.

See the logs in the Logs tab of the Logs & Monitor view.

See real-time traffic statistics and analysis in the Access Control tab of the Logs & Monitor view, and in the SmartEvent GUI.

This chapter explains the Application Control and URL Filtering configuration and management that you do in the Access Control Policy section of R80 SmartConsole.

Managing Pre-R80 Security Gateways

When you upgrade a pre-R80 Security Management Server that manages pre-R80 Security Gateways to R80, the existing Access Control policies are converted in this way:

• The pre-R80 Firewall policy is converted into the Network Policy Layer of the R80 Access Control Policy. The implicit cleanup rule for it is set to Drop all traffic that is not matched by any rule in this Layer.
• The pre-R80 Application & URL Filtering policy is converted into the Application Policy Layer, which is the second Layer of the R80 Access Control Policy. The implicit cleanup rule for it is set to Accept all traffic that is not matched by any rule in this Layer.

Important – After upgrade, do not change the Action of the implicit cleanup rules, or the order of the Policy Layers. If you do, the policy installation will fail.

New Access Control Policy for pre-R80 Security Gateways on an R80 Security Management Server must have this structure:

1. The first Policy Layer is the Network Layer (with the Firewall blade enabled on it).
2. The second Policy Layer is the Application and URL Filtering Layer (with the Application & URL Filtering blade enabled on it).
3. There are no other Policy Layers.

If the Access Control Policy has a different structure, the policy will fail to install.

You can change the names of the Layers, for example, to make them more descriptive.

Each new Policy Layer will have the explicit default rule, added automatically and set to Drop all the traffic that does not match any rule in that Policy Layer. We recommend that the Action is set to Drop for the Network Policy Layer and Accept for the Application Control Policy Layer.

If you remove the default rule, the Implicit Cleanup Rule will be enforced. The Implicit Cleanup Rule is configured in the Policy configuration window and is not visible in the Rule Base table. Make sure the Implicit Cleanup Rule is configured to Drop the unmatched traffic for the Network Policy Layer and to Accept the unmatched traffic for the Application Control Policy Layer.

The Columns of the Access Control Rule Base

These are the fields of the rules in the Access Control policy. Not all of these are shown by default. To select a field that does not show, right-click on the Rule Base table header, and select it.

Field	Description
No.	Rule number in the Rule Base Layer.
Hits	Number of connections that match this rule.
Name	Name that the system administrator gives this rule.
Source	Network object that defines where the traffic starts.
Destination	Network object that defines the destination of the traffic.
Services & Applications	Services, Applications, Categories, and Sites. If Application and URL Filtering is not enabled, only Services show.
Action	Action that is done when traffic matches the rule. Options include: Accept, Drop, Ask, Inform (UserCheck message), and Reject.
Track	Tracking and logging action that is done when traffic matches the rule.
Install On	Network objects that will get the rule(s) of the policy.
Time	Time period that this rule is enforced.
Comment	An optional field that lets you summarize the rule.

Types of Rules in the Rule Base

There are three types of rules in the Rule Base - explicit, implied and implicit.

Explicit rules

The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.

Important - The Cleanup rule is a default explicit rule and is added with every new layer. You can change or delete the default Cleanup rule. We recommend that you have an explicit cleanup rule as the last rule in each layer.

Implied rules

The default rules that are available as part of the Global properties configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:

• First - Applied first, before all other rules in the Rule Base - explicit or implied
• Last - Applied last, after all other rules in the Rule Base - explicit or implied, but before the Implicit Cleanup Rule
• Before Last - Applied before the last explicit rule in the Rule Base

Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections rules allow packets that control these services:

• Installation of the security policy on a Security Gateway
• Sending logs from a Security Gateway to the Security Management Server
• Connecting to third party application servers, such as RADIUS and TACACS authentication servers

Implicit cleanup rule

The default "catch-all" rule that deals with traffic that does not match any explicit or implied rules in the Policy Layers. For R77.30 or earlier versions Security Gateways, the action of the implicit rule depends on the Policy Layer:

• Drop - for the Network Layer
• Accept - for the Application Control Layer

Note - If you change the default values, the policy installation will fail.

The implicit rules do not show in the Rule Base.

Services & Applications

In the Services & Applications column, define the Web applications, sites, services and protocols that are included in the rule. A rule can contain one or more:

• Applications
• Web sites
• Services
• Default categories of Internet traffic
• Custom groups or categories that you create, that are not included in the Check Point Application and URL Filtering Database.

Notes -

It is not supported to configure a service and application in the same rule.

Applications are matched on their Recommended services, where each service runs on a specific port. The recommended services for Facebook, for example, are the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

To add an application or site to a rule:

1. In the Security Policies view of R80 SmartConsole, go to the Access Control Policy.
2. Select the Application Control Layer.
3. Right-click the Services & Applications cell for the rule and select Add New Items.

   The Application viewer window opens.

4. Search for the applications or categories.
5. Click the + next to the ones you want to add.

To create a new application or site:

1. In the Security Policies view of R80 SmartConsole, go to the Access Control Policy.
2. Select the Application Control Layer.
3. Right-click the Services & Applications cell for the rule and select Add New Items.

   The Application viewer window opens.

4. Click New > Custom Applications/Site > User Application.
5. Enter a name for the object.
6. Enter one or more URLs.

   If you used a regular expression in the URL, click URLs are defined as Regular Expressions.

   Note - If the application or site URL is defined as a regular expression you must use the correct syntax.

7. Click OK.

To create a custom category:

1. In the Security Policies view of R80 SmartConsole, go to the Access Control Policy.
2. Select the Application Control Layer.
3. Right-click the Services & Applications cell for the rule and select Add New Items.

   The Application viewer window opens.

4. Click New > Custom Applications/Site > User Category.
5. Enter a name for the object.
6. Enter a description for the object.
7. Click OK.

Changing Services for Applications and Categories

By default, applications and categories are matched on their recommended services.

To change the services that are matched for an application or category:

1. In the Application and URL Filtering Layer, double-click an application or category in a rule.
2. Select Match Settings.
3. Select an option:
   1. To add or remove services, select Customize and use the Application Viewer to add all services that are matched for this application in the Rule Base.
   2. To match the application with all services, select Any.
   3. To exclude specified services, select Negate and use the Application Viewer to select the services to exclude.
4. Click OK

The application or category is changed everywhere that it is used in the policy.

Overriding Categorization for a URL

To override categorization for a URL:

1. From the Objects tab of R80 SmartConsole, select New > More > Custom Application/Site > Override Categorization.

   The Override Categorization for URL window opens.

2. Enter a URL in the field. You do not need to include the prefix http:\\.
3. If the URL contains a regular expression, select URL is defined as a Regular Expression.
4. Select a Primary Category from the list.
5. Select a Risk from the list.
6. To add additional categories, click Add .
7. Select the categories and click OK.

   The selected categories are shown in the Additional Categories list.

8. Click OK.

Log Sessions

Application traffic generates a very large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or site. During a session, the Security Gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log.

Tracking Options

• Network Log - Generates a log with only basic Firewall information: Source, Destination, Source Port, Destination Port, and Protocol.
• Log - Equivalent to the Network Log option, but also includes the application name (for example, Dropbox), and application information (for example, the URL of the Website). This is the default Tracking option.
• Full Log - Equivalent to the log option, but also records data for each URL request made.
  • If suppression is not selected, it generates a complete log (as defined in pre-R80 management).
  • If suppression is selected, it generates an extended log (as defined in pre-R80 management).
• None - Do not generate a log.

You can add these options to a Log, Full Log, or Network Log:

• Accounting - If selected, update the log every 10 minutes, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.
• Suppression - If selected, one log is generated every three hours for all the connections.

Alert:

If an Alert is selected, Log is selected automatically.

• None - Do not generate an alert.
• Alert - Generate a log and run a command, such as: Show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Menu > Global Properties > Log and Alert > Alerts.
• SNMP - Send an SNMP alert to the SNMP GUI, or run the script defined in: Menu > Global Properties > Log and Alert > Alerts.
• Mail - Send an email to the administrator, or run the mail alert script defined in: Menu > Global Properties > Log and Alert > Alerts.
• User Defined Alert - Send one of three possible customized alerts. The alerts are defined by the scripts specified in the Menu > Global Properties > Log and Alert > Alerts.

Time

You can add a Time object to a rule to make the rule active only during specified times. If you do not include a Time object in a rule, the rule is always active.

You can include one or more Time objects and Time Groups in a rule. A Time Group contains Time objects.

When you have multiple Time objects or a Time Group, each Time object works independently. For example, if a rule has two Time objects:

• One shows that the rule is active on Mondays.
• One shows that the rule is active from 9:00 - 17:00.

The rule is active each day from 9:00 - 17:00 and all day on Mondays. For the rule to be active from 9:00 - 17:00 on Mondays only, make one Time object that contains all of the criteria.

To add the Time Column to the Access Control Policy:

1. Right-click the heading row of the Access Control Policy.
2. Select Time.

To create a new Time object:

1. In the Time column of a rule, select Add New Items.
2. Click New and select Time.
3. Enter a Name without spaces.
4. Select one or more options:
   • Time Period - Select a Start and End date and time for the rule.
   • Hour Ranges - Select hours of the day when the rule is active.
   • Day Recurrence - Select days of the week or month when the rule is active. The default is Every Day.
5. Click OK.

To add Time objects to a rule:

1. In the Time column of a rule, select Add New Items.
2. Select from the available objects.

   Notes -

• The relevant time zone is that of the Security Gateway enforcing the rule. If Security Gateways are in different time zones, they enforce the same time object rules at different times.
• If a rule in a Policy Layer has the Time criteria specified, acceleration templates for rules that follow it in the same Policy Layer are disabled.

Adding a Limit Object to a Rule

To add a Limit object to a rule:

1. In the Access Control Rule Base, in an Application Control Layer rule that has the action Accept, Ask or Inform, select the Action cell.
2. Select More > Limit.
3. Select a limit.
4. Click OK.

The Limit is added to the rule.

Note - The Security Gateway implements the Limit action by dropping successive packets which exceed the allowed bandwidth.

Enabling or Disabling Hit Count

By default, Hit Count is globally enabled for all supported Security Gateways (from R75.40). The timeframe setting that defines the data collection time range is configured globally. If necessary, you can disable Hit Count for one or more Security Gateways.

After you enable or disable Hit Count you must install the Policy for the Security Gateway to start or stop collecting data.

To enable or disable Hit Count globally:

1. In R80 SmartConsole, click Menu > Global properties.
2. Select Hit Count from the tree.
3. Select the options:
   • Enable Hit Count - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
   • Keep Hit Count data up to - Select one of the time range options. The default is 6 months. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
4. Click OK.
5. Install the Policy.

To enable or disable Hit Count on each Security Gateway:

1. From the Gateway Properties for the Security Gateway, select Hit Count from the navigation tree.
2. Select Enable Hit Count to enable the feature or clear it to disable Hit Count.
3. Click OK.
4. Install the Policy.

Configuring the Hit Count Display

These are the options you can configure for how matched connection data is shown in the Hits column:

• Value - Shows the number of matched hits for the rule from supported Security Gateways. Connection hits are not accumulated in the total hit count for:
  • Security Gateways that are not supported
  • Security Gateways that have disabled the hit count feature

  The values are shown with these letter abbreviations:

  • K = 1,000
  • M = 1,000,000
  • G = 1,000,000,000
  • T = 1,000,000,000,000

  For example, 259K represents 259 thousand connections and 2M represents 2 million connections.

• Percentage - Shows the percentage of the number of matched hits for the rule from the total number of matched connections. The percentage is rounded to a tenth of a percent.
• Level - The hit count level is a label for the range of hits according to the table.

  The hit count range = Maximum hit value - Minimum hit value (does not include zero hits)

Hit Count Level	Icon	Range
Zero		0 hits
Low		Less than 10 percent of the hit count range
Medium		Between 10 - 70 percent of the hit count range
High		Between 70 - 90 percent of the hit count range
Very High		Above 90 percent of the hit count range

To show the Hit Count in the Rule Base:

Right-click the heading row of the Rule Base and select Hits.

To configure the Hit Count in a rule:

1. Right-click the rule number of the rule.
2. Select Hit Count and one of these options (you can repeat this action to configure more options):
   • Timeframe - Select All, 1 day, 7 days, 1 month, or 3 months
   • Display. - Select Percentage, Value, or Level

To update the Hit Count in a rule:

1. Right-click the rule number of the rule.
2. Select Hit Count > Refresh.

UserCheck Interaction Objects

UserCheck Interaction Objects add flexibility and give the Security Gateway a mechanism to communicate with users. UserCheck objects are used in a Rule Base to:

• Help users with decisions that can be dangerous to the organization security.
• Share the organization changing internet policy for web applications and sites with users, in real-time.

If a UserCheck object is set as the action on a policy rule, the user browser redirects to the Gaia Administration web portal on port 443 or 80. The portal hosts UserCheck notifications.