Introducing the Access Control Policy

In This Section:

An Access Control Policy Rule Base consists of these types of rules:

Firewall - Control access to the internal network through different access points (gateways)
Application Control and URL Filtering - Prevent malicious applications from compromising any internal company data and the internal network resources

Unified Policy

In R80 the Access Control policy unifies the policies of these pre-R80 Software Blades:

Firewall and VPN
Application Control and URL Filtering
Identity Awareness
Data Awareness
Mobile Access
Security Zones

You can create Access Control policy rules that are based on:

Services
Protocols
Applications
URLs
File types
Data types

The information on connections is collected in one log file from all the Software Blades.

The Columns of the Access Control Rule Base

These are the fields of the rules in the Access Control policy. Not all of these are shown by default. To select a field that does not show, right-click on the Rule Base table header, and select it.

Field	Description
No.	Rule number in the Rule Base Layer.
Hits	Number of connections that match this rule.
Name	Name that the system administrator gives this rule.
Source	Network object that defines where the traffic starts.
Destination	Network object that defines the destination of the traffic.
Services & Applications	Services, Applications, Categories, and Sites. If Application Control and URL Filtering is not enabled, only Services show.
Action	Action that is done when traffic matches the rule. Options include: Accept, Drop, Ask, Inform (UserCheck message), and Reject.
Track	Tracking and logging action that is done when traffic matches the rule.
Install On	Network objects that will get the rule(s) of the policy.
Time	Time period that this rule is enforced.
Comment	An optional field that lets you summarize the rule.

Types of Rules in the Rule Base

There are three types of rules in the Rule Base - explicit, implied and implicit.

Explicit rules

The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.

Important - The Cleanup rule is a default explicit rule and is added with every new layer. You can change or delete the default Cleanup rule. We recommend that you have an explicit cleanup rule as the last rule in each layer.

Implied rules

The default rules that are available as part of the Global properties configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:

First - Applied first, before all other rules in the Rule Base - explicit or implied
Last - Applied last, after all other rules in the Rule Base - explicit or implied, but before the Implicit Cleanup Rule
Before Last - Applied before the last explicit rule in the Rule Base

Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections rules allow packets that control these services:

Installation of the security policy on a Security Gateway
Sending logs from a Security Gateway to the Security Management Server
Connecting to third party application servers, such as RADIUS and TACACS authentication servers

Implicit cleanup rule

The default "catch-all" rule that deals with traffic that does not match any explicit or implied rules in the Policy Layers. For R77.30 or earlier versions Security Gateways, the action of the implicit rule depends on the Policy Layer:

Drop - for the Network Layer
Accept - for the Application Control Layer

Note - If you change the default values, the policy installation will fail.

The implicit rules do not show in the Rule Base.

Configuring the Implied Rules

Some of the implied rules are enabled by default. You can change the default configuration as necessary.

To configure the implied rules:

In SmartConsole, from the Menu, select Global Properties.
The Global Properties window opens.
Select a rule to enable it, or clear a rule to disable it.
For the enabled rules, select the position of the rules in the Rule Base:
- First - The rule is applied before any other rule in the Rule Base
- Last - The rule is applied if all other rules in the Rule Base were applied and none of them matched
- Before Last - The rule is applied before the last explicit rule, if none of the other rules in the Rule Base matched
Click OK and install the policy.

Visual Division of the Rule Base with Sections

To better manage a policy with a large number of rules, you can use Sections to divide the Rule Base into smaller, logical components. The division is only visual and does not make it possible to delegate administration of different Sections to different administrators.

Managing Pre-R80 Security Gateways

When you upgrade a pre-R80 Security Management Server that manages pre-R80 Security Gateways to R80, the existing Access Control policies are converted in this way:

The pre-R80 Firewall policy is converted into the Network Policy Layer of the R80 Access Control Policy. The implicit cleanup rule for it is set to Drop all traffic that is not matched by any rule in this Layer.
The pre-R80 Application & URL Filtering policy is converted into the Application Policy Layer, which is the second Layer of the R80 Access Control Policy. The implicit cleanup rule for it is set to Accept all traffic that is not matched by any rule in this Layer.

Important – After upgrade, do not change the Action of the implicit cleanup rules, or the order of the Policy Layers. If you do, the policy installation will fail.

New Access Control Policy for pre-R80 Security Gateways on an R80 Security Management Server must have this structure:

The first Policy Layer is the Network Layer (with the Firewall blade enabled on it).
The second Policy Layer is the Application Control and URL Filtering Layer (with the Application & URL Filtering blade enabled on it).
There are no other Policy Layers.

If the Access Control Policy has a different structure, the policy will fail to install.

You can change the names of the Layers, for example, to make them more descriptive.

Each new Policy Layer will have the explicit default rule, added automatically and set to Drop all the traffic that does not match any rule in that Policy Layer. We recommend that the Action is set to Drop for the Network Policy Layer and Accept for the Application Control Policy Layer.

If you remove the default rule, the Implicit Cleanup Rule will be enforced. The Implicit Cleanup Rule is configured in the Policy configuration window and is not visible in the Rule Base table. Make sure the Implicit Cleanup Rule is configured to Drop the unmatched traffic for the Network Policy Layer and to Accept the unmatched traffic for the Application Control Policy Layer.

Order of Rule Enforcement

When a packet arrives at the gateway, the gateway checks it against the rules in the top Policy Layer, sequentially from top to bottom, and enforces the first rule that matches a packet.

If the Action of the matching rule is Drop, the gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the gateway continues to check rules in the next Policy Layer down.

If none of the rules in the Policy Layer match the packet, the explicit Default Cleanup Rule is applied. If this rule is missing, the Implicit Cleanup Rule is applied.

Important - Always add an explicit Default Cleanup Rule at the end of each Policy Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.

Order in which the rules in each Access Control Policy Layer are applied:

First Implied Rule - No explicit rules can be placed before it.
Explicit Rules - These are the rules that you create.
Before Last Implied Rules - Applied before the last explicit rule.
Last Explicit Rule - We recommend that you use a Cleanup rule as the last explicit rule.
Note - If you use the Cleanup rule as the last explicit rule, the Last Implied Rule and the Implicit Cleanup Rule are not enforced.
Last Implied Rule - Remember that although this rule is applied after all other explicit and implied rules, the Implicit Cleanup Rule is still applied last.
Implicit Cleanup Rule - The default rule that is applied if none of the rules in the Policy Layer match.

Best practices for performance-efficient Access Control Policy

Add all rules that are based only on source and destination IP addresses and ports in a Firewall/Network Policy Layer at the top of the Rule Base
Create Firewall/Network rules to explicitly accept safe traffic, and add the Explicit Cleanup Rule at the bottom of the Policy Layer to drop everything else
Create Application Control rules to explicitly drop unwanted or unsafe traffic, and add the Explicit Cleanup Rule at the bottom of the Policy Layer to accept everything else
Turn XFF inspection off, unless the gateway is behind a proxy server. For more, see: sk92839.

Managing Network Access Control

A firewall controls access to computers, clients, servers, and applications through a set of rules that comprise an Access Control Rule Base. You need to configure a Rule Base that not only provides highly secure Access Control, but optimizes network performance. A strong Access Control Rule Base:

Only allows authorized connections and prevents vulnerabilities in a network
Gives authorized users access to the correct internal resources
Efficiently inspects connections and uses network resources efficiently

Ensuring a Secure Network Access

A robust security policy must have some basic rules in its Rule Base.

Basic Rules

These are basic Access Control rules we recommend for all Rule Bases:

Stealth rule that prevents direct access to the Security Gateway

Cleanup rule that drops all traffic that is not allowed by the earlier rules in the policy

Note - There is also the implicit drop rule that drops all traffic that did not match all other rules. This rule does not create log entries. If you want to log the traffic, create an explicit cleanup rule.

Sample Firewall Rule Base

This shows a sample Firewall Rule Base for a typical security policy. (The Hits and VPN columns are not shown.)


Policy Targets
CorpGW
Remote1GW
Policy Targets
Policy Targets
Policy Targets
Policy Targets
Policy Targets

No	Name	Source	Destination	Service	Action	Track	Install On
1	Stealth	NOT internal	GW-group	Any	Drop	Alert	Policy Targets
2	Critical subnet	Internal	Finance HR R&D	Any	Accept	Log	CorpGW
3	Tech support	TechSupport	Remote1-web	HTTP	Accept	Alert	Remote1GW
4	DNS server	Any	DNS	Domain UDP	Accept	None	Policy Targets
5	Mail and Web servers	Any	DMZ	HTTP HTTPS SMTP	Accept	Log	Policy Targets
6	SMTP	Mail	NOT Internal net group	SMTP	Accept	Log	Policy Targets
7	DMZ & Internet	IntGroup	Any	Any	Accept	Log	Policy Targets
8	Clean up rule	Any	Any	Any	Drop	Log	Policy Targets

Stealth - All traffic that is NOT from the internal company network to one of the Security Gateways is dropped. When a connection matches the Stealth rule, an alert window opens in SmartView Monitor.
Critical subnet - Traffic from the internal network to the specified resources is logged. This rule defines three subnets as critical resources: Finance, HR, and R&D.
Tech support - Allows the Technical Support server to access the Remote-1 web server which is behind the Remote-1 Security Gateway. Only HTTP traffic is allowed. When a packet matches the Tech support rule, the Alert action is done.
DNS server - Allows UDP traffic to the external DNS server. This traffic is not logged.
Mail and Web servers - Allows incoming traffic to the mail and web servers that are located in the DMZ. HTTP, HTTPS, and SMTP traffic is allowed.
SMTP - Allows outgoing SMTP connections to the mail server. Does not allow SMTP connections to the internal network, to protect against a compromised mail server.
DMZ and Internet - Allows traffic from the internal network to the DMZ and Internet.
Clean up rule - Drops all traffic. All traffic that is allowed matched one of the earlier rules.

Preventing IP Spoofing

IP spoofing replaces the untrusted source IP address with a fake, trusted one, to hijack connections to your network. Attackers use IP spoofing to send malware and bots to your protected network, to execute DoS attacks, or to gain unauthorized access.

Anti-Spoofing detects if a packet with an IP address that is behind a certain interface, arrives from a different interface. For example, if a packet from an external network has an internal IP address, Anti-Spoofing blocks that packet.

Example:

The diagram shows a Gateway with interfaces A and B, and C, and some example networks behind the interfaces.

For the Gateway, anti-spoofing makes sure that

All incoming packets to A come from 192.168.33.0
All incoming packets to B come from 192.0.2.0 or 10.10.10.0
All incoming packets to C come from the Internet

If an incoming packet to B has a source IP address in network 192.168.33.0, the packet is blocked, because the source address is spoofed.

When you configure Anti-Spoofing on a Check Point Security Gateway, specify the type of networks that each interface faces - External (Internet) or Internal.

Configuring Anti-Spoofing

Make sure to configure Anti-Spoofing protection on all the interfaces of the Security Gateway, including internal interfaces.

To configure Anti-Spoofing for an interface:

In SmartConsole, go to Gateways & Servers and double-click the gateway object.
The General Properties window of the gateway opens.
From the navigation tree, select Network Management.
Click Get Interfaces.
Click Accept.
The gateway network topology shows. If SmartConsole fails to automatically retrieve the topology, make sure that the details in the General Properties section are correct and the Security Gateway, the Security Management Server, and the SmartConsole can communicate with each other.
Select an interface and click Edit.
The Interface properties window opens.
From the navigation tree, select General.
In the Topology section of the page, click Modify.
The Topology Settings window opens.
Select the type of network the interface leads to:
- External - All external/Internet addresses
- Internal -
  - Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
  - Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
  - Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface
  - Interface leads to DMZ - The DMZ that directly connects to this internal interface
In the Anti-Spoofing section, make sure that Perform Anti-Spoofing based on interface topology is selected.
Select an Anti-Spoofing action:
- Prevent - Drops spoofed packets
- Detect - Allows spoofed packets. To monitor traffic and to learn about the network topology without dropping packets, select this option together with the Spoof Tracking Log option.
Configure Anti-Spoofing exceptions (optional) - addresses, from which packets are not inspected by Anti-Spoofing:
1. Select Don't check packets from.
2. Select an object from the drop-down list, or click New to create a new object.
Configure Spoof Tracking - select the tracking action that is done when spoofed packets are detected:
- Log - Create a log entry (default)
- Alert - Show an alert
- None - Do not log or alert
Click OK twice to save Anti-Spoofing settings for the interface.

For each interface, repeat the configuration steps. When finished, install the policy.

Excluding Specific Internal Addresses

In some configurations, the Firewall must allow connections with an internal IP address from an external source. For example, an external application can assign internal IP addresses to external clients. You can configure the Anti-Spoofing protection on the external interfaces to ignore connections from these IP addresses. The Firewall allows these connections and does not inspect them.

Managing URL Filtering and Application Control

Today there are many challenges for businesses to keep up with security requirements of social media and Web 2.0 applications. It is necessary for system administrators to use the security policy to overcome these challenges. For example:

Malware threats - Popular applications like Twitter, Facebook, and YouTube can cause users to download viruses unintentionally. When users download files and use torrents, they can also let malware into your network.
Bandwidth hogging - Applications that use a lot of bandwidth can reduce the performance for important business applications.
Loss of productivity - Employees can spend time on social networking and other applications that can decrease business productivity.
Content control - Prevent Internet access to websites with inappropriate content, such as sex and violence.

The Check Point Solution for Internet Browsing

The Check Point URL Filtering and Application Control Software Blades can help organizations of all sizes monitor and control the use of Internet by their employees. You can easily create policies which identify or block thousands of applications and Internet sites.

Use the URL Filtering and Application Control Software Blades to:

Create a Granular Policy - Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels. You can also create an HTTPS policy that enables Security Gateways to inspect HTTPS traffic and prevent security risks related to the SSL protocol.
Manage Bandwidth Consumption - Configure rules to limit the available network bandwidth for specified users or groups. You can define separate limits for uploading and downloading.
Keep Your Policies Updated - The Application Database is updated regularly, which helps you makes sure that your Internet security policy has the newest applications and website categories. Security Gateways connect to the Check Point Online Web Service to identify new social networking widgets and website categories.
Communicate with Users - UserCheck objects add flexibility to URL Filtering and Application Control and let the Security Gateways communicate with users. UserCheck helps users understand that certain websites are against the company's security policy. It also tells users about the changes in Internet policy related to websites and applications.
Create Custom Objects - In addition to the hundreds of default objects, you can create custom objects, to better manage the use of Internet by your users. Create objects for applications, websites, categories and groups, and use them in your security policy rules.

UserCheck

UserCheck works with the URL Filtering and Application Control Software Blades and lets the Security Gateways send messages to users about possible non-compliant or dangerous Internet browsing. Create UserCheck objects and use them in the Application Control and URL Filtering rules, to communicate with the users. These actions use UserCheck objects:

Inform
Ask
Drop

UserCheck on a Security Gateway

You can enable UserCheck on Security Gateways that use URL Filtering and Application Control Software Blades. When UserCheck is enabled, the user's Internet browser shows the UserCheck messages in a new window.

UserCheck on a computer

The UserCheck client is installed on endpoint computers. This client:

Sends messages for applications that are not based on Internet browsers, such as Skype and iTunes, and Internet browser add-ons and plug-ins.
Shows a message on the computer when it cannot be shown in the Internet browser.

Enabling URL Filtering and Application Control

To enable R80 Application Control and URL Filtering for pre-R80 gateways, enable the Application Control and URL Filtering Software Blades on each gateway. Then, if necessary, create a second Layer for the Application Control and URL Filtering rules. Configure this second Layer for the Access Control Policy.

To enable URL Filtering and Application Control Software Blades on a Security Gateway:

In SmartConsole, go to Gateways & Servers and double-click the gateway object.
The General Properties window of the gateway opens.
From the navigation tree, click General Properties.
In the Network Security tab, select URL Filtering, or Application Control, or both.
Click OK.

To create a second Layer for URL Filtering and Application Control:

In SmartConsole, go to Security Policies.
Right-click a Layer in the Access Control Policy section and select Edit Policy.
The Policy window opens and shows the General view.
In the Access Control section, click the plus sign.
Click New Layer.
The Layer Editor window opens and shows the General view.
Enable Application Control and URL Filtering on the Layer.
1. In the Blades section, enter a name for the Layer.
  We recommend the name Application.
2. Click Application Control and URL Filtering.
3. Click OK and the Layer Editor window closes.
4. Click OK and the Policy window closes.
Install the policy.

Special URL Filtering and Application Control Fields

Internet browsing is not easily defined into allowed and prohibited categories. Many websites and applications can be used for legitimate business reasons. The rules that control Internet access must be flexible and granular. The Access Control Policy Rule Base uses these fields to create a strong and flexible URL Filtering and Application Control security policy:

Services & Applications
Action

Services & Applications

In the Services & Applications column, define the Web applications, sites, services and protocols that are included in the rule. A rule can contain one or more:

Applications
Web sites
Services
Default categories of Internet traffic
Custom categories or groups that you create, that are not included in the Check Point Application Database.

Application Matching

If an application is allowed in the policy, the rule is matched only on the recommended services of the application. This default setting is more secure than allowing the application on all services. For example: a rule that allows Facebook, allows it only on the Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy.

If an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.

You can change the default match settings for applications.

Configuring Matching for an Allowed Application

You can configure how a rule matches an application or category that is allowed in the policy. You can configure the rule to match the application:

On any service,

On a specified service.

To do this, change the Match Settings of the application or category. The application or category is changed everywhere that it is used in the policy.

To change the matched services for an allowed application or category:

In a rule which has applications or categories in the Services & Applications column, double-click an application or category.
Select Match Settings.
Select an option:
- To match the application with all services, select Any.
- To match the application on specified services:
  1. Select Customize.
  2. Add or remove services.
- To match the application with all services and exclude specified services:
  1. Select Customize.
  2. Add the services to exclude.
  3. Select Negate.
Click OK.

Configuring Matching for Blocked Applications

By default, if an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.

You can configure the matching for blocked applications so that they are matched on the recommended services. For Web applications, the recommended services are the Web browsing services.

If the match settings of the application are configured to Customize, the blocked application is matched on the customized services. It is not matched on all ports.

To configure matching for blocked applications:

In SmartConsole, click Manage & Settings > Blades > Application Control and URL Filtering > Advanced Settings > Application Control Web Browsing Services.
Configure Match web application on ‘Any’ port when used in ‘Block’ rule:
Note - This setting applies to all applications, not only to Web applications.
- Selected - This is the default. If an application is blocked in the Rule Base, the application is matched to Any port.
- Not selected - If an application is blocked in the Rule Base, the application is matched to the services that are configured in the application object of the application. However, some applications are still matched on Any. These are applications (Skype, for example) that do not limit themselves to a standard set of services.

Summary of Application Matching in a "Block" Rule

Application - Match Setting	Checkbox: Match web application on 'Any' port when used in 'Block' rule	Blocked Application is Matched on Service
Recommended services (default)	Selected (default)	Any
Recommended services (default)	Not selected	Recommended services
Customize	Not relevant	Customized
Any	Not relevant	Any

Adding Services, Applications, and Sites to a rule

You can add services to a rule, or applications and sites.

To add services, applications or sites to a rule:

In the Security Policies view of SmartConsole, go to the Access Control Policy.
To add applications to a rule, select the Application Control Layer.
Right-click the Services & Applications cell for the rule and select Add New Items.
Search for the services, sites, applications, or categories.
Click the + next to the ones you want to add.

Creating Custom Applications, Categories, and Groups

You can create custom applications, categories or groups, that are not included in the Check Point Application Database.

To create a new application or site:

In the Security Policies view of SmartConsole, go to the Access Control Policy.
Select the Application Control Layer.
Right-click the Services & Applications cell for the rule and select Add New Items.
The Application viewer window opens.
Click New > Custom Applications/Site > User Application.
Enter a name for the object.
Enter one or more URLs.
If you used a regular expression in the URL, click URLs are defined as Regular Expressions.

Note - If the application or site URL is defined as a regular expression you must use the correct syntax.
Click OK.

To create a custom category:

In the Security Policies view of SmartConsole, go to the Access Control Policy.
Select the Application Control Layer.
Right-click the Services & Applications cell for the rule and select Add New Items.
The Application viewer window opens.
Click New > Custom Applications/Site > User Category.
Enter a name for the object.
Enter a description for the object.
Click OK.

Action

In the Action field, define what occurs to traffic that matches the URL Filtering and Application Control rule. These are the Action options:

Action	Description
Accept	Allows the traffic.
Drop	Blocks the traffic. Optionally, shows a UserCheck Block message.
Limit	Limits the bandwidth that is permitted for a rule. Add a Limit object to configure a maximum throughput for uploads and downloads.
Enable Identity Captive Portal	Redirects HTTP traffic to an authentication (captive) portal. After the user is authenticated, new connections from this source are inspected without requiring authentication.

UserCheck Actions

These are the Action options that work with UserCheck:

Action	Description
Drop	Blocks the traffic. Optionally, shows a UserCheck Block message.
Ask	Shows a UserCheck Ask message. The message asks users to confirm that it is necessary that they go to the application or site.
Inform	Sends a message to the user attempting to access the application
UserCheck Frequency	Defines how often users see the UserCheck message for Ask, Inform, or Block actions.
Confirm UserCheck	Select the action that triggers a UserCheck message: Per rule - UserCheck message shows only once when traffic matches a rule. Per category - UserCheck message shows for each matching category in a rule. Per application/Site - UserCheck message shows for each matching application in a rule. Per Data type - UserCheck message shows for each matching data type.

Sample URL Filtering and Application Control Rules

This shows some examples of URL Filtering and Application Control rules for a typical policy that monitors and controls Internet browsing. (The Hits and Install On columns are not shown.)


Any
Any
Work-Hours
Any
Any
Any

No.	Name	Source	Destination	Applications/ Sites	Action	Track	Time
1	Liability sites	Any	Internet	Potential liability	Blocked Message	Log	Any
2	High risk applications	Any	Internet	High Risk iTunes	High Risk Block Message	Log	Any
3	Allow IT department Remote Admin	IT	Any	Radmin	Allow	Log	Work- Hours
4	Allow Facebook for HR	HR	Internet	Facebook	Allow Download_1Gbps Down: 1 Gbps	Log	Any
5	Block these categories	Any	Internet	Streaming Media Social Networking P2P File Sharing Remote Administration	Blocked Message	Log	Any
6	Log all applications	Any	Internet	Any Recognized	Allow	Log	Any

Liability sites- Blocks traffic to sites and applications in the Potential_liability category. The UserCheck Blocked Message is shown to users and explains why their traffic is blocked.
High risk applications - Blocks traffic to sites and applications in the High Risk category and blocks the iTunes application. The UserCheck High Risk Block Message is shown to users and explains why their traffic is blocked.
Allow IT department Remote Admin - Allows the computers in the IT department network to use the Radmin application. Traffic that uses Radmin is allowed only during the Work-Hours (set to 8:00 through 18:30, for example).
Allow Facebook for HR - Allows computers in the HR network to use Facebook. The total traffic downloaded from Facebook is limited to 1 Gbps, there is no upload limit.
Block these categories - Blocks traffic to these categories: Streaming Media, Social Networking, P2P File Sharing, and Remote Administration. The UserCheck Blocked Message is shown to users and explains why their traffic is blocked.
Note - The Remote Administration category blocks traffic that uses the Radmin application. If this rule is placed before rule 3, then this rule can also block Radmin for the IT department.
Log all applications- Logs all traffic that matches any of the URL Filtering and Application Control categories.

Analyzing the Rule Base (Hit Count)

Use the Hit Count feature to track the number of connections that each rule matches. You can show Hit Count for the rules in these options:

The percentage of the rule hits from total hits
The indicator level (very high, high, medium, low, or zero)

These options are configured in the Access Control Policy Rule Base and also changes how Hit Count is shown in other supported Software Blades.

When you enable Hit Count, the Security Management Server collects the data from supported Security Gateways (from version R75.40 and up). Hit Count works independently from logging and tracks the hits even if the Track option is None.

You can use the Hit Count data to:

Analyze a Rule Base - You can delete rules that have no matching connections

Note - If you see a rule with a zero hit count it only means that in the Security Gateways enabled with Hit Count there were no matching connections. There can be matching connections on other Security Gateways.

Improve Firewall performance - You can move a rule that has a high hit count to a higher position in the Rule Base
Better understand the behavior of the Access Control Policy

Enabling or Disabling Hit Count

By default, Hit Count is globally enabled for all supported Security Gateways (from R75.40). The timeframe setting that defines the data collection time range is configured globally. If necessary, you can disable Hit Count for one or more Security Gateways.

After you enable or disable Hit Count you must install the Policy for the Security Gateway to start or stop collecting data.

To enable or disable Hit Count globally:

In SmartConsole, click Menu > Global properties.
Select Hit Count from the tree.
Select the options:
- Enable Hit Count - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
- Keep Hit Count data up to - Select one of the time range options. The default is 6 months. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
Click OK.
Install the Policy.

To enable or disable Hit Count on each Security Gateway:

From the Gateway Properties for the Security Gateway, select Hit Count from the navigation tree.
Select Enable Hit Count to enable the feature or clear it to disable Hit Count.
Click OK.
Install the Policy.

Configuring the Hit Count Display

These are the options you can configure for how matched connection data is shown in the Hits column:

Value - Shows the number of matched hits for the rule from supported Security Gateways. Connection hits are not accumulated in the total hit count for:
- Security Gateways that are not supported
- Security Gateways that have disabled the hit count feature
The values are shown with these letter abbreviations:
- K = 1,000
- M = 1,000,000
- G = 1,000,000,000
- T = 1,000,000,000,000
For example, 259K represents 259 thousand connections and 2M represents 2 million connections.
Percentage - Shows the percentage of the number of matched hits for the rule from the total number of matched connections. The percentage is rounded to a tenth of a percent.
Level - The hit count level is a label for the range of hits according to the table.
The hit count range = Maximum hit value - Minimum hit value (does not include zero hits)

Hit Count Level	Icon	Range
Zero		0 hits
Low		Less than 10 percent of the hit count range
Medium		Between 10 - 70 percent of the hit count range
High		Between 70 - 90 percent of the hit count range
Very High		Above 90 percent of the hit count range

To show the Hit Count in the Rule Base:

Right-click the heading row of the Rule Base and select Hits.

To configure the Hit Count in a rule:

Right-click the rule number of the rule.
Select Hit Count and one of these options (you can repeat this action to configure more options):
- Timeframe - Select All, 1 day, 7 days, 1 month, or 3 months
- Display. - Select Percentage, Value, or Level

To update the Hit Count in a rule:

Right-click the rule number of the rule.
Select Hit Count > Refresh.

Inspection Settings

You can configure inspection settings for the Firewall:

Deep packet inspection settings
Protocol parsing inspection settings
VoIP packet inspection settings

The Security Management Server comes with two preconfigured inspection profiles for the Firewall:

Default Inspection
Recommended Inspection

When you configure a Security Gateway, the Default Inspection profile is enabled for it. You can also assign the Recommended Inspection profile to the Security Gateway, or to create a custom profile and assign it to the Security Gateway.

To activate the Inspection Settings, install the Access Control Policy.

Note - In a pre-R80 SmartConsole, Inspection Settings are configured as IPS Protections.

Configuring Inspection Settings

To configure Inspection Settings:

In SmartConsole, go to the Manage & Settings > Blades view.
In the General section, click Inspection Settings.
The Inspection Settings window opens.

You can:

Edit inspection settings
Edit user-defined Inspection Settings profiles. You cannot change the Default Inspection profile and the Recommended Inspection profile.
Assign Inspection Settings profiles to Security Gateways
Configure exceptions to settings

To edit a setting:

In the Inspection Settings > General view, select a setting.
Click Edit.
In the window that opens, select a profile, and click Edit.
The settings window opens.
Select the Main Action:
- Default Action - preconfigured action
- Override with Action - from the drop-down menu, select an action with which to override the default - Accept, Drop, Inactive (the setting is not activated)
Configure the Logging Settings
Select Capture Packets, if you want to be able to examine packets that were blocked in Drop rules.
Click OK.
Click Close.

To view settings for a certain profile:

In the Inspection Settings > General view, click View > Show Profiles.
In the window that opens, select Specific Inspection settings profiles.
Select profiles.
Click OK.
Only settings for the selected profiles are shown.

You can add, edit, clone, or delete custom Inspection Settings profiles.

To edit a custom Inspection Settings profile:

In the Inspection Settings > Profiles view, select a profile.
Click Delete, to remove it, or click Edit to change the profile name, associated color, or tag.
If you edited the profile attributes, click OK to save the changes.

To clone an Inspection Settings profile:

In the Inspection Settings > Profiles view, select the profile, and click Clone.
In the New Profile window that opens, edit the profile attributes:
Click OK.

To add a new Inspection Settings profile:

In the Profiles view, click New.
In the New Profile window that opens, edit the profile attributes:
Click OK.

To assign an Inspection Settings profile to a Security Gateway:

In the Inspection Settings > Gateways view, select a gateway, and click Edit.
In the window that opens, select an Inspection Settings profile.
Click OK.

To configure exceptions to inspection settings:

In the Inspection Settings > Exceptions view, click New to add a new exception, or select an exception and click Edit to modify an existing one.
The Exception Rule window opens.
Configure the exception settings:
- Apply To - select the Profile to which to apply the exception
- Protection - select the setting
- Source - select the source Network Object, or select IP Address and enter a source IP address
- Destination - select the destination Service Object, or select Port/Range, TCP or UDP, and enter a destination port number or a range of port numbers
- Install On - select a gateway on which to install the exception
Click OK.

To enforce the changes, install the Access Control Policy.