Application and URL Filtering - Advanced Settings - General

What can I do here?

Use this window to configure general settings for the Application and URL Filtering Software Blade. These are global settings that apply to all Security Gateways with Application and URL Filtering enabled.

Getting Here - Manage & Settings > Blades > Application and URL Filtering > Advanced Settings > General

Advanced Settings on a SmartConsole connected to a Multi-Domain Server

Note - When you open Manage & Settings > Blades > Application and URL Filtering > Advanced Settings from a SmartConsole connected to a Multi-Domain Server, only this section shows.

Services

By default, HTTPS traffic on port 443 and HTTP and HTTPS proxy traffic on port 8080 are inspected. You can include more services and ports in the inspection by adding them to the services list.

To select other HTTPS/HTTP services, hover the mouse over the column and a plus sign appears. Click the plus sign to open the list of services and select a service. Other services, such as SSH, are not supported.

Web Browsing

If you do not enable URL Filtering on the Security Gateway, you can use a generic Web browser application called Web Browsing in the rule.

This application includes all HTTP traffic that is not a defined application. Because Web Browsing traffic can generate many logs, the Web browsing application has its own activation setting.

Application and URL Filtering assigns Web Browsing as the default application for all HTTP traffic that does not match an application in the Application and URL Filtering Database. The Web Browsing application is activated by default.

If you deactivate the Web browsing application:

  • Web Browsing in Access Control Policy rules is not enforced. For example, if you have a rule that blocks Web Browsing, traffic is allowed.

  • No Web Browsing logs are generated.

To deactivate the Web Browsing application:

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.

  2. Deselect Enable web browsing logging and policy enforcement.

Fail Mode

You can select the enforcement option to use if the Application and URL Filtering engine fails during inspection.

To select the enforcement option:

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.

  2. In the Application Settings window, select one option:

    • Allow all requests (fail-open) - All traffic is allowed.

    • Block all requests (fail-close) - All traffic is blocked (default).

URL Filtering

In this section of the Application Settings window, you can enable these URL Filtering features:

  • Categorize HTTPS sites (without activating HTTP inspection).

  • Enforce safe search in search engines.

  • Categorize cached pages and translated pages in search engines.

Categorize HTTPS sites

This option lets Application and URL Filtering assign categories to HTTPS sites without activating HTTPS inspection. It assigns a site category based on its domain name and whether the site has a valid certificate. If the server certificate is:

  • Trusted - Application and URL Filtering gets the domain name from the certificate and uses it to categorize the site.

  • Not Trusted - Application and URL Filtering assigns a category based on the IP address.

Application and URL Filtering uses these pages (in the SmartConsole Manage & Settings tab > Blades > HTTPS Inspection > Configure in SmartDashboard) to make sure that a certificate is valid:

  • Trusted CAs page - Makes sure the certificate is not stolen or revoked.

    Note : If your company issues certificates, you must add your company CA to the list of Trusted CAs.

  • HTTPS Validation page - If the certificate is blacklisted, for example, it is not trusted and the site is categorized according to its IP address.

    Important - Application and URL Filtering gets the site URL from the SSL "CONNECT" request sent to the proxy, if:

    • There is a proxy between the Firewall and the destination site or

    • The Firewall is configured to work as a proxy

    When the Categorize HTTPS sites option is selected, these settings from the HTTPS validation page are applied:

    • Certificate Blacklisting

    • Automatically retrieve intermediate certificate

Enforce safe search in search engines

Select this option to require use of the safe search feature in search engines. When activated, the URL Filtering Policy uses the strictest available safe search option for the specified search engine. This option overrides user-specified search engine options to block offensive material in search results.

Categorize cached pages and translated pages in search engines

Select this option to assign categories to cached search engine results and translated pages. When this option is selected, Application and URL Filtering assigns categories based on the original Web site instead of the 'search engine pages' category.

Connection Unification

Application and Web site traffic generate a large quantity of logs. To make logs manageable, Application and URL Filtering consolidates logs by session. A session is a period that starts when the user first connects to an application or site. The Security Gateway generates one log entry for each application or site accessed during the session. All actions that occur during the session are included in the log.

To change the length of a session:

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.

  2. In the Application Settings window:

    • For applications and sites that are allowed in a Rule Base, the default session is three hours (180 minutes). To change this, click Session Unification Timeout and enter a different value, in minutes.

    • For applications and sites that are blocked in the Rule Base, the default session is 30 seconds. You cannot change this setting.

Application Control Web Browsing Services

Application Control Web browsing services are the services that match a Web-based custom Application/Site.

These are the default Application Control Web browsing services:

  • http on port 80

  • https on port 443

  • HTTPS_proxy on port 8080

  • HTTP_proxy on port 8080

Other services, such as SSH, are not matched.

To add to the list of services that match Web applications:

  1. Go to Manage & Settings > Blades > Application and URL Filtering > Advanced Settings.

  2. In the Application and URL Filtering Settings window:

    1. Click the add icon to open the list of services.

    2. Select a service.

Application Port Match

Match Web application on 'Any' port when used in Block rule - By default, this is selected, and applications are matched on all services when used in a Block rule.

Domain Level Permissions

Selecting this option allows the editing of applications, categories, and services used in the Global Domain.

HTTP Inspection

Enable HTTP inspection on non standard ports for application and URL filtering - Applications that use HTTP normally send the HTTP traffic on TCP port 80. Some applications send HTTP traffic on other ports also.

By default, the Application and URL Filtering Software Blades inspect HTTP traffic on non-standard ports.

You can configure the Application and URL Filtering Software Blades to only inspect HTTP traffic on port 80.

Compatibility with R75 and R75.10 Gateway Settings

These settings are for compatibility with Security Gateway versions earlier than R75.20:

  • Unify connections from the same user/IP to a specific application into a single session/log

    • Select this to unify logs for all application traffic during a session into one log. This is the default.

    • Clear this to generate one log for each connection or activity during a session.

  • Issue a separate log per each domain accessed

    Optional: When you select the Unify connections option, this additional option is available:

    • When cleared, connections of the Web Browsing application from a user or IP address during a session are consolidated into one log record. This is the default.

    • When selected, connections of the Web Browsing application generate one log for each domain that a user or IP address browses to, for each session.
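The following is an added example, not Check Point code, that models the session unification described in the Connection Unification section and the "separate log per each domain accessed" option above: connections from one source to one application are folded into a single log record until the session timeout (180 minutes for allowed traffic, 30 seconds for blocked traffic) is exceeded. It assumes the timeout is measured from the first connection of the session; the connection records are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Session lengths as documented: 180 minutes for allowed traffic, 30 seconds for blocked.
ALLOWED_TIMEOUT_S = 180 * 60
BLOCKED_TIMEOUT_S = 30

@dataclass
class Conn:
    ts: int        # epoch seconds (constructed sample values)
    src: str       # user or source IP address
    app: str       # matched application or site
    domain: str    # domain browsed to
    action: str    # "Allow" or "Block"

@dataclass
class SessionLog:
    src: str
    app: str
    action: str
    domain: Optional[str]       # set only when one log per domain is issued
    start: int
    last: int
    connections: int = 1
    domains: Set[str] = field(default_factory=set)

def unify(conns: List[Conn], per_domain: bool = False) -> List[SessionLog]:
    """Consolidate connections into session logs.
    Assumption: a session is keyed by (src, app, action[, domain]) and a new
    log starts when a connection arrives later than the timeout after the
    session's first connection."""
    logs: List[SessionLog] = []
    open_sessions = {}
    for c in sorted(conns, key=lambda c: c.ts):
        timeout = BLOCKED_TIMEOUT_S if c.action == "Block" else ALLOWED_TIMEOUT_S
        key = (c.src, c.app, c.action, c.domain if per_domain else None)
        s = open_sessions.get(key)
        if s is None or c.ts - s.start > timeout:
            s = SessionLog(c.src, c.app, c.action, key[3], c.ts, c.ts)
            open_sessions[key] = s
            logs.append(s)
        else:
            s.last = c.ts
            s.connections += 1
        s.domains.add(c.domain)
    return logs

# Constructed sample: one allowed Web Browsing user and one blocked application.
SAMPLE = [
    Conn(0, "10.1.1.5", "Web Browsing", "example.com", "Allow"),
    Conn(60, "10.1.1.5", "Web Browsing", "example.org", "Allow"),
    Conn(7200, "10.1.1.5", "Web Browsing", "example.com", "Allow"),
    Conn(11000, "10.1.1.5", "Web Browsing", "example.net", "Allow"),  # past 180 min: new log
    Conn(0, "10.1.1.5", "BitTorrent", "-", "Block"),
    Conn(10, "10.1.1.5", "BitTorrent", "-", "Block"),
    Conn(45, "10.1.1.5", "BitTorrent", "-", "Block"),  # past 30 s: new log
]
```

With the sample, the default unification produces 4 log records for 7 connections, and enabling one log per domain raises that to 5.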