Creating Application Control and URL Filtering Rules
Create and manage the Policy for Application Control (a Check Point Software Blade on a Security Gateway that gives granular control over specific web-enabled applications by using deep packet inspection; acronym: APPI) and URL Filtering (a Software Blade that gives granular control over which web sites can be accessed by a given group of users, computers or networks; acronym: URLF) in the Access Control Policy, in the Access Control view of SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on). Application Control and URL Filtering rules define which users can use specified applications and sites from within your organization, and which application and site usage is recorded in the logs.
To learn which applications and categories have a high risk, look through the Application Wiki in the Access Tools part of the Security Policies view. Find ideas for applications and categories to include in your Policy.
To see an overview of your Access Control Policy and traffic, see the Access Control view in Logs & Monitor > New Tab > Views.
Best Practice - Do not use Application Control and URL Filtering in the same rule.

Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?
To monitor all Facebook application traffic:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy. (A Security Policy is a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.)
2. Choose a Layer with Applications and URL Filtering enabled.
3. Click one of the Add rule toolbar buttons to add the rule in the position that you choose in the Rule Base (all rules configured in a given Security Policy; synonym: Rulebase). The first rule matched is applied.
4. Create a rule that includes these components:
   - Name - Give the rule a name, such as Monitor Facebook.
   - Source - Keep it as Any so that it applies to all traffic from the organization.
   - Destination - Keep it as Internet so that it applies to all traffic going to the internet or DMZ.
   - Services & Applications - Click the plus sign to open the Application viewer. Add the Facebook application to the rule:
     a. Start to type "face" in the Search field. The Facebook application appears in the Available list.
     b. Click each item to see more details in the description pane.
     c. Select the items to add to the rule.
     Note - Applications are matched by default on their Recommended services. You can change this (see Configuring Matching for an Allowed Application). Each service runs on a specific port. The recommended Web Browsing Services are http, https, HTTP_proxy, and HTTPS_proxy.
   - Action - Select Accept.
   - Track - Select Log.
   - Install On - Keep it as Policy Targets for all Security Gateways, or choose the specific Security Gateways on which to install the rule.
The rule allows all Facebook traffic but logs it. You can see the logs in the Logs & Monitor view, in the Logs tab. To monitor how people use Facebook in your organization, see the Access Control view (SmartEvent Server required).

Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?
To block an application or category of applications and tell the user about the policy violation:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Choose a Layer with Applications and URL Filtering enabled.
3. Create a rule that includes these components:
   - Services & Applications - Select the Pornography category.
   - Action - Drop, and a UserCheck Blocked Message - Access Control. The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.
   - Track - Log
   Note - This Rule Base example contains only those columns that are applicable to this subject.
The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy, with the optional link for reporting an incorrectly categorized site.
Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks.
If you do not want to block an application or category, there are different ways to set limits for employee access:
- Add a Limit object to a rule to limit the bandwidth that is permitted for the rule.
- Add one or more Time objects to a rule to make it active only during specified times.
The example rule below:
- Allows access to streaming media during non-peak business hours only.
- Limits the upload throughput for streaming media in the company to 1 Gbps.
To create a rule that allows streaming media with time and bandwidth limits:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Choose a Layer with Applications and URL Filtering enabled.
3. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base.
4. Create a rule that includes these components:
   - Services & Applications - Media Streams category.
     Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy. To change this, see Services & Applications Column.
   - Action - Click More and select Action: Accept, and a Limit object.
   - Time - Add a Time object that specifies the hours or time period in which the rule is active.
     Note - The Time column is not shown by default in the Rule Base table. To see it, right-click on the table header and select Time.

Scenario: I want to allow a Remote Access application for a specified group of users and block the same application for other users. I also want to block other Remote Access applications for everyone. How can I do this?
If you enable Identity Awareness (a Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym: IDA) on a Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources), you can use it together with Application Control to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.
In this example:
- You have already created an Access Role Identified_Users that represents all identified users in the organization. You can use this to allow access to applications only for users who are identified on the Security Gateway.
- You want to allow access to the Radmin Remote Access tool for all identified users.
- You want to block all other Remote Access tools for everyone within your organization. You also want to block any other application that can establish remote connections or remote control.
To do this, add two new rules to the Rule Base:
1. Create a rule and include these components:
   - Source - The Identified_Users access role
   - Destination - Internet
   - Services & Applications - Radmin
   - Action - Accept
2. Create another rule below it and include these components:
   - Source - Any
   - Destination - Internet
   - Services & Applications - The category: Remote Administration
   - Action - Block
Keep the Radmin rule above the category rule. The first rule matched is applied, so if the Remote Administration rule came first it would also block Radmin for identified users.
For more about Access Roles and Identity Awareness, see the R81.10 Identity Awareness Administration Guide.
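The two scenarios above (logging Facebook, and the allow-Radmin rule that must sit above the Remote Administration block) both depend on rule order, because the Rule Base is matched top-down. The following is an added example, not Check Point's own code: it builds the request body that the Management API's add-access-rule command takes for these rules, and runs a first-match shadowing check over the intended order before anything is published. The layer name "Network" is a placeholder, and the category membership table is constructed for the example (the real members come from the Application Database; it records only what the scenario states, that Radmin is a Remote Administration tool).

```python
"""Added example, not Check Point's own code: build Management API
add-access-rule bodies for the rules in this section and check their order
before publishing. The Rule Base is matched top-down and the first rule
matched is applied, so a broad rule placed above a narrow one silently
disables the narrow one."""

from dataclasses import dataclass

# Constructed category membership for the shadowing check (assumption):
# the real members come from the Application Database; this only records
# what the scenario states, that Radmin is a Remote Administration tool.
CATEGORY_MEMBERS = {"Remote Administration": {"Radmin"}}


@dataclass
class Rule:
    name: str
    source: set          # network objects or access roles; "Any" matches all
    destination: set
    service: set         # applications, categories or custom sites
    action: str          # "Accept" or "Drop"
    track: str = "Log"
    install_on: tuple = ("Policy Targets",)

    def payload(self, layer, position="bottom"):
        """Body for POST /web_api/add-access-rule (Management API field names)."""
        return {
            "layer": layer,
            "position": position,
            "name": self.name,
            "source": sorted(self.source),
            "destination": sorted(self.destination),
            "service": sorted(self.service),
            "action": self.action,
            "track": {"type": self.track},
            "install-on": list(self.install_on),
        }


def _covers(outer, inner):
    """True if every member of `inner` is matched by `outer`."""
    if "Any" in outer:
        return True
    expanded = set(outer)
    for item in outer:
        expanded |= CATEGORY_MEMBERS.get(item, set())
    return set(inner) <= expanded


def shadowed(rules):
    """(dead rule, rule that hides it) for every rule that can never match
    because an earlier rule already covers all of its source, destination
    and service. A Drop above an Accept with the same scope is the usual case."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and _covers(earlier.service, later.service)):
                dead.append((later.name, earlier.name))
                break
    return dead


def captive_portal_warnings(rules):
    """The page's caveat: a blocking rule with Source and Destination Any also
    blocks traffic to and from the Captive Portal."""
    return [r.name for r in rules
            if r.action != "Accept" and "Any" in r.source and "Any" in r.destination]


# Rules from the scenarios above
MONITOR_FACEBOOK = Rule("Monitor Facebook", {"Any"}, {"Internet"}, {"Facebook"}, "Accept")
ALLOW_RADMIN = Rule("Allow Radmin for identified users",
                    {"Identified_Users"}, {"Internet"}, {"Radmin"}, "Accept")
BLOCK_REMOTE_ADMIN = Rule("Block Remote Administration",
                          {"Any"}, {"Internet"}, {"Remote Administration"}, "Drop")


if __name__ == "__main__":
    import json
    print(json.dumps(MONITOR_FACEBOOK.payload("Network", "top"), indent=2))
    print("correct order:", shadowed([ALLOW_RADMIN, BLOCK_REMOTE_ADMIN]))   # []
    print("swapped order:", shadowed([BLOCK_REMOTE_ADMIN, ALLOW_RADMIN]))   # Radmin rule is dead
```

The check is deliberately conservative: it only reports a rule as dead when an earlier rule covers every dimension, so it will not flag partial overlaps that are usually intentional. Run it over the rules in the order you intend to add them, and run `captive_portal_warnings` before adding any Drop rule with Any in both Source and Destination.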

Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of these categories exist in the Application Database but there is also a custom defined site that must be included. How can I do this?
You can do this by creating a custom group and adding all applicable categories and the site to it. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.
In this example:
- You have already created:
  - An Access Role that represents all identified users in the organization (Identified_Users).
  - A custom application for a site named FreeMovies.
- You want to block sites that can cause liability issues for everyone within your organization.
- You will create a custom group that includes Application Database categories as well as the previously defined custom site named FreeMovies.

To create the custom group:
1. In the Object Explorer, click New > More > Custom Application/Site > Application/Site Group.
2. Give the group a name. For example, Liability_Sites.
3. Click + to add the group members:
   - Search for and add the custom application FreeMovies.
   - Select Categories, and add the ones you want to block (for example Anonymizer, Critical Risk, and Gambling).
   - Click Close.
4. Click OK.
You can now use the Liability_Sites group in the Access Control Rule Base.

To create the rule:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Create a rule that includes these components:
   - Source - The Identified_Users access role
   - Destination - Internet
   - Services & Applications - Liability_Sites
   - Action - Drop
   Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy. To change this, see Changing Services for Applications and Categories.
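The group-then-rule procedure above is the kind of change that is usually scripted once it is repeated across environments. The following is an added example, not Check Point's own code: it drives the Management Web API through one session, creating the Liability_Sites group (add-application-site-group), adding the Drop rule (add-access-rule), and publishing, with the session discarded if any step fails so that a half-built group or rule never reaches the database. The endpoint names, the login/publish/discard/logout commands and the X-chkp-sid session header are the Management API's; the server URL, API user, layer name "Network" and rule name are placeholders, and the HTTP transport is injectable so the sequence can be exercised without a Management Server.

```python
"""Added example, not Check Point's own code: create the Liability_Sites
group and the rule that drops it through the Management Web API in one
login / publish / logout session, discarding on failure."""

import json
import urllib.error
import urllib.request


class MgmtSession:
    """Thin client for POST https://<server>/web_api/<command>.

    `post` is injectable for offline use; the default uses urllib and expects
    the Management Server certificate to be trusted by the client (do not
    disable certificate verification to make it work)."""

    def __init__(self, base_url, post=None):
        self.base_url = base_url.rstrip("/")
        self._post = post or self._http_post
        self.sid = None          # session id returned by login
        self.calls = []          # (command, sid header, body) for audit and tests

    @staticmethod
    def _http_post(url, headers, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            # The API reports failures as 4xx/5xx with a JSON "message" field
            raise RuntimeError(err.read().decode(errors="replace")) from err

    def call(self, command, body=None):
        body = body or {}
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        self.calls.append((command, headers.get("X-chkp-sid"), body))
        return self._post(f"{self.base_url}/web_api/{command}", headers, body)

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        self.call("logout")
        self.sid = None


# Group members from the scenario: the custom site plus Application Database categories
LIABILITY_MEMBERS = ["FreeMovies", "Anonymizer", "Critical Risk", "Gambling"]


def deploy_liability_policy(session, layer, position="top"):
    """Create the group, add the Drop rule for identified users, and publish.
    Any failure discards the session's unpublished changes before re-raising."""
    try:
        session.call("add-application-site-group",
                     {"name": "Liability_Sites", "members": LIABILITY_MEMBERS})
        session.call("add-access-rule", {
            "layer": layer,                      # placeholder layer name
            "position": position,
            "name": "Block liability sites",     # placeholder rule name
            "source": ["Identified_Users"],
            "destination": ["Internet"],
            "service": ["Liability_Sites"],
            "action": "Drop",
            "track": {"type": "Log"},
        })
        session.call("publish")
    except Exception:
        session.call("discard")
        raise


if __name__ == "__main__":
    # Placeholders: replace with your Management Server and an API user
    s = MgmtSession("https://mgmt.example.invalid")
    s.login("api-user", "change-me")
    try:
        deploy_liability_policy(s, layer="Network")
    finally:
        s.logout()
```

Publishing is a separate step from adding objects, which is why the discard path matters: until publish succeeds, the group and rule exist only in the API session, and logging out without publishing or discarding leaves them as pending changes on that session.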
Blocking URL Categories
Scenario: I want to block pornographic sites. How can I do this?
You can do this by creating a rule that blocks all sites with pornographic material with the Pornography category. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.
In this example:
- You have already created an Access Role (Identified_Users) that represents all identified users in the organization.
- You want to block sites related to pornography.
The procedure is similar to Blocking Applications and Informing Users.