The Columns of the Access Control Rule Base

These are the columns of the rules in the Access Control policy. Not all of these are shown by default. To select a column that does not show, right-click on the header of the Rule Base, and select it.

Column

Description

No

Rule number in the Rule Base Layer.

Hits

Number of times that connections match a rule.

See Analyzing the Rule Base Hit Count.

Name

Name that the system administrator gives this rule.

Source

Destination

Network objects that define:

  • Where the traffic starts

  • The destination of the traffic

See Source and Destination Column.

VPN

The VPN Community to which the rule applies.

See VPN Column.

Services & Applications

Services, Applications, Categories, and Sites.

If Application & URL Filtering is not enabled, only Services show.

See Services & Applications Column.

Content

The data asset to protect, for example, credit card numbers or medical records.

You can set the direction of the data to Download Traffic (into the organization), Upload Traffic (out of the organization), or Any Direction.

See Content Column.

Action

Action that is done when traffic matches the rule. Options include: Accept, Drop, Ask, Inform (UserCheck message), Inline Layer, and Reject.

See Actions.

Track

Tracking and logging action that is done when traffic matches the rule.

See Tracking Column.

Install On

Network objects that will get the rule(s) of the policy.

See Installing the Access Control Policy.

Time

Time period that this rule is enforced.

Comment

An optional field that lets you summarize the rule.

Source and Destination Column

In the Source and Destination columns of the Access Control Policy Rule Base, you can add Network objects including groups of all types.

Here are some of the Network objects you can include:

To Learn More About Network Objects

You can add network objects to the Source and Destination columns of the Access Control Policy. See Managing Objects.

VPN Column

You can configure rules for Site-to-Site VPN, Remote Access VPN, and the Mobile Access Portal and clients.

To make a rule for a VPN Community, add a Site-to-Site Community or a Remote Access VPN Community object to this column, or select Any to make the rule apply to all VPN Communities.

When you enable Mobile Access on a Security Gateway, the Security Gateway is automatically added to the RemoteAccess VPN Community. Include that Community in the VPN column of the rule or use Any to make the rule apply to Mobile Access Security Gateways. If the Security Gateway was removed from the VPN Community, the VPN column must contain Any.

IPsec VPN

The IPsec VPN solution lets the Security Gateway encrypt and decrypt traffic to and from other Security Gateways and clients. Use SmartConsole to easily configure VPN connections between Security Gateways and remote devices.

For Site-to-Site Communities, you can configure Star and Mesh topologies for VPN networks, and include third-party gateways.

The VPN tunnel guarantees:

  • Authenticity - Uses standard authentication methods

  • Privacy - All VPN data is encrypted

  • Integrity - Uses industry-standard integrity assurance methods

IKE and IPsec

The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.

Mobile Access to the Network

Check Point Mobile Access lets remote users easily and securely use the Internet to connect to internal networks. Remote users start a standard HTTPS request to the Mobile Access Security Gateway, and authenticate with one or more secure authentication methods.

The Mobile Access Portal lets mobile and remote workers connect easily and securely to critical resources over the internet. Check Point Mobile Apps enable secure encrypted communication from unmanaged smartphones and tablets to your corporate resources. Access can include internal apps, email, calendar, and contacts.

To include access to Mobile Access applications in the Rule Base, include the Mobile Application in the Services & Applications column.

To give access to resources through specified remote access clients, create Access Roles for the clients and include them in the Source column of a rule.

To Learn More About VPN

To learn more about Site-to-Site VPN and Remote Access VPN, see these guides:

Services & Applications Column

In the Services & Applications column of the Access Control Rule Base, define the applications, sites, and services that are included in the rule. A rule can contain one or more:

  • Services

  • Applications

  • Mobile Applications for Mobile Access

  • Web sites

  • Default categories of Internet traffic

  • Custom groups or categories that you create, that are not included in the Check Point Application Database.

Service Matching

The Security Gateway identifies (matches) a service according to IP protocol, TCP and UDP port number, and protocol signature.

To make it possible for the Security Gateway to match services by protocol signature, you must enable Application & URL Filtering on the Security Gateway and on the Ordered Layer (see Enabling Access Control Features).

You can configure TCP and UDP services to be matched by source port.

Application Matching

If an application is allowed in the policy, the rule is matched only on the Recommended services of the application. This default setting is more secure than allowing the application on all services. For example: a rule that allows Facebook, allows it only on the Application Control Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy.

If an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.

You can change the default match settings for applications.
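To make the matching behavior described above concrete, here is an added example (not Check Point code) that models first-match evaluation of one layer with the Services & Applications semantics: a service matches on IP protocol and port, an allowed application matches only on its recommended Web Browsing Services, and a blocked application matches on every port. The port numbers, the domain-udp service and the InternalNet object are assumptions of this example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Service objects: name -> (IP protocol, destination port). The four Web Browsing
# Services are named on the page; ports and "domain-udp" are this example's assumptions.
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "HTTP_proxy": ("tcp", 8080),
            "HTTPS_proxy": ("tcp", 8443), "domain-udp": ("udp", 53)}
WEB_BROWSING = {"http", "https", "HTTP_proxy", "HTTPS_proxy"}
Conn = namedtuple("Conn", "src dst proto dport app", defaults=("",))  # app: "" if no signature matched

@dataclass
class Rule:
    name: str
    action: str  # "Accept", "Drop" or "Reject"
    source: set = field(default_factory=lambda: {"Any"})
    destination: set = field(default_factory=lambda: {"Any"})
    services: set = field(default_factory=set)
    applications: set = field(default_factory=set)

def _in(objects, value):  # network object column: Any or a named object
    return "Any" in objects or value in objects

def service_match(rule, c):  # services match on IP protocol and port number
    return any(SERVICES[s] == (c.proto, c.dport) for s in rule.services)

def application_match(rule, c):
    if c.app not in rule.applications:
        return False
    if rule.action == "Accept":  # allowed app: only on its recommended services
        return (c.proto, c.dport) in {SERVICES[s] for s in WEB_BROWSING}
    return True  # blocked app: matched on all services, hence on all ports

def rule_match(rule, c):
    if not (_in(rule.source, c.src) and _in(rule.destination, c.dst)):
        return False
    if not rule.services and not rule.applications:  # column left as Any
        return True
    return service_match(rule, c) or application_match(rule, c)

def evaluate(rules, c):  # first match wins; returns (rule name, action)
    for r in rules:
        if rule_match(r, c):
            return r.name, r.action
    raise ValueError("no match: end the layer with an explicit Cleanup rule")

RULES = [  # constructed sample rule base; "InternalNet" is a hypothetical object
    Rule("Block P2P", "Drop", applications={"BitTorrent"}),
    Rule("Allow Facebook", "Accept", source={"InternalNet"}, applications={"Facebook"}),
    Rule("Allow DNS", "Accept", source={"InternalNet"}, services={"domain-udp"}),
    Rule("Cleanup", "Drop")]
```

Running `evaluate(RULES, conn)` for a Facebook connection on a non-recommended port (for example tcp/9000) falls through to the Cleanup rule, while the same application in the Block P2P position would be dropped on any port.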

Services and Applications on R77.30 and Lower Security Gateways, and after Upgrade

For Security Gateways R77.30 and lower:

  • The Security Gateway matches TCP and UDP services by port number. The Security Gateway cannot match services by protocol signature.

  • The Security Gateway matches applications by the application signature.

When you upgrade the Security Management Server to R80 and higher and the Security Gateways to R80.10 and higher, this change of behavior occurs:

  • Applications that were defined in the Application & URL Filtering Rule Base are accepted on their recommended ports

Content Column

You can add Data Types to the Content column of rules in the Access Control Policy.

To use the Content column, you must enable Content Awareness, in the General Properties page of the Security Gateway, and on the Layer.

A Data Type is a classification of data. The Security Gateway classifies incoming and outgoing traffic according to Data Types, and enforces the Policy accordingly.

You can set the direction of the data in the Policy to Download Traffic (into the organization), Upload Traffic (out of the organization), or Any Direction.

There are two kinds of Data Types: Content Types (classified by analyzing the file content) and File Types (classified by analyzing the file ID).

Content Type examples:

  • PCI - credit card numbers

  • HIPAA - Medical Records Number - MRN

  • International Bank Account Numbers - IBAN

  • Source Code - JAVA

  • U.S. Social Security Numbers - According to SSA

  • Salary Survey Terms

File type examples:

  • Viewer File - PDF

  • Executable file

  • Database file

  • Document file

  • Presentation file

  • Spreadsheet file

Notes:

Limitations:

  • Content Awareness supports more than 60 character sets (charsets) for text files, including Japanese, Korean, Greek, and Arabic. If the inspected traffic does not include a supported charset, the Security Gateway uses UTF-8 for decoding. To see the list of supported charsets, and to learn how to change the default charset, see sk116155.

  • Content Awareness supports Data Types based on file name. For specific HTTP traffic where the file name is not part of the URL or content-disposition header, the file name may be incorrect.

To learn more about the Data Types, open the Data Type object in SmartConsole and press the ? button (or F1 key) to see the Help.

To learn more about DLP, see the R81.10 Data Loss Prevention Administration Guide.

Actions

Action

Meaning

Accept

Accepts the traffic

Drop

Drops the traffic. The Security Gateway does not send a response to the originating end of the connection, and the connection eventually times out. If no UserCheck object is defined for this action, no page is displayed.

Ask

Asks the user a question and adds a confirmatory check box, or a reason box. Uses a UserCheck object.

Inform

Sends a message to the user attempting to access the application or the content. Uses a UserCheck object.

To see these actions, right-click and select More:

Reject

Rejects the traffic. The Security Gateway sends an RST packet to the originating end of the connection and the connection is closed.

UserCheck Frequency

Configure how often the user sees the configured message when the action is ask, inform, or block.

Confirm UserCheck

Select the action that triggers a UserCheck message:

  • Per rule - UserCheck message shows only once when traffic matches a rule.

  • Per category - UserCheck message shows for each matching category in a rule.

  • Per application/Site - UserCheck message shows for each matching application/site in a rule.

  • Per Data type - UserCheck message shows for each matching data type.

Limit

Limits the bandwidth that is permitted for a rule.

Add a Limit object to configure a maximum throughput for uploads and downloads.

Important:

After policy installation, a bandwidth limit is not enforced on a connection that is matched to an Access Control rule with the Action "Limit" in one of these scenarios:

  • The 'Keep all connections' option is selected in the security object

  • The 'Keep connections open after the policy has been installed' option is selected in the Service object used in this rule

Enable Identity Captive Portal

Redirects HTTP traffic to an authentication (captive) portal. After the user is authenticated, new connections from this source are inspected without requiring authentication.

Important - A rule that drops traffic, with the Source and Destination parameters defined as Any, also drops traffic to and from the Captive Portal.

Tracking Column

These are some of the Tracking options:

  • None - Do not generate a log.

  • Log - This is the default Track option. It shows all the information that the Security Gateway used to match the connection.

  • Accounting - Select this to update the log at 10-minute intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.

To Learn More About Tracking

To learn more about Tracking options, see the R81.10 Logging and Monitoring Administration Guide.