Creating Application Control and URL Filtering Rules

Create and manage the Policy for Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. and URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. in the Access Control Policy, in the Access Control view of SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. Application Control and URL Filtering rules define which users can use specified applications and sites from within your organization and what application and site usage is recorded in the logs.

To learn which applications and categories have a high risk, look through the Application Wiki in the Access Tools part of the Security Policies view. Find ideas for applications and categories to include in your Policy.

To see an overview of your Access Control Policy and traffic, see the Access Control view in Logs & Monitor > New Tab > Views.

Best Practice - Do not use Application Control and URL Filtering in the same rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session., this may lead to wrong rule matching. Use Application Control and URL Filtering in separate rules. This makes sure that the URL Filtering rule is used as soon as the category is identified. For more information, see sk174045.

Monitoring Applications

Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?

To monitor all Facebook application traffic:

In the Security Policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. view of SmartConsole, go to the Access Control Policy.
Select a Layer with Applications and URL Filtering enabled.
Click one of the Add rule toolbar buttons to add the rule in the position that you choose in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. The first rule matched is applied.

Create a rule that includes these components:

Name - Give the rule a name, such as Monitor Facebook.
Source - Keep it as Any so that it applies to all traffic from the organization.
Destination - Keep it as Internet so that it applies to all traffic going to the internet or DMZ.

Services & Applications - Click the plus sign to open the Application viewer. Add the Facebook application to the rule:

Start to type "face" in the Search field. In the Available list, see the Facebook application.
Click each item to see more details in the description pane.
Select the items to add to the rule.

Note - Applications are matched by default on their Recommended services. You can change this (see Configuring Matching for an Allowed Application). Each service runs on a specific port. The recommended Web Browsing Services are http, https, HTTP_proxy, and HTTPS_proxy.

Action - Select Accept
Track - Select Log
Install On - Keep it as Policy Targets for or all Security Gateways, or choose specific Security Gateways, on which to install the rule

The rule allows all Facebook traffic but logs it. You can see the logs in the Logs & Monitor view, in the Logs tab. To monitor how people use Facebook in your organization, see the Access Control view (SmartEvent Server required).

Blocking Applications and Informing Users

Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this?

To block an application or category of applications and tell the user about the policy violation:

In the Security Policies view of SmartConsole, go to the Access Control Policy.
Choose a Layer with Applications and URL Filtering enabled.

Create a rule that includes these components:

Services & Applications - Select the Pornography category.
Action - Drop, and a UserCheck Blocked Message - Access Control

The message informs users that their actions are against company policy and can include a link to report if the website is included in an incorrect category.

Track - Log

Note - This Rule Base example contains only those columns that are applicable to this subject.

Name	Source	Destination	Services & Applications	Action	Track	Install On
Block Porn	Any	Internet	Pornography (category)	Drop Blocked Message	Log	Policy Targets

The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.

Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal.

Limiting Application Traffic

Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks.

If you do not want to block an application or category, there are different ways to set limits for employee access:

Add a Limit object to a rule to limit the bandwidth that is permitted for the rule.
Add one or more Time objects to a rule to make it active only during specified times.

The example rule below:

Allows access to streaming media during non-peak business hours only.
Limits the upload throughput for streaming media in the company to 1 Gbps.

To create a rule that allows streaming media with time and bandwidth limits:

In the Security Policies view of SmartConsole, go to the Access Control Policy.
Choose a Layer with Applications and URL Filtering enabled.
Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base.

Create a rule that includes these components:

Services & Applications - Media Streams category.

Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing Services: http, https, HTTP_proxy, and HTTPS_proxy. To change this, see Services & Applications Column.

Action - Click More and select Action: Accept, and a Limit object.

Time - Add a Time object that specifies the hours or time period in which the rule is active.

Note - The Time column is not shown by default in the Rule Base table. To see it, right-click on the table header and select Time.

Name	Source	Destination	Services and Applications	Action	Track	Install On	Time
Limit Streaming Media	Any	Internet	Media Streams (Category)	Accept Upload_1Gbps	Log	All	Off-Work

Important:

In ClusterXL Load Sharing modes, the specified bandwidth limit is divided between all configured Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members, regardless of the cluster state. For example, if a maximum limit requirement is 30 Gbps, and there are three Cluster Members, you must configure the Limit object in the rule to 30 Gbps / 3 = 10 Gbps.
In a Scalable PlatformSecurity Group, the specified bandwidth limit is divided between all Security Group Members, regardless of their state. For example, if a maximum limit requirement is 30 Gbps, and there are three Security Group Members, you must configure the Limit object in the rule to 30 Gbps / 3 = 10 Gbps.

Using Identity Awareness Features in Rules

Scenario: I want to allow a Remote Access application for a specified group of users and block the same application for other users. I also want to block other Remote Access applications for everyone. How can I do this?

If you enable Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., you can use it together with Application Control to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

You have already created an Access Role Identified_Users that represents all identified users in the organization. You can use this to allow access to applications only for users who are identified on the Security Gateway.
You want to allow access to the Radmin Remote Access tool for all identified users.
You want to block all other Remote Access tools for everyone within your organization. You also want to block any other application that can establish remote connections or remote control.

To do this, add two new rules to the Rule Base:

Create a rule and include these components:
- Source - The Identified_Users access role
- Destination -Internet
- Services & Applications - Radmin
- Action -Accept

Create another rule below and include these components:

Source - Any
Destination - Internet
Services & Applications - The category: Remote Administration

Action - Block

Name	Source	Destination	Services & Applications	Action	Track	Install On
Allow Radmin to Identified Users	Identified_Users	Internet	Radmin	Allow	Log	All
Block other Remote Admins	Any	Internet	Remote Administration	Block	Log	All

Notes on these rules::

Because the rule that allows Radmin is above the rule that blocks other Remote Administration tools, it is matched first.
The Source of the first rule is the Identified_Users access role. If you use an access role that represents the Technical Support department, then only users from the technical support department are allowed to use Radmin.
Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web browsing services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

For more about Access Roles and Identity Awareness, see the R81.20 Identity Awareness Administration Guide.

Blocking Sites

Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of these categories exist in the Application Database but there is also a custom defined site that must be included. How can I do this?

You can do this by creating a custom group and adding all applicable categories and the site to it. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

You have already created
- An Access Role that represents all identified users in the organization (Identified_Users).
- A custom application for a site named FreeMovies.
You want to block sites that can cause liability issues for everyone within your organization.
You will create a custom group that includes Application Database categories as well as the previously defined custom site named FreeMovies.

In the Rule Base, add a rule similar to this

In the Security Policies view of SmartConsole, go to the Access Control Policy.

Source - The Identified_Users access role
Destination - Internet
Services & Applications - Liability_Sites

Action - Drop

Note - Applications are matched on their Recommended services, where each service runs on a specific port, such as the default Application Control Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy. To change this see Changing Services for Applications and Categories.

Name	Source	Destination	Services & Applications	Action	Track
Block sites that may cause a liability	Identified_Users	Internet	Liability_Sites	Drop	Log

Blocking URL Categories

Scenario: I want to block pornographic sites. How can I do this?

You can do this by creating a rule that blocks all sites with pornographic material with the Pornography category. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object.

In this example:

You have already created an Access Role (Identified_Users) that represents all identified users in the organization.
You want to block sites related to pornography.

The procedure is similar to Blocking Applications and Informing Users.

Using Dynamic URL Lists for Application Control and URL Filtering

Starting from R81.20 Jumbo Hotfix Accumulator Take 115, you can create a Dynamic URL List for Application Control and URL Filtering. The Dynamic URL List allows automatic update of the URL list based on a feed file, without requiring a policy installation for each URL change. Policy installation is only needed when modifying the configuration of the URL list itself (such as adding a new Dynamic URL List object or changing feed location). This feature provides greater flexibility and efficiency when managing allow lists and block lists.

To configure a Dynamic URL List

Create a file with the list of URLs

Prepare a plain-text file containing the required URLs (for example, with the name urls.txt).

Notes:

Enter each URL entry on a new line.

You can configure URLs using Regular Expressions:

Example: To match example.com and its sub-domains (such as support.example.com, you can configure the URL in one of these ways:

\/example\.com

\.example\.com

\/example\.com|\.example\.com

For more examples on defining URLs as Regular Expressions, see sk165094.

Lines beginning with the # character are considered comments and are ignored.

Optional: Create a version file

Create a plain-text file named version in the same directory as the urls.txt file.

The file must contain a timestamp of the last update of the urls.txt file. The timestamp must be in Unix Epoch format

Create the dynamic configuration file for the URLs

Create a plain-text file named dynamic_urls_lists.C (this name is mandatory and case-sensitive) in the format of the example below.

This example contains two URLs and uses HTTP authentication in the Urls2 list:

:dynamic_urls_lists (

: (

:name (Urls1) # Must be the same as the name of the Custom Application/Site object in SmartConsole

:path (https://172.16.4.191/urls) # Must be the same as configured in the file "urls.txt" and in the Custom Application/Site object

:regex (false)

: (

:name (Urls2) # Must match the name of the Custom Application/Site object in SmartConsole

:path (http://example.com/content) # Must be the same as configured in the file "urls.txt" and in the Custom Application/Site object

:username (user123)

:password (7f737d777d1c) # Obfuscated password

:regex (true)

:update_interval (300) # Update interval in seconds

Notes:

Strings that appear after the # character are considered comments and are ignored.
In the name field, enter the application name. This name must match the name of the Custom Application/Site object you created in SmartConsole.

In the field :path, enter the applicable URL exactly as you configured it in the urls.txt file .

To specify the URL using a Regular Expression:

In the file urls.txt, enter the URL using a Regular Expression
In the path field, enter the URL using a Regular Expression
In the regex field, configure the value true.

Example:

To match example.com and its sub-domains (such as support.example.com), configure the URL in one of these ways:

\/example\.com

\.example\.com

\/example\.com|\.example\.com

For more examples on defining URLs as Regular Expressions, see sk165094.

If HTTP authentication is required (RFC 7617):

In the :username field, enter the username.

In the :password field, enter the password.

Important - Obfuscate the password using this Expert mode command:

obfuscate_password <Password String>

If authentication is used, it is relevant for both the urls.txt and version files.

In SmartConsole, create a Custom Application/Site object for each URL list
1. In SmartConsole, go to the Object Explorer, click New > More > Custom Application/Site > Application/Site.
  
  The New Application/Site window opens:
2. Enter the list name.
3. In General > General > Primary Category, select Custom_Application Site.
4. In General > Match By > URL List, click the + sign.
5. Enter the path to the list. In this example: https://172.16.4.191/urls
6. If relevant, select URLs are defined as Regular Expressions.
7. Click OK.
8. Repeat these steps for each URL list.

Deploy the configuration to the Security Gateway:

Copy the dynamic_urls_lists.C file to the Security Gateway / each Cluster Member Security Gateway that is part of a cluster. / Scalable Platform Security Group to this directory:

$FWDIR/appi/update/

Important - In the VSNext / VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode, you must copy the dynamic_urls_lists.C file to the $FWDIR/appi/update/ directory in the context of the specific Virtual Gateway / Virtual System:

Connect to the command line on the VSNext Security Group/ VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. / VSX Cluster.
Log in to the Expert mode.
Go to the context of the specific Virtual Gateway / Virtual System. Run:

vsenv <VSID>
Go to the directory. Run:

cd $FWDIR/appi/update/
Get the absolute path. Run:

pwd

On a Scalable Platform Security Group, copy the file to each Security Group Member. Run:

asg_cp2blades $FWDIR/appi/update/dynamic_urls_lists.C

Important - In the VSNext / VSX mode, you must copy the file $FWDIR/appi/update/dynamic_urls_lists.C to the context of the specific Virtual Gateway / Virtual System. Instead of the $FWDIR path, use the absolute path from step a.

In SmartConsole, install the Access Control policy on the Security Gateway / Security Cluster / Virtual Gateway / Virtual System object.

Make sure that the URL list is accessible from the Security Gateway.

Notes:

After each change in the dynamic_urls_lists.C file, you must install the Access Control policy.

Changes in the file with URLs (urls.txt) do not require policy installation.
If an invalid URL format is detected or if the URL list cannot be downloaded, the Security Gateway generates a log, and the URLs are not updated
There is no validation in SmartConsole.

To manually force an update, delete these files on the Security Gateway / Cluster Member / Security Group:

$FWDIR/appi/update/URL_List_Version

$FWDIR/appi/update/URL_List_next_update

Important - In the VSNext / VSX mode, you must delete these files to the context of the specific Virtual Gateway / Virtual System.

To check the update status, examine this file:

$FWDIR/appi/update/URL_List_status.C

Important - In the VSNext/ VSX mode, examine this file in the context of the specific Virtual Gateway/ Virtual System.