Rule Matching in the Access Control Policy

The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. determines the rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. to apply to a connection. This is called matching a connection. Understanding how the Security Gateway matches connections will help you:

Get better performance from the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..
Understand the logs that show a matched connection.

Examples of Rule Matching

These example Rule Bases show how the Security Gateway matches connections.

Note that these Rule Bases intentionally do not follow the best practices for Access Control Rules (see Best Practices for Access Control Rules). This is to make the explanations of rule matching clearer.

Rule Base Matching - Example 1

For this Rule Base:

No	Source	Destination	Services & Applications	Content	Action
1	InternalZone	Internet	ftp-pasv	Download executable file	Drop
2	Any	Any	Any	Executable file	Accept
3	Any	Any	Gambling (Category)	Any	Drop
4	Any	Any	Any	Any	Accept

This is the matching procedure for an FTP connection:

Part of connection	Security Gateway action	Inspection result
SYN	Run the Rule Base: Look for the first rule that matches: Rule 1 - Match.	Final match (drop on rule 1). Shows in the log. The Security Gateway does not turn on the inspection engines for the other rules.

Part of connection

Security Gateway action

Inspection result

SYN

Run the Rule Base:

Look for the first rule that matches:

Rule 1 - Match.

Final match (drop on rule 1).

Shows in the log.

The Security Gateway does not turn on the inspection engines for the other rules.

Rule Base Matching - Example 2

For this Rule Base:

No.	Source	Destination	Services & Applications	Content	Action
1	InternalZone	Internet	Any	Download executable file	Drop
2	Any	Any	Gambling (category)	Any	Drop
3	Any	Any	ftp	Any	Drop
4	Any	Any	Any	Any	Accept

This is the matching procedure when browsing to a file sharing Web site. Follow the rows from top to bottom. Follow each row from left to right:

Part of connection	Security Gateway action	Inspection result
SYN	Run the Rule Base. Look for the first rule that matches: Rule 1 - Possible match. Rule 2 - Possible match. Rule 3 - No match. Rule 4 - Match.	Possible match (Continue to inspect the connection).
HTTP Header	The Security Gateway turns on inspection engines to examine the data in the connection. In this example turn on the: URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. engine - Is it a gambling site? Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT. engine - Is it an executable file?	Application: File sharing (category). Content: Don't know yet.
	Optimize the Rule Base matching. Look for the first rule that matches: Rule 1 - Possible match. Rule 2 - No match. Rule 3 - No match. Rule 4 - Match.	Possible match (Continue to inspect the connection).
HTTP Body	Examine the file.	Data: PDF file.
	Optimize the Rule Base matching. Look for the first rule that matches: Rule 1 - No match. Rule 2 - No match. Rule 3 - No match. Rule 4 - Match.	Final match (accept on rule 4). Shows in the log.

Rule Base Matching - Example 3

For this Rule Base:

No.	Source	Destination	Services & Applications	Content	Action
1	InternalZone	Internet	Any	Download executable file	Drop
2	Any	Any	Gambling (Category)	Any	Drop
3	Any	Any	Any	Any	Accept

This is the matching procedure when downloading an executable file from a business Web site. Follow the rows from top to bottom. Follow each row from left to right:

Part of connection	Security Gateway action	Inspection result
SYN	Run the Rule Base. Look for the first rule that matches: Rule 1 - Possible match. Rule 2 - Possible match. Rule 3 - Match.	Possible match (Continue to inspect the connection).
HTTP Header	The Security Gateway turns on inspection engines to examine the content in the connection. In this example turn on the: URL Filtering engine - Is it a gambling site? Content Awareness engine - Is it an executable file?	Application: Business (Category). Content: Don't know yet.
	Optimize the Rule Base matching. Look for the first rule that matches: Rule 1 - Possible match. Rule 2 - No match. Rule 3 - Match.	Possible match (Continue to inspect the connection).
HTTP Body	Examine the file.	Content: Executable file.
	Optimize the Rule Base matching. Look for the first rule that matches: Rule 1 - Match. Rule 2 - No match. Rule 3 - Match.	Final match (drop on rule 1). Shows in the log.

The matching examples show that:

The Security Gateway sometimes runs the Rule Base more than one time. Each time it runs, the Security Gateway optimizes the matching, to find the first rule that applies to the connection.
If the rule includes an application, or a site, or a service with a protocol signature (in the Application and Services column), or a Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade. (in the Content column), the Security Gateway:
- Turns on one or more inspection engines.
- Postpones making the final match decision until it has inspected the body of the connection.
The Security Gateway searches for the first rule that applies to (matches) a connection. If the Security Gateway does not have all the information it needs to identify the matching rule, it continues to inspect the traffic.