The Columns of the Access Control Rule Base
These are the columns of the rules in the Access Control policy. Not all of these are shown by default. To select a column that does not show, right-click on the header of the Rule Base, and select it.
| Column | Description |
|---|---|
| No | Rule number in the Rule Base Layer. |
| Hits | Number of times that connections match a rule. |
| Name | Name that the system administrator gives this rule. |
| Source, Destination | Network objects that define the source and destination of the connection. See Source and Destination Column. |
| VPN | The VPN Community to which the rule applies. See VPN Column. |
| Services & Applications | Services, Applications, Categories, and Sites. See Services & Applications Column. |
| Content | The data asset to protect, for example, credit card numbers or medical records. You can set the direction of the data to Download Traffic (into the organization), Upload Traffic (out of the organization), or Any Direction. See Content Column. |
| Action | Action that is done when traffic matches the rule. Options include: Accept, Drop, Ask, Inform (UserCheck message), and Reject. See Actions. |
| Track | Tracking and logging action that is done when traffic matches the rule. See Tracking Column. |
| Install On | Network objects that will get the rule(s) of the policy. |
| Time | Time period during which this rule is enforced. |
| Comment | An optional field that lets you summarize the rule. |
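The way these columns combine at enforcement time is easiest to see in a small first-match evaluator. The following is an added example written for this page, not Check Point code or a description of the gateway's internal implementation: it models a layer as an ordered list of rules with Source, Destination, Services & Applications, Action and Track columns, counts Hits, and reports the rule number (the No column) that matched. The network and service objects, the sample connections, and the assumption that an implicit cleanup rule drops and logs anything no explicit rule matches are all constructed for the example.

```python
"""Added example (not Check Point code): a minimal first-match evaluator for one
Access Control layer, showing how the No, Hits, Source, Destination,
Services & Applications, Action and Track columns interact."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network objects: name -> list of CIDRs. "Any" matches everything.
NETWORK_OBJECTS = {
    "Any": ["0.0.0.0/0"],
    "Internal_Net": ["10.0.0.0/8"],
    "DMZ_Web": ["192.0.2.10/32"],
}

# Constructed service objects: name -> (protocol, port). "Any" matches everything.
SERVICE_OBJECTS = {
    "Any": None,
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "dns": ("udp", 53),
}


@dataclass
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str            # Accept / Drop / Reject
    track: str = "Log"     # None / Log / Accounting
    hits: int = 0          # the Hits column, incremented on every match


@dataclass
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def _object_matches_ip(obj_name, ip):
    """True if the address falls inside any CIDR of the named network object."""
    return any(ip_address(ip) in ip_network(cidr) for cidr in NETWORK_OBJECTS[obj_name])


def _service_matches(svc_name, conn):
    """Port-based service matching: protocol and destination port must agree."""
    spec = SERVICE_OBJECTS[svc_name]
    return spec is None or spec == (conn.proto, conn.dport)


def evaluate(rules, conn):
    """Return (rule number, action, track) for the first rule the connection matches.

    The rule number is the 1-based position in the layer (the No column). If no
    explicit rule matches, the constructed cleanup rule (one past the last rule)
    drops and logs the connection.
    """
    for number, rule in enumerate(rules, start=1):
        if (_object_matches_ip(rule.source, conn.src)
                and _object_matches_ip(rule.destination, conn.dst)
                and _service_matches(rule.service, conn)):
            rule.hits += 1
            return number, rule.action, rule.track
    return len(rules) + 1, "Drop", "Log"


def build_sample_layer():
    """A constructed three-rule layer; rule order matters because matching stops
    at the first hit, so the narrow DMZ rule is placed before the broad ones."""
    return [
        Rule("Web to DMZ", "Any", "DMZ_Web", "https", "Accept", "Log"),
        Rule("Internal DNS", "Internal_Net", "Any", "dns", "Accept", "None"),
        Rule("Internal browsing", "Internal_Net", "Any", "http", "Accept", "Accounting"),
    ]


if __name__ == "__main__":
    layer = build_sample_layer()
    for conn in (Connection("198.51.100.7", "192.0.2.10", "tcp", 443),
                 Connection("10.1.2.3", "203.0.113.5", "tcp", 22)):
        print(conn, "->", evaluate(layer, conn))
    print("hits:", [(r.name, r.hits) for r in layer])
```

The Track value returned alongside the action is what decides whether a log record is produced at all, so a rule that matches but tracks None leaves no trace in the logs; the Hits counter is the only evidence it fired.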
Source and Destination Column
In the Source and Destination columns of the Access Control Policy Rule Base, you can add Network objects including groups of all types.
Here are some of the Network objects you can include:
- Network (see Networks and Network Groups)
- Host
- Zones (see Security Zones)
- Dynamic Objects (see Dynamic Objects)
- Domain Objects (see Domains)
- Access Roles
- Updatable Objects (see Updatable Objects)
To Learn More About Network Objects
You can add network objects to the Source and Destination columns of the Access Control Policy. See Managing Objects.
VPN Column
You can configure rules for Site-to-Site VPN, Remote Access VPN, and the Mobile Access Portal and clients.
To make a rule for a VPN Community, add a Site-to-Site Community or a Remote Access VPN Community object to this column, or select Any to make the rule apply to all VPN Communities.
When you enable Mobile Access on a Security Gateway, the Security Gateway is automatically added to the RemoteAccess VPN Community. Include that Community in the VPN column of the rule or use Any to make the rule apply to Mobile Access Security Gateways. If the Security Gateway was removed from the VPN Community, the VPN column must contain Any.
IPsec VPN
The IPsec VPN solution lets the Security Gateway encrypt and decrypt traffic to and from other Security Gateways and clients. Use SmartConsole to easily configure VPN connections between Security Gateways and remote devices.
For Site-to-Site Communities, you can configure Star and Mesh topologies for VPN networks, and include third-party gateways.
The VPN tunnel guarantees:
- Authenticity - Uses standard authentication methods
- Privacy - All VPN data is encrypted
- Integrity - Uses industry-standard integrity assurance methods
IKE and IPsec
The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.
Mobile Access to the Network
Check Point Mobile Access lets remote users easily and securely use the Internet to connect to internal networks. Remote users start a standard HTTPS request to the Mobile Access Security Gateway, and authenticate with one or more secure authentication methods.
The Mobile Access Portal lets mobile and remote workers connect easily and securely to critical resources over the internet. Check Point Mobile Apps enable secure encrypted communication from unmanaged smartphones and tablets to your corporate resources. Access can include internal apps, email, calendar, and contacts.
To include access to Mobile Access applications in the Rule Base, include the Mobile Application in the Services & Applications column.
To give access to resources through specified remote access clients, create Access Roles for the clients and include them in the Source column of a rule.
To Learn More About VPN
To learn more about Site-to-Site VPN and Remote Access VPN, see these guides:
Services & Applications Column
In the Services & Applications column of the Access Control Rule Base, define the applications, sites, and services that are included in the rule. A rule can contain one or more:
- Services
- Applications
- Mobile Applications for Mobile Access
- Web sites
- Default categories of Internet traffic
- Custom groups or categories that you create, that are not included in the Check Point Application Database.
Service Matching
The Security Gateway identifies (matches) a service according to IP protocol, TCP and UDP port number, and protocol signature.
To make it possible for the Security Gateway to match services by protocol signature, you must enable Application & URL Filtering on the Security Gateway and on the Ordered Layer (see Enabling Access Control Features ).
You can configure TCP and UDP services to be matched by source port.
Application Matching
If an application is allowed in the policy, the rule is matched only on the Recommended services of the application. This default setting is more secure than allowing the application on all services. For example, a rule that allows Facebook allows it only on the Application Control Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy.
If an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.
You can change the default match settings for applications.
You can configure how a rule matches an application or category that is allowed in the policy. You can configure the rule to match the application in one of these ways:
- On any service
- On a specified service
To do this, change the Match Settings of the application or category. The application or category is changed everywhere that it is used in the policy.
To change the matched services for an allowed application or category:
1. In a rule which has applications or categories in the Services & Applications column, double-click an application or category.
2. Select Match Settings.
3. Select an option:
   - The default is Recommended services. The defaults for Web services are the Application Control Web Browsing Services.
   - To match the application with all services, click Any.
   - To match the application on specified services, click Customize, and add or remove services.
   - To match the application with all services and exclude specified services, click Customize, add the services to exclude, and select Negate.
4. Click OK.
By default, if an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.
You can configure the matching for blocked applications so that they are matched on the recommended services. For Web applications, the recommended services are the Application Control Web browsing services.
If the match settings of the application are configured to Customize, the blocked application is matched on the customized services. It is not matched on all ports.
To configure matching for blocked applications:
1. In SmartConsole, go to Manage & Settings > Blades > Application & URL Filtering > Advanced Settings > Application Port Match.
2. Configure Match application on 'Any' port when used in 'Block' rule:
   - Selected - This is the default. If an application is blocked in the Rule Base, the application is matched to Any port.
   - Not selected - If an application is blocked in the Rule Base, the application is matched to the services that are configured in the application object of the application. However, some applications are still matched on Any. These are applications (Skype, for example) that do not limit themselves to a standard set of services.
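The interaction between an application's Match Settings, the rule's action, and the global Application Port Match setting is easy to get wrong when reviewing a policy (a "block" rule that is silently narrowed to four web services is the usual surprise). The following is an added example written for this page, not Check Point code: it models the rules stated in the two procedures above and answers, for a connection already identified as a given service, whether the application matches. Constructed assumptions: applications that do not limit themselves to a standard set of services (the page's Skype example) are represented by a per-application flag, and a customized application is taken to keep its customized services even in a block rule, which is my reading of the sentence "the blocked application is matched on the customized services".

```python
"""Added example (not Check Point code): how an application in the
Services & Applications column is matched on services, given its Match Settings
(Recommended / Any / Customize / Customize + Negate), whether the rule allows or
blocks it, and the global "Match application on 'Any' port when used in 'Block'
rule" setting. Service names other than the four web services are constructed."""
from dataclasses import dataclass

# The Application Control Web Browsing Services named on the page.
WEB_BROWSING_SERVICES = frozenset({"http", "https", "HTTP_proxy", "HTTPS_proxy"})


@dataclass
class AppMatchSettings:
    mode: str = "recommended"              # "recommended" | "any" | "customize"
    services: frozenset = frozenset()      # used when mode == "customize"
    negate: bool = False                   # customize: match ALL services EXCEPT these
    non_standard_ports: bool = False       # constructed flag: app always matches on Any
    recommended: frozenset = WEB_BROWSING_SERVICES


def matched_services(app, action, block_on_any_port=True):
    """Return "Any", a frozenset of service names, or ("Any except", frozenset).

    Allowed application: follows its Match Settings.
    Blocked application with Recommended services: Any while the global setting is
    selected (the default), its recommended services when it is not selected.
    Customized application: its customized services, whether allowed or blocked
    (assumption noted in the lead-in).
    """
    if app.non_standard_ports or app.mode == "any":
        return "Any"
    if app.mode == "customize":
        return ("Any except", app.services) if app.negate else app.services
    if app.mode != "recommended":
        raise ValueError(f"unknown match mode {app.mode!r}")
    if action == "block" and block_on_any_port:
        return "Any"
    return app.recommended


def app_matches(app, action, service, block_on_any_port=True):
    """Does a connection identified as `service` (e.g. "https", or a constructed
    name such as "tcp-8080" for a non-standard port) match this application?"""
    scope = matched_services(app, action, block_on_any_port)
    if scope == "Any":
        return True
    if isinstance(scope, tuple):          # ("Any except", excluded services)
        return service not in scope[1]
    return service in scope


def summarize(app, action, block_on_any_port=True):
    """One-line description of the effective matching, the kind of row a policy
    review would record next to each application in a rule."""
    scope = matched_services(app, action, block_on_any_port)
    if scope == "Any":
        return f"{action}: matched on Any port"
    if isinstance(scope, tuple):
        return f"{action}: matched on Any port except {', '.join(sorted(scope[1]))}"
    return f"{action}: matched on {', '.join(sorted(scope))}"


if __name__ == "__main__":
    web_app = AppMatchSettings()                      # Recommended services (default)
    for flag in (True, False):
        print(f"global setting selected={flag}:", summarize(web_app, "block", flag))
    print(summarize(web_app, "allow"))
```

The practical check this supports: with the global setting cleared, a block rule for a Recommended-services application no longer covers the application on non-standard ports, so the audit question "is this block rule still matching on Any?" has to be answered per application, not per rule.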
Summary of Application Matching in a "Block" Rule
You can add services, applications and sites to a rule.
Note - Rules with applications or categories do not apply to connections from or to the Security Gateway.
To add services, applications or sites to a rule:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. To add applications to a rule, select a Layer with Applications and URL Filtering enabled.
3. Right-click the Services & Applications cell for the rule and select Add New Items.
4. Search for the services, sites, applications, or categories.
5. Click the + next to the ones you want to add.
You can create custom applications, categories or groups, which are not included in the Check Point Application Database.
To create a new application or site:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Select a Layer with Applications and URL Filtering enabled.
3. Right-click the Services & Applications cell for the rule and select Add New Items.
   The Application viewer window opens.
4. Click New > Custom Applications/Site > Application/Site.
5. Enter a name for the object.
6. Enter one or more URLs.
   If you used a regular expression in the URL, click URLs are defined as Regular Expressions.
   Note - If the application or site URL is defined as a regular expression you must use the correct syntax. See sk165094.
7. Click OK.
To create a new User Category:
1. In the Security Policies view of SmartConsole, go to the Access Control Policy.
2. Select a Layer with Applications and URL Filtering enabled.
3. Right-click the Services & Applications cell for the rule and select Add New Items.
   The Application viewer window opens.
4. Click New > Custom Applications/Site > User Category.
5. Enter a name for the object.
6. Enter a description for the object.
7. Click OK.
Services and Applications on R77.30 and Lower Security Gateways, and after Upgrade
For Security Gateways R77.30 and lower:
- The Security Gateway matches TCP and UDP services by port number. The Security Gateway cannot match services by protocol signature.
- The Security Gateway matches applications by the application signature.
When you upgrade the Security Management Server to R80 and higher and the Security Gateways to R80.10 and higher, this change of behavior occurs:
- Applications that were defined in the Application & URL Filtering Rule Base are accepted on their recommended ports.
Content Column
You can add Data Types to the Content column of rules in the Access Control Policy.
To use the Content column, you must enable Content Awareness, in the General Properties page of the Security Gateway, and on the Layer.
A Data Type is a classification of data. The Security Gateway classifies incoming and outgoing traffic according to Data Types, and enforces the Policy accordingly.
You can set the direction of the data in the Policy to Download Traffic (into the organization), Upload Traffic (out of the organization), or Any Direction.
There are two kinds of Data Types: Content Types (classified by analyzing the file content) and File Types (classified by analyzing the file ID).
Content Type examples:
- PCI - credit card numbers
- HIPAA - Medical Records Number - MRN
- International Bank Account Numbers - IBAN
- Source Code - JAVA
- U.S. Social Security Numbers - According to SSA
- Salary Survey Terms
File type examples:
- Viewer File - PDF
- Executable file
- Database file
- Document file
- Presentation file
- Spreadsheet file
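The distinction between the two kinds of Data Type, and the role of the direction setting, can be shown with a toy classifier. The following is an added example written for this page, not Check Point code and not the Content Awareness engine's real detection logic: a Content Type is recognised by inspecting the file content (here, PCI credit card numbers found by pattern and validated with the Luhn check), a File Type by the file's identity (here, the leading magic bytes of PDF and executable files), and a rule in the Content column applies only when the transfer direction agrees with its Download/Upload/Any setting. The payloads, the Data Type names reused from the lists above, and the rule are constructed.

```python
"""Added example (not Check Point code): a toy Content Awareness classifier.
Content Types are found by analysing the content; File Types by the file's
identity (magic bytes). Direction: "download" = into the organization,
"upload" = out of the organization, "any" = either."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# File identity by leading magic bytes (constructed, minimal list).
MAGIC = [
    (b"%PDF-", "Viewer File - PDF"),
    (b"MZ", "Executable file"),       # Windows PE
    (b"\x7fELF", "Executable file"),  # ELF
]


def luhn_ok(digits):
    """Luhn checksum, used to reject digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def content_types(data):
    """Content Types found by inspecting the payload text."""
    text = data.decode("utf-8", errors="ignore")
    found = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("PCI - credit card numbers")
            break
    return found


def file_types(data):
    """File Types found from the file identity, not the content."""
    return {name for magic, name in MAGIC if data.startswith(magic)}


def classify(data):
    """All Data Types that apply to a payload (a PDF full of card numbers
    matches both a File Type and a Content Type)."""
    return content_types(data) | file_types(data)


def rule_matches(rule_data_types, rule_direction, payload, transfer_direction):
    """Does a Content-column entry match this transfer?

    rule_direction is "download", "upload" or "any"; transfer_direction is the
    actual direction of this payload ("download" or "upload").
    """
    if rule_direction != "any" and rule_direction != transfer_direction:
        return False
    return bool(classify(payload) & set(rule_data_types))


if __name__ == "__main__":
    # Constructed sample payloads; 4111 1111 1111 1111 is a well-known test PAN.
    pdf_with_card = b"%PDF-1.7\ncardholder 4111 1111 1111 1111\n"
    plain_text = b"order ref 1234567890123456"  # fails Luhn: not a PAN
    print(classify(pdf_with_card))
    print(classify(plain_text))
    print(rule_matches(["PCI - credit card numbers"], "upload", pdf_with_card, "upload"))
```

Note what the direction check does and does not do: a rule set to Upload Traffic never matches an inbound copy of the same file, so a policy that only guards uploads still needs a download or Any Direction rule for data that must not enter the organization.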
To learn more about the Data Types, open the Data Type object in SmartConsole and press the ? button (or F1 key) to see the Help.
To learn more about DLP, see the R81.20 Data Loss Prevention Administration Guide.
Actions
| Action | Meaning |
|---|---|
| Accept | Accepts the traffic. |
| Drop | Drops the traffic. The Security Gateway does not send a response to the originating end of the connection and the connection eventually times out. If no UserCheck object is defined for this action, no page is displayed. |
| Ask | Asks the user a question and adds a confirmatory check box, or a reason box. Uses a UserCheck object. |
| Inform | Sends a message to the user attempting to access the application or the content. Uses a UserCheck object. |
To see these actions, right-click and select More:
| Action | Meaning |
|---|---|
| Reject | Rejects the traffic. The Security Gateway sends an RST packet to the originating end of the connection and the connection is closed. |
| UserCheck Frequency | Configure how often the user sees the configured message when the action is Ask, Inform, or Block. |
| Confirm UserCheck | Select the action that triggers a UserCheck message. |
| Limit | Limits the bandwidth that is permitted for a rule. Add a Limit object to configure a maximum throughput for uploads and downloads. |
| Enable Identity Captive Portal | Redirects HTTP traffic to an authentication (captive) portal. After the user is authenticated, new connections from this source are inspected without requiring authentication. |
Tracking Column
These are some of the Tracking options:
- None - Do not generate a log.
- Log - This is the default Track option. It shows all the information that the Security Gateway used to match the connection.
- Accounting - Select this to update the log at 10-minute intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.
To Learn More About Tracking
To learn more about Tracking options, see the R81.20 Logging and Monitoring Administration Guide.