Using the Reputation Service to Allow or Block Applications
The Check Point Reputation Service is an online service that gathers information about applications and classifies them as approved or not approved. The classifications are based on the recommendations of Check Point security experts and the hash value of the signed certificate of the application.
The Endpoint Security client uses the recommendation of the Reputation Service for the application, together with the permission setting for the application in the Application Control policy, to decide whether to allow or block the application.
For example, if an application is configured in the Application Control Policy as Unidentified (Allow), and the Reputation Service recommendation for the application is Not Approved, the application is blocked. However, if the administrator explicitly configures the Application Control policy to Allow or Block the application, the policy setting overrides the recommendation of the Reputation Service.
The Endpoint Security client allows or blocks applications according to the following logic:
Reputation Service recommendation for the application | Application Control Policy setting for the application | Decision by the Endpoint Security Client
---|---|---
Approved | Unidentified (Allow) | Allow
Approved | Block (explicitly configured) | Block
Not Approved | Unidentified (Allow) | Block
Not Approved | Allow (explicitly configured) | Allow
Pre-Requisites for Using the Reputation Service
- The Endpoint Security Management Server must have Internet access (on ports 80 and 443) to connect to the Check Point Reputation Service Server. Make sure that this traffic is allowed.
- We recommend that you add the Reputation Service Server to your Trusted Zone. See Changing the Access Zones Policy.
Using the Reputation Service with a Proxy
If your environment includes a proxy server for Internet access, do the configuration steps below to let the Endpoint Security Management Server connect to the Check Point Reputation Service Server through the proxy server. Note that all configuration entries are case-sensitive.
If your organization uses a proxy server for HTTP and HTTPS traffic, you must configure the Endpoint Security Management Server to work with the proxy server.
To configure use of a proxy server:
- From the Endpoint Security Management Server command line, run: cpstop
- Go to $UEPMDIR/engine/conf and open the local.properties file in a text editor.
- Add a line for each of these properties:
  - The proxy server IP address: http.proxy.host=<IP address>
  - The proxy server listening port (typically 8080): http.proxy.port=<port>
  - If authentication is enabled on the proxy server, add these two lines (do not add them if authentication is not required): http.proxy.user=<username> and http.proxy.password=<password>
  Make sure that you delete (or do not insert) the '#' character at the beginning of these lines. If you do not do this, all applications are blocked when trying to access the Internet.
- Save $UEPMDIR/engine/conf/local.properties and then close the text editor.
- Run: cpstart
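The two mistakes the procedure warns about, a proxy line left commented out with '#' and a key typed in the wrong case, are easy to miss in a text editor and both leave the server unable to reach the Reputation Service. The following script is an added example, not Check Point code, that parses a local.properties text and reports those mistakes before you run cpstart. It assumes only the four http.proxy.* keys named above and standard Java .properties syntax ('#' or '!' starts a comment line); the two sample files are constructed for the demonstration.

```python
import re

# Proxy properties named in the procedure above; local.properties keys are case-sensitive.
REQUIRED_KEYS = ("http.proxy.host", "http.proxy.port")
AUTH_KEYS = ("http.proxy.user", "http.proxy.password")

_KV = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Split Java-style .properties text into two dicts:
    active    -> keys that take effect
    commented -> keys found on lines starting with '#' or '!' (ignored by the server)
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line[0] in "#!"
        body = line.lstrip("#!").strip() if is_comment else line
        match = _KV.match(body)
        if not match:
            continue  # free-text comment or malformed line
        key, value = match.group(1), match.group(2).strip()
        (commented if is_comment else active)[key] = value
    return active, commented


def check_proxy_config(text):
    """Return a list of findings; an empty list means the proxy block is consistent."""
    active, commented = parse_properties(text)
    findings = []
    lower_active = {k.lower(): k for k in active}

    for key in REQUIRED_KEYS:
        if key in active:
            continue
        if key in commented:
            findings.append(f"{key} is commented out: delete the leading '#' "
                            "or all Internet access is blocked")
        elif key in lower_active:
            findings.append(f"{lower_active[key]} is not {key}: keys are case-sensitive")
        else:
            findings.append(f"{key} is missing")

    # Placeholder left in place of the real proxy address
    if active.get("http.proxy.host", "").startswith("<"):
        findings.append("http.proxy.host still contains the <IP address> placeholder")

    port = active.get("http.proxy.port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"http.proxy.port={port!r} is not a valid TCP port")

    # Credentials only make sense as a pair; a lone user or password is a typo or a leftover.
    present = [k for k in AUTH_KEYS if k in active]
    if len(present) == 1:
        findings.append(f"{present[0]} is set without its companion; set both "
                        f"{AUTH_KEYS[0]} and {AUTH_KEYS[1]} or neither")
    for key in AUTH_KEYS:
        if key in commented and key not in active:
            findings.append(f"{key} is commented out; remove the '#' if the proxy "
                            "requires authentication")
    return findings


# Constructed sample files (not copied from any real server).
GOOD = """\
# proxy settings
http.proxy.host=10.1.2.3
http.proxy.port=8080
"""

BAD = """\
#http.proxy.host=10.1.2.3
HTTP.PROXY.PORT=8080
http.proxy.user=svc_proxy
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_proxy_config(text) or "OK")
```

Run it against the real file with `python3 check_proxy.py < $UEPMDIR/engine/conf/local.properties` after replacing the sample strings with `sys.stdin.read()`; an empty result means the host and port lines are active, spelled in the right case, and the optional credentials are either both present or both absent.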
Enabling the Reputation Service
In the Policy tab > Application Control rule, select the action: Enable Reputation Service.