Pre-R80.10 Gateways and the Unified Access Control Policy

When you upgrade an R77.30 or lower Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., which manages R77.30 or lower Security Gateways, to R80.10 or higher, the existing Access Control policies are converted in this way:

• The pre-R80.10 Firewall policy is converted into the Network Policy Layer of the R80 Access Control Policy. The implicit cleanup rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. for it is set to Drop all traffic that is not matched by any rule in this Layer.

• The pre-R80.10 Application & URL Filtering policy is converted into the Application Policy Layer Layer (set of rules) in a Security Policy., which is the second Layer of the R80.x Access Control Policy. The implicit cleanup rule for it is set to Accept all traffic that is not matched by any rule in this Layer.

Important - After upgrade, do not change the Action of the implicit cleanup rules, or the order of the Policy Layers. If you do, the policy installation will fail.

New Access Control Policy for pre-R80.10 Security Gateways on an R80.x Security Management Server must have this structure:

1. The first Policy Layer is the Network Layer (with the Firewall blade enabled on it).

2. The second Policy Layer is the Application & URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. Layer (with the Application & URL Filtering blade enabled on it).

3. There are no other Policy Layers.

If the Access Control Policy has a different structure, the policy will fail to install.

You can change the names of the Layers, for example, to make them more descriptive.

Each new Policy Layer will have the explicit default rule, added automatically and set to Drop all the traffic that does not match any rule in that Policy Layer. We recommend that the Action is set to Drop for the Network Policy Layer and Accept for the Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. Policy Layer.

If you remove the default rule, the Implicit Cleanup Rule will be enforced. The Implicit Cleanup Rule is configured in the Policy configuration window and is not visible in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase. table. Make sure the Implicit Cleanup Rule is configured to Drop the unmatched traffic for the Network Policy Layer and to Accept the unmatched traffic for the Application Control Policy Layer.