The Columns of the Access Control Rule Base

These are the columns of the rules in the Access Control policy. Not all of these are shown by default. To select a column that does not show, right-click on the header of the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase., and select it.

Column	Description
No	Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. number in the Rule Base Layer.
Hits	Number of times that connections match a rule. See Analyzing the Rule Base Hit Count.
Name	Name that the system administrator gives this rule.
Source Destination	Network objects that define: Where the traffic starts The destination of the traffic See Source and Destination Column.
VPN	The VPN Community to which the rule applies. See VPN Column.
Services & Applications	Services, Applications, Categories, and Sites. If Application & URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. is not enabled, only Services show. See Services & Applications Column.
Content	The data asset to protect, for example, credit card numbers or medical records. You can set the direction of the data to Download Traffic (into the organization), Upload Traffic (out of the organization), or Any Direction. See Content Column.
Action	Action that is done when traffic matches the rule. Options include: Accept, Drop, Ask, Inform (UserCheck message), Inline Layer Set of rules used in another rule in Security Policy., and Reject. See Actions.
Track	Tracking and logging action that is done when traffic matches the rule. See Tracking Column.
Install On	Network objects that will get the rule(s) of the policy. See Installing the Access Control Policy.
Time	Time period that this rule is enforced.
Comment	An optional field that lets you summarize the rule.

Source and Destination Column

In the Source and Destination columns of the Access Control Policy Rule Base, you can add Network objects including groups of all types.

Here are some of the Network objects you can include:

Network (see Networks and Network Groups)
Host
Zones (see Security Zones)
Dynamic Objects (see Dynamic Objects)
Domain Objects (see Domains)
Access Roles
Updatable Objects (see Updatable Objects)

To Learn More About Network Objects

You can add network objects to the Source and Destination columns of the Access Control Policy. See Managing Objects.

VPN Column

You can configure rules for Site-to-Site VPN, Remote Access VPN, and the Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Portal and clients.

To make a rule for a VPN Community, add a Site-to-Site Community or a Remote Access VPN Community object to this column, or select Any to make the rule apply to all VPN Communities.

When you enable Mobile Access on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., the Security Gateway is automatically added to the RemoteAccess VPN Community. Include that Community in the VPN column of the rule or use Any to make the rule apply to Mobile Access Security Gateways. If the Security Gateway was removed from the VPN Community, the VPN column must contain Any.

IPsec VPN

The IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. solution lets the Security Gateway encrypt and decrypt traffic to and from other Security Gateways and clients. Use SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to easily configure VPN connections between Security Gateways and remote devices.

For Site-to-Site Communities, you can configure Star and Mesh topologies for VPN networks, and include third-party gateways.

The VPN tunnel guarantees:

Authenticity - Uses standard authentication methods
Privacy - All VPN data is encrypted
Integrity - Uses industry-standard integrity assurance methods

IKE and IPsec

The Check Point VPN solution uses these secure VPN protocols to manage encryption keys, and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.

Mobile Access to the Network

Check Point Mobile Access lets remote users easily and securely use the Internet to connect to internal networks. Remote users start a standard HTTPS request to the Mobile Access Security Gateway, and authenticate with one or more secure authentication methods.

The Mobile Access Portal lets mobile and remote workers connect easily and securely to critical resources over the internet. Check Point Mobile Apps enable secure encrypted communication from unmanaged smartphones and tablets to your corporate resources. Access can include internal apps, email, calendar, and contacts.

To include access to Mobile Access applications in the Rule Base, include the Mobile Application in the Services & Applications column.

To give access to resources through specified remote access clients, create Access Roles for the clients and include them in the Source column of a rule.

To Learn More About VPN

To learn more about Site-to-Site VPN and Remote Access VPN, see these guides:

Services & Applications Column

In the Services & Applications column of the Access Control Rule Base, define the applications, sites, and services that are included in the rule. A rule can contain one or more:

Services
Applications
Mobile Applications for Mobile Access
Web sites
Default categories of Internet traffic
Custom groups or categories that you create, that are not included in the Check Point Application Database.

Service Matching

The Security Gateway identifies (matches) a service according to IP protocol, TCP and UDP port number, and protocol signature.

To make it possible for the Security Gateway to match services by protocol signature, you must enable Application & URL Filtering on the Security Gateway and on the Ordered Layer (see Enabling Access Control Features ).

You can configure TCP and UDP services to be matched by source port.

Application Matching

If an application is allowed in the policy, the rule is matched only on the Recommended services of the application. This default setting is more secure than allowing the application on all services. For example: a rule that allows Facebook, allows it only on the Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI. Web Browsing Services: http, https, HTTP_proxy, and HTTPS_proxy.

If an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.

You can change the default match settings for applications.

Configuring Matching for an Allowed Application

You can configure how a rule matches an application or category that is allowed in the policy. You can configure the rule to match the application in one of these ways:

On any service
On a specified service

To do this, change the Match Settings of the application or category. The application or category is changed everywhere that it is used in the policy.

To change the matched services for an allowed application or category:

In a rule which has applications or categories in the Services & Applications column, double-click an application or category.
Select Match Settings.
Select an option:
- The default is Recommended services. The defaults for Web services are the Application Control Web Browsing Services.
- To match the application with all services, click Any.
- To match the application on specified services, click Customize, and add or remove services.
- To match the application with all services and exclude specified services, click Customize, add the services to exclude, and select Negate.
Click OK.

Configuring Matching for Blocked Applications

By default, if an application is blocked in the policy, it is blocked on all services. It is therefore blocked on all ports.

You can configure the matching for blocked applications so that they are matched on the recommended services. For Web applications, the recommended services are the Application Control Web browsing services.

If the match settings of the application are configured to Customize, the blocked application is matched on the customized services service. It is not matched on all ports.

To configure matching for blocked applications:

In SmartConsole, go to Manage & Settings > Blades > Application & URL Filtering > Advanced Settings > Application Port Match
Configure Match application on 'Any' port when used in 'Block' rule:
- Selected - This is the default. If an application is blocked in the Rule Base, the application is matched to Any port.
- Not selected - If an application is blocked in the Rule Base, the application is matched to the services that are configured in the application object of the application. However, some applications are still matched on Any. These are applications (Skype, for example) that do not limit themselves to a standard set of services.

Summary of Application Matching in a "Block" Rule

Application - Match Setting	Checkbox: Match web application on 'Any' port when used in 'Block' rule	Blocked Application is Matched on Service
Recommended services (default)	Selected (default)	Any
Recommended services (default)	Not selected	Recommended services
Customize	Not relevant	Customized
Any	Not relevant	Any

Creating Custom Applications, Categories, and Groups

You can create custom applications, categories or groups, which are not included in the Check Point Application Database.

To create a new application or site:

In the Security Policies view of SmartConsole, go to the Access Control Policy.
Select a Layer with Applications and URL Filtering enabled.
Right-click the Services & Applications cell for the rule and select Add New Items.

The Application viewer window opens.
Click New > Custom Applications/Site > Application/Site.
Enter a name for the object.

Enter one or more URLs.

If you used a regular expression in the URL, click URLs are defined as Regular Expressions.

Note - If the application or site URL is defined as a regular expression you must use the correct syntax. See sk165094.

Click OK.

Services and Applications on R77.30 and Lower Security Gateways, and after Upgrade

For Security Gateways R77.30 and lower:

The Security Gateway matches TCP and UDP services by port number. The Security Gateway cannot match services by protocol signature.
The Security Gateway matches applications by the application signature.

When you upgrade the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. to R80 and higher and the Security Gateways to R80.10 and higher, this change of behavior occurs:

Applications that were defined in the Application & URL Filtering Rule Base are accepted on their recommended ports

Content Column

You can add Data Types to the Content column of rules in the Access Control Policy.

To use the Content column, you must enable Content Awareness, in the General Properties page of the Security Gateway, and on the Layer.

A Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade. is a classification of data. The Security Gateway classifies incoming and outgoing traffic according to Data Types, and enforces the Policy accordingly.

You can set the direction of the data in the Policy to Download Traffic (into the organization), Upload Traffic (out of the organization), or Any Direction.

There are two kinds of Data Types: Content Types (classified by analyzing the file content) and File Types (classified by analyzing the file ID).

Content Type examples:

PCI - credit card numbers
HIPAA - Medical Records Number - MRN
International Bank Account Numbers - IBAN
Source Code - JAVA
U.S. Social Security Numbers - According to SSA
Salary Survey Terms

File type examples:

Viewer File - PDF
Executable file
Database file
Document file
Presentation file
Spreadsheet file

Notes:

The Content Awareness Check Point Software Blade on a Security Gateway that provides data visibility and enforcement. Acronym: CTNT. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. supports HTTP, HTTPS, SMTP, and FTP protocols on all ports. It is fully integrated with the Access Control unified Rule Base. Traffic over QUIC and WebSocket is not inspected . You can use 'Quic protocol' / 'WebSocket protocol' in a new Application rule to Drop or Allow this traffic.HTTP connections that are not RFC-compliant are not inspected.
The Content Awareness Software Blade does not match Binary Certificate *.cer files to the 'Certificates and Private Keys' Data Type.
Content Awareness and Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. (DLP) both use Data Types. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately.
If an inline layer has Archive File in the content column of the parent rule, and another value in the content column in one of the sub-rules (for example: Presentation File), then if the matched archive includes the other value (in this example: a presentation file), the rule is not matched. Use a regular rule for both content types.
If a content column of a rule includes the Compound Data Type Group or Traditional Data Type Group with an Archive File Data Type and another Data Type (for example: PCI - Credit Card Numbers), then if an archive file which contains a file with credit cards is uploaded or downloaded, the rule is not matched.
If a rule with Archive File in the content column is matched, and a lower rule in the Rule Base has a Data Type which is contained in the archive file, then the lower rule in the Rule Base is matched as well.

Limitations:

Content Awareness supports more than 60 character sets (charsets) for text files, including Japanese, Korean, Greek, and Arabic. If the inspected traffic does not include a supported charset, Content Awareness uses UTF-8 for decoding. To see the list of supported charsets, and to learn how to change the default charset, see sk116155.
Content Awareness supports Data Types based on file name. For specific HTTP traffic where the file name is not part of the URL or content-disposition header, the file name may be incorrect.

To learn more about the Data Types, open the Data Type object in SmartConsole and press the ? button (or F1 key) to see the Help.

To learn more about DLP, see the R82 Data Loss Prevention Administration Guide.

Actions

Action

Meaning

Accepts the traffic

Drop

Drops the traffic. The Security Gateway does not send a response to the originating end of the connection and the connection eventually does a time-out. If no UserCheck object is defined for this action, no page is displayed.

Ask

Asks the user a question and adds a confirmatory check box, or a reason box. Uses a UserCheck object.

Inform

Sends a message to the user attempting to access the application or the content. Uses a UserCheck object.

To see these actions, right-click and select More:

Reject

Rejects the traffic. The Security Gateway sends an RST packet to the originating end of the connection and the connection is closed.

UserCheck Frequency

Configure how often the user sees the configured message when the action is ask, inform, or block.

Confirm UserCheck

Select the action that triggers a UserCheck message:

Per rule - UserCheck message shows only once when traffic matches a rule.
Per category - UserCheck message shows for each matching category in a rule.
Per application/Site - UserCheck message shows for each matching application/site in a rule.
Per Data type - UserCheck message shows for each matching data type.

Limit

Limits the bandwidth that is permitted for a rule.

Add a Limit object to configure a maximum throughput for uploads and downloads.

Important:

After policy installation, a bandwidth limit is not enforced on a connection that is matched to an Access Control rule with the Action "Limit" in one of these scenarios:

The 'Keep all connections' option is selected in the security object
The 'Keep connections open after the policy has been installed' option is selected in the Service object used in this rule

Enable Identity Captive Portal

Redirects HTTP traffic to an authentication (captive) portal. After the user is authenticated, new connections from this source are inspected without requiring authentication.

Important - A rule that drops traffic, with the Source and Destination parameters defined as Any, also drops traffic to and from the Captive Portal.

Tracking Column

These are some of the Tracking options:

None - Do not generate a log.
Log -This is the default Track option. It shows all the information that the Security Gateway used to match the connection.
Accounting - Select this to update the log at 10 minute intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.

To Learn More About Tracking

To learn more about Tracking options, see the R82 Logging and Monitoring Administration Guide.