Configuring the Firewall Access Policy and Blade

In the Access Policy > Firewall Blade Control page you can set the default Access Policy control level, set which applications and URL categories are blocked by default so that browsing stays secure, and configure User Awareness.

The Access Policy is a set of rules that defines the security requirements for your appliance for incoming, internal, and outgoing traffic.

The Access Policy includes:

  • Firewall Policy - Defines how to inspect packets.

  • Applications & URL Filtering - Defines how to control Internet browsing and application usage.

The Access Policy > Firewall Blade Control page lets you easily define the default policy for your organization. In addition, you can define and view the rule-based policy in the Access Policy > Firewall Policy page. Configurations in the Firewall Blade Control page are shown as automatically generated system rules at the bottom of the Rule Base. We recommend that you use the Access Policy > Firewall Policy page to define manual rules that are exceptions to the default policy defined in this page.

The Access Policy > Firewall Blade Control page defines the default policy for incoming, internal, and outgoing traffic to and from your organization. In addition, the Access Policy > Firewall Servers page lets you easily define the default access policy for specific servers within your organization; these server settings are also enforced as automatically generated system rules.

Firewall Policy

Select one of these options to set the default Access Policy:

  • Strict

    Blocks all traffic, in all directions, by default. In this mode, your policy can only be defined through the Servers page and by manually defining access policy rules in the Access Policy > Firewall Policy page.

  • Standard

    • Allows outgoing traffic to the Internet on configured services. Click the services link to allow all outgoing services or only the services you specify.

    • Allows traffic between internal networks and trusted wireless networks (in applicable devices).

    • Blocks incoming unencrypted traffic from the Internet (traffic from outside your organization to it).

      The Standard policy option is the default level and is recommended for most cases. Keep it unless you have a specified need for a higher or lower security level.

  • Off

    Allows all traffic. When the firewall is deactivated, your network is not secured. Manually defined rules are not applied.

Note - When the blade is managed by Cloud Services, a lock icon is shown and you cannot toggle between the on and off states. If you change other policy settings, the change is temporary: any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

To set specified outgoing services in a standard Firewall policy:

  1. When the Access Policy control level is set to Standard, click all services.

  2. Select one of these options:

    • Allow all outgoing services.

    • Block all outgoing services except the following, and then select the services to allow.

  3. Click Apply.

To manually configure Access Policy rules:

Go to the Access Policy > Firewall Policy page.

In the Access Policy > Firewall Blade Control page:

  • When no manual rules are configured, you can click the Firewall Policy link to add manual rules to the Firewall policy.
  • When manual rules are configured, the page shows the number of rules that were added. Click manual rules to see them in the Access Policy > Firewall Policy page.

Click Servers to see how many servers are defined in the appliance. If no servers are configured, click Add a server to add one. A server object is a defined IP address for which you can define a specific access policy and, if necessary, incoming NAT rules (for example, port forwarding). Automatically generated access rules to servers are created above the default policy rules and can be seen in the Access Policy > Firewall Policy page. You can also create exception rules for servers in the Access Policy > Firewall Policy page.
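The ordering described above, together with the Tracking settings described later on this page, as a model you can run. This is an added example written for this page, not Check Point code: it places manual exception rules on top, automatically generated server rules below them, and the automatically generated default-policy rules at the bottom, with the first matching rule deciding. The Packet, Server and Rule types, the service names, the IP addresses, and the assumption that only the default-policy rules are governed by the Tracking settings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

INCOMING, INTERNAL, OUTGOING = "incoming", "internal", "outgoing"


@dataclass(frozen=True)
class Packet:
    direction: str   # incoming / internal / outgoing
    service: str     # e.g. "https", "ssh"
    dst: str = ""    # destination IP, matched against server objects


@dataclass(frozen=True)
class Server:
    name: str
    ip: str
    allowed_services: frozenset  # services the Servers page allows from the Internet


@dataclass
class Rule:
    name: str
    action: str                           # "accept" or "drop"
    direction: Optional[str] = None       # None matches any direction
    services: Optional[frozenset] = None  # None matches any service
    dst: Optional[str] = None             # None matches any destination IP
    auto: bool = False                    # automatically generated system rule
    tracked: bool = False                 # governed by the Tracking settings (assumption:
                                          # only the default-policy rules are)

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.services is None or p.service in self.services)
                and (self.dst is None or self.dst == p.dst))


def default_rules(mode: str, outgoing_services: Optional[Iterable[str]] = None):
    """Rules the Firewall Policy level generates at the bottom of the rule base."""
    if mode == "Off":
        return [Rule("off: allow all", "accept", auto=True)]
    if mode == "Strict":
        return [Rule("strict: block all", "drop", auto=True, tracked=True)]
    if mode == "Standard":
        # None means "Allow all outgoing services"; a set means
        # "Block all outgoing services except the following".
        svc = None if outgoing_services is None else frozenset(outgoing_services)
        return [
            Rule("standard: allow outgoing", "accept", OUTGOING, svc, auto=True, tracked=True),
            Rule("standard: allow internal", "accept", INTERNAL, auto=True, tracked=True),
            Rule("standard: block incoming", "drop", INCOMING, auto=True, tracked=True),
            Rule("standard: cleanup", "drop", auto=True, tracked=True),
        ]
    raise ValueError(f"unknown Firewall Policy level: {mode}")


def build_rule_base(mode, outgoing_services=None, servers=(), manual=()):
    """Manual exceptions first, then server rules, then the default rules."""
    if mode == "Off":
        return default_rules(mode)  # firewall deactivated: manual rules are not applied
    server_rules = [
        Rule(f"server {s.name}: allow {svc}", "accept", INCOMING, frozenset({svc}), s.ip, auto=True)
        for s in servers for svc in sorted(s.allowed_services)
    ]
    return list(manual) + server_rules + default_rules(mode, outgoing_services)


def evaluate(rule_base, packet: Packet) -> Rule:
    """First match wins; the generated defaults always end in a cleanup rule."""
    for rule in rule_base:
        if rule.matches(packet):
            return rule
    raise RuntimeError("no rule matched: the rule base has no cleanup rule")


def should_log(rule: Rule, packet: Packet, blocked="All", allowed="All") -> bool:
    """Tracking settings (All / Outgoing / Incoming and internal), chosen per action.

    They apply only to the default automatically generated rules; manual rules
    and the VPN, DMZ and wireless system rules are outside their scope.
    """
    if not rule.tracked:
        return False
    scope = blocked if rule.action == "drop" else allowed
    if scope == "All":
        return True
    if scope == "Outgoing":
        return packet.direction == OUTGOING
    if scope == "Incoming and internal":
        return packet.direction in (INCOMING, INTERNAL)
    raise ValueError(f"unknown tracking scope: {scope}")


# Constructed scenario: Standard level with only web and mail allowed out, one
# published web server, and a manual exception that blocks outbound SMTP.
WEB = Server("web1", "192.0.2.10", frozenset({"https"}))
BLOCK_SMTP = Rule("manual: block outbound smtp", "drop", OUTGOING, frozenset({"smtp"}))
STANDARD = build_rule_base("Standard", {"http", "https", "smtp"}, [WEB], [BLOCK_SMTP])
```

Two points worth noticing in the model. The Off branch discards the manual rules entirely, which is what the page means by "manually defined rules are not applied". In Strict mode the only rules that can accept anything are the server rules and the manual rules that sit above the block-all rule, so a server object or a manual rule is the only way to open a service.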

Applications & URL Filtering

The Applications & URL Filtering section lets you define how to handle applications and URL categories on traffic from your organization to the Internet.

Applications and URL Filtering are service-based features and require Internet connectivity to download the latest signature package for new applications and to contact the Check Point cloud for URL categorization. This page lets you define the default policy for Applications & URL Filtering control. By default, browsing to security risk categories and applications is blocked, and we recommend that you keep this setting. You can also configure additional applications and categories to block by default according to your company's policy. In addition, you can select to limit bandwidth-consuming applications for better bandwidth control.

In addition to the On and Off buttons, you can select the URL Filtering Only mode. When you select this option, only URLs and custom applications defined by URLs are blocked. Predefined applications, whether initially installed on the appliance or added with automatic updates, are not blocked.

When you select the URL Filtering Only mode:

  • Rules that contain URLs are enforced. Predefined applications inside those rules are not enforced.
  • Rules that contain custom URLs and custom applications are enforced.
  • Rules that contain application groups with both predefined applications and URLs are enforced only for the URLs and custom applications. They are not enforced for the predefined applications.
  • Applications are not updated through the automatic updates.
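The four statements above, as an added example that is not Check Point code. It reduces a rule's matching objects to the ones that are enforced in each mode and then checks a connection against them, so that a predefined application signature stops matching in URL Filtering Only mode while URLs and URL-defined custom applications keep matching, including inside groups. The URL, CustomApp, PredefinedApp and AppGroup types, the host-pattern matching with fnmatch, and the BitTorrent, tracker and intranet sample objects are assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Tuple

ON, OFF, URL_ONLY = "On", "Off", "URL Filtering Only"


@dataclass(frozen=True)
class URL:
    pattern: str                # host pattern, e.g. "*.tracker.example"


@dataclass(frozen=True)
class CustomApp:
    name: str
    urls: Tuple[str, ...]       # a custom application is defined by its URLs


@dataclass(frozen=True)
class PredefinedApp:
    name: str                   # from the Application Database or automatic updates


@dataclass(frozen=True)
class AppGroup:
    name: str
    members: tuple              # any mix of the types above, including nested groups


@dataclass(frozen=True)
class Connection:
    host: str                   # destination host of the request
    app: Optional[str] = None   # predefined application identified by signature, if any


def flatten(obj):
    """Expand groups (recursively) into their leaf objects."""
    if isinstance(obj, AppGroup):
        return [leaf for m in obj.members for leaf in flatten(m)]
    return [obj]


def enforced_members(rule_objects, mode):
    """Leaf objects the blade actually enforces for a rule in the given mode."""
    if mode == OFF:
        return []
    leaves = [leaf for obj in rule_objects for leaf in flatten(obj)]
    if mode == ON:
        return leaves
    if mode == URL_ONLY:
        # Predefined applications drop out; URLs and URL-defined custom apps stay.
        return [leaf for leaf in leaves if not isinstance(leaf, PredefinedApp)]
    raise ValueError(f"unknown Applications & URL Filtering mode: {mode}")


def leaf_matches(leaf, conn: Connection) -> bool:
    if isinstance(leaf, URL):
        return fnmatch(conn.host, leaf.pattern)
    if isinstance(leaf, CustomApp):
        return any(fnmatch(conn.host, u) for u in leaf.urls)
    if isinstance(leaf, PredefinedApp):
        return conn.app == leaf.name
    raise TypeError(f"not a leaf object: {type(leaf).__name__}")


def rule_blocks(rule_objects, mode, conn: Connection) -> bool:
    """True when a block rule built from rule_objects applies to conn in this mode."""
    return any(leaf_matches(leaf, conn) for leaf in enforced_members(rule_objects, mode))


# Constructed block rule: a group mixing a nested predefined-application group,
# a URL pattern and a URL-defined custom application.
UNDESIRED = AppGroup("undesired", (
    AppGroup("p2p", (PredefinedApp("BitTorrent"), PredefinedApp("eMule"))),
    URL("*.tracker.example"),
    CustomApp("old-intranet", ("legacy.corp.example",)),
))
BLOCK_RULE = [UNDESIRED]
```

The practical consequence is the one the page warns about: a rule that looks like it blocks peer-to-peer traffic still blocks the tracker hosts in URL Filtering Only mode, but a BitTorrent connection to an arbitrary peer passes, because the only thing that could have identified it was a predefined application signature.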

The default policy defined here is shown as automatically generated rules at the bottom of the Outgoing traffic Rule Base in the Access Policy > Firewall Policy page.

Select one or more of these options:

  • Block security risk categories - Lets you block applications and URLs that can be a security risk and are categorized as spyware, phishing, botnet, spam, anonymizer, or hacking. This option is selected by default.
  • Block inappropriate content - Lets you control content by blocking Internet access to websites with inappropriate content such as sex, violence, weapons, gambling, and alcohol.
  • Block file sharing applications - Lets you block file sharing through torrent and other peer-to-peer applications, which are commonly used to distribute content from illegal sources.
  • Block other undesired applications - Lets you manually add and block applications or categories of URLs to a group of undesired applications. You can also create a new URL or application if it is not in the database. Click this option to manage your basic Application & URL Filtering policy that sets what to block. For a more granular policy, go to the Access Policy > Firewall Policy page.
  • Limit bandwidth consuming applications - Applications that use a lot of bandwidth can decrease the performance available to important business applications. This option gives accelerated QoS (bandwidth control) for applications. When you select this option, P2P file sharing, media sharing, and media streams are selected by default, but you can edit the group to add applications or categories whose bandwidth consumption you want to limit. It is important to set the maximum bandwidth limit according to the actual upload and download bandwidth of your Internet connection; consult your ISP for these values. For the limit to be effective, it must be lower than the bandwidth your ISP actually supplies. Upload and download bandwidths are usually not the same.

Updates

As a service based feature, this page also shows you the update status:

  • Up to date
  • Update service unreachable - This usually results from a loss of Internet connectivity. Check your Internet connection in the Device > Internet page and contact your ISP if the problem persists.
  • Not up to date - A new update package is ready to be downloaded but the scheduled hour for updates has not occurred yet. Updates are usually scheduled for off-peak hours (weekends or nights).

To schedule updates:

  1. Hover over the icon next to the update status and select the Schedule Updates link.

  2. Select the blades for which to schedule updates. You must manually update the remaining blades when new update packages are available and a "not up to date" message is shown in the status bar at the bottom of the WebUI application.

  3. Select a Recurrence time frame:

    • Hourly - Enter the time interval for Every x hours.

    • Daily - Select the Time of day.

    • Weekly - Select the Day of week and Time of day.

    • Monthly - Select the Day of month and Time of day.

  4. Click Apply.

User Awareness

User Awareness lets you configure the Check Point Appliance to enforce access control for individual users and groups and show user-based logs instead of IP address based logs.

Initially, click Configure to set up how User Awareness recognizes users. When this is configured, you can see users in logs and also configure user based Access Policy rules. User recognition can be done seamlessly by the appliance using your organization's AD server. The user database and authentication are all done through the AD server. When a user logs in to the AD server, the appliance is notified. Users from the AD server can be used as the Source in Access Policy rules.

Alternatively or in addition, users can be defined locally in the Users & Objects > Users page with a password. For the appliance to recognize the traffic of those users, you must configure Browser-Based Authentication and the specific destinations for which users must identify themselves before they can access them. Normally, Browser-Based Authentication is not used for all traffic, but rather for specific destinations, because it requires a manual login by the end user through a dedicated portal.

If User Awareness has been configured, the Enable User Awareness checkbox is shown. To disable User Awareness, clear the checkbox. To make changes to the configuration, click Edit settings.

At any time, you can also click Active Directory servers to define an AD server that the gateway can work with. Creating an AD server is also available in the Edit settings wizard.
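Identity-aware matching as the User Awareness section describes it, as an added example that is not Check Point code. It keeps an IP-to-user table that is filled either from AD logon notifications or from a portal login checked against locally defined users, sends unidentified traffic to the portal only for the destinations that require it, matches user-based rules on the identified user, and returns the user instead of the IP address for logging. The class and function names, the salted PBKDF2 storage of local passwords, and the sample users, addresses and hostnames are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    user: str
    source: str   # "ad": learned when the user logged in to the AD server
                  # "portal": authenticated through Browser-Based Authentication


class LocalUsers:
    """Users defined locally in Users & Objects > Users with a password.

    Only a salted PBKDF2 hash of each password is kept; this is a choice made
    for the example, the page does not describe the appliance's own storage.
    """
    def __init__(self):
        self._store = {}

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._store[user] = (salt, self._digest(salt, password))

    def verify(self, user: str, password: str) -> bool:
        rec = self._store.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(salt, password))


class IdentityTable:
    """IP address -> identity, which is what user-based rules need to match on."""
    def __init__(self):
        self._by_ip = {}

    def ad_logon(self, ip: str, user: str) -> None:
        # The AD server notifies the appliance of the logon; no local password is involved.
        self._by_ip[ip] = Identity(user, "ad")

    def portal_login(self, ip: str, user: str, password: str, local: LocalUsers) -> bool:
        # Browser-Based Authentication: the end user logs in manually through the portal.
        if not local.verify(user, password):
            return False
        self._by_ip[ip] = Identity(user, "portal")
        return True

    def lookup(self, ip: str) -> Optional[Identity]:
        return self._by_ip.get(ip)


@dataclass(frozen=True)
class UserRule:
    name: str
    source_users: frozenset   # user names (AD or local) used as the rule's Source
    destination: str
    action: str               # "accept" or "drop"


def decide(table: IdentityTable, rules, portal_destinations, src_ip: str, dst: str):
    """Return (action, rule) for a connection from src_ip to dst.

    Unidentified traffic to a destination that requires Browser-Based
    Authentication is sent to the portal first; unidentified traffic to any
    other destination simply matches no user-based rule.
    """
    ident = table.lookup(src_ip)
    if ident is None and dst in portal_destinations:
        return "redirect-to-portal", None
    for rule in rules:
        if rule.destination == dst and ident is not None and ident.user in rule.source_users:
            return rule.action, rule
    return "no-user-rule", None


def log_subject(table: IdentityTable, ip: str) -> str:
    """User-based log field: the user and identity source once known, otherwise the IP."""
    ident = table.lookup(ip)
    return f"{ident.user} ({ident.source})" if ident else ip


# Constructed scenario: one user-based rule and one destination that requires
# identification through the portal before access.
RULES = [UserRule("finance access", frozenset({"alice", "bob"}), "finance.corp.example", "accept")]
PORTAL_DESTINATIONS = {"finance.corp.example"}
```

The distinction the page draws is visible in decide(): a host that has not identified itself is redirected only when it targets a portal destination, so an AD-joined workstation never sees the portal, and a host that is not in the table still reaches destinations that were not marked as requiring identification, just without matching any user-based rule.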

Tracking

Select which traffic to log:

For blocked traffic

  • All

  • Outgoing

  • Incoming and internal

For allowed traffic

  • All

  • Outgoing

  • Incoming and internal

These settings apply to all the incoming and outgoing traffic blocked or accepted by the default Firewall and Applications & URL Filtering automatically generated rules.

These settings do not apply to automatically generated rules for VPN, DMZ, and wireless networks.

More Information

The Check Point Application Database contains more than 4,500 applications and about 96 million categorized URLs.

Each application has a description, a category, additional categories, and a risk level. You can include applications and categories in your Application Control and URL Filtering rules. If your appliance is licensed for the Application Control & URL Filtering blades, the database is updated regularly with new applications, categories and social networking widgets. This lets you easily create and maintain an up to date policy.

You can see the Application Database from:

  • The Block other undesired applications link.

  • The Applications & URLs link - This opens the Users & Objects > Applications & URLs page.

  • The Check Point AppWiki link - The AppWiki is an easy to use tool that lets you search and filter the Application and URL Filtering Database.