Configuring the Firewall Access Policy and Blade
These sections explain how to configure the Firewall Access Policy and Blades in a streamlined workflow. You can set the default Access Policy control level, set the default applications and URLs to block or allow for secure browsing, and configure User Awareness (the blade that associates users with IP addresses for logging and access control).
Follow these steps to set up and manage your organization's security policy effectively.
Getting Started with Firewall Access Policy Configuration
The Access Policy defines the security requirements for your firewall. It manages incoming, internal, and outgoing traffic and includes these components:
- Firewall Policy - Manages packet inspection rules.
- Application & URL Filtering - Controls Internet browsing and application usage.
Follow these steps to configure and manage your organization's security policy:
- Go to the Access Policy view > Firewall section > Blade Control page to configure the Firewall Access Policy. This is the interface to define the default policy for incoming, internal, and outgoing traffic to and from your organization. Configurations in the Firewall Blade Control page are shown as automatically generated system rules at the bottom of the Rule Base (all rules configured in a given Security Policy; synonym: Rulebase).
- To define manual rules that are exceptions to the default policy defined on this page, go to the Firewall Policy page. You can also define and view the rule-based policy there.
- On the Firewall Servers page, define the default access policy for specific servers within your organization and manage the automatically generated system rules.
Configuring the Firewall Access Policy
- Navigate to the Access Policy view > Firewall section > Blade Control page.
- Select one of these options to set the default Access Policy:
  - Strict - Blocks all traffic unless explicitly allowed. Use this option for maximum security. In this mode, your policy can only be defined through the Servers page and by manually defining access policy rules in the Access Policy > Firewall Policy page.
  - Standard - Default option. Allows outgoing traffic and internal communication, and blocks incoming unencrypted traffic from untrusted sources.
  - Off - Disables the firewall and allows unrestricted traffic. Manually defined rules are not applied. Do not use this option in secured environments.
Note - When Cloud Services manages the blade, a lock icon shows. You cannot toggle between the on and off states. If you change other policy settings, the change is only temporary: any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.

- Click the all services link.
- Select one of these:
  - Block all outgoing services except the following - Select which services to allow.
  - Allow all outgoing services - Allows every outgoing service.
- Click Save.
- Go to the Access Policy > Firewall > Blade Control page and add manual rules for exceptions or specific requirements:
  - If no manual rules are configured, click the Firewall Policy link to add manual rules to the Firewall policy.
  - To view and modify existing rules, click manual rules.
- Click Servers to see how many servers are defined in the appliance and to define server-specific policies. A server object is an IP address that can have a specific access policy assigned to it.
  - If no servers are configured, click Add a server.
  - Define NAT rules if applicable (for example, port forwarding).
Automatically generated access rules to servers are created above the default policy rules and can be seen in the Access Policy > Firewall Policy page. You can also create exception rules for servers.
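The following is an added example, not Check Point's code, that models how the rule base described in this procedure resolves a connection: first-match evaluation, manual exception rules and auto-generated server rules above the default policy rules, and the three default modes (Strict blocks everything not explicitly allowed, Standard allows outgoing and internal traffic and blocks incoming, Off disables the firewall and ignores manual rules). The internal address ranges, the sample rule names, the placement of manual rules above server rules, and the treatment of "Block all outgoing services except the following" as a per-service allow list followed by a block rule are assumptions for the illustration.

```python
"""Illustrative model of the Access Policy rule base described above.

Added example, not Check Point's implementation. Assumptions: rules are
evaluated top-down with first match winning; the order is manual rules,
then auto-generated server rules, then the default policy rules; the
internal networks below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal address space; any other address is "external".
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


def zone(addr: str) -> str:
    ip = ip_address(addr)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def direction(src: str, dst: str) -> str:
    """Classify a connection as internal, outgoing or incoming from its endpoints."""
    src_zone, dst_zone = zone(src), zone(dst)
    if src_zone == "internal" and dst_zone == "internal":
        return "internal"
    return "outgoing" if src_zone == "internal" else "incoming"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "any", a zone name ("internal"/"external"), or a CIDR
    dst: str
    service: str  # "any" or e.g. "tcp/443"
    action: str   # "accept" or "drop"

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec in ("internal", "external"):
            return zone(addr) == spec
        return ip_address(addr) in ip_network(spec)

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (self._addr_match(self.src, src)
                and self._addr_match(self.dst, dst)
                and self.service in ("any", service))


def default_rules(mode: str, allowed_outgoing=None):
    """Auto-generated rules that sit at the bottom of the rule base.

    allowed_outgoing=None models "Allow all outgoing services"; a set of
    services models "Block all outgoing services except the following".
    """
    if mode == "strict":
        # Strict: nothing passes unless a manual or server rule allows it.
        return [Rule("default: block all", "any", "any", "any", "drop")]
    if mode == "standard":
        rules = []
        if allowed_outgoing is None:
            rules.append(Rule("default: allow outgoing", "internal", "external", "any", "accept"))
        else:
            rules += [Rule(f"default: allow outgoing {svc}", "internal", "external", svc, "accept")
                      for svc in sorted(allowed_outgoing)]
            rules.append(Rule("default: block outgoing", "internal", "external", "any", "drop"))
        rules.append(Rule("default: allow internal", "internal", "internal", "any", "accept"))
        rules.append(Rule("default: block incoming", "external", "internal", "any", "drop"))
        return rules
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(mode, src, dst, service, manual_rules=(), server_rules=(), allowed_outgoing=None):
    """Return (action, matched rule name) for one connection; first match wins."""
    if mode == "off":
        # Off disables the firewall entirely, so manual rules are not enforced.
        return "accept", "firewall off"
    rule_base = list(manual_rules) + list(server_rules) + default_rules(mode, allowed_outgoing)
    for rule in rule_base:
        if rule.matches(src, dst, service):
            return rule.action, rule.name
    return "drop", "implicit cleanup"


if __name__ == "__main__":
    # A server object for 10.0.0.5 publishing HTTPS, as the Servers page would generate.
    web_server = [Rule("server: web", "any", "10.0.0.5/32", "tcp/443", "accept")]
    print(evaluate("standard", "203.0.113.9", "10.0.0.5", "tcp/443", server_rules=web_server))
    print(evaluate("standard", "203.0.113.9", "10.0.0.5", "tcp/22", server_rules=web_server))
    print(evaluate("strict", "10.0.1.7", "93.184.216.34", "tcp/443"))
```

Running the module shows the server rule admitting inbound HTTPS to 10.0.0.5 while SSH to the same host falls through to the Standard-mode block-incoming rule, and Strict mode dropping an outbound HTTPS connection that has no manual rule allowing it.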
Application & URL Filtering
In the Application & URL Filtering section you can define how to handle applications and URL categories on traffic from your organization to the Internet. (Application & URL Filtering, acronym URLF, is the Check Point Software Blade that gives granular control over which web sites can be accessed by a given group of users, computers, or networks.)
Application & URL Filtering are service-based features and require Internet connectivity to download the latest signature package for new applications and to contact the Check Point cloud for URL categorization.
Best Practice - We recommend that you block browsing to security risk categories and applications by default.
You can configure additional applications and categories to block by default according to your company's policy. You can also limit bandwidth consumption by specific applications to improve bandwidth control.
- In the Access Policy > Firewall > Blade Control page, go to the Application and URL Filtering section.
- Select the applicable options:
  - Block security risk categories - Block applications and URLs that can be a security risk and are categorized as spyware, phishing, botnet, spam, anonymizer, or hacking. This option is selected by default.
  - Block inappropriate content - Block Internet access to websites with inappropriate content such as sex, violence, weapons, gambling, and alcohol.
  - Block file sharing applications - Block file sharing from typically illegal sources such as torrents and peer-to-peer applications.
  - Block other undesired applications - Click this option to manage your basic Application & URL Filtering policy. Manually add and block applications or categories of URLs in a group of undesired applications. You can also create a new URL or application if it is not in the database.
  - Limit bandwidth consuming applications - Applications that use a lot of bandwidth can degrade the performance of important business applications. This option gives accelerated QoS (bandwidth control) for applications. When you select this option, P2P file sharing, media sharing, and media streams are selected by default, but you can edit the group to add applications or categories whose bandwidth consumption you want to limit.
  Note - You must set the maximum bandwidth limit according to the upload and download bandwidth of your Internet connection. Consult your ISP for this information. For the limit to be effective, it must be lower than the actual bandwidth supplied by your ISP. Upload and download bandwidths are usually not the same.
A further option enforces rules based only on URL categories. In this mode:
- Predefined applications are not blocked.
- Custom applications and URLs are enforced.
The default policy defined here is shown as automatically generated rules at the bottom of the Outgoing traffic Rule Base in the Access Policy > Firewall Policy page.
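As an added example (not Check Point's code), the following models the default blocking decisions above, including the URL-category-only mode in which predefined applications are not blocked but custom applications and URLs still are. The category names come from the text; the sample hosts and application names, the field layout, and the order in which the checks are applied are assumptions.

```python
"""Illustrative model of the default Application & URL Filtering decisions.

Added example, not Check Point's implementation. The category groups follow
the Blade Control options described above; hosts, application names and the
precedence of checks (custom entries first, then URL categories, then
application matches) are assumptions for the illustration.
"""
from dataclasses import dataclass

# Category groups behind the Blade Control checkboxes (names from the text).
SECURITY_RISK = frozenset({"spyware", "phishing", "botnet", "spam", "anonymizer", "hacking"})
INAPPROPRIATE = frozenset({"sex", "violence", "weapons", "gambling", "alcohol"})
FILE_SHARING = frozenset({"torrents", "peer-to-peer"})


@dataclass
class UrlfPolicy:
    block_security_risk: bool = True          # selected by default
    block_inappropriate: bool = False
    block_file_sharing: bool = False
    undesired_apps: frozenset = frozenset()   # "Block other undesired applications" group
    custom_blocked: frozenset = frozenset()   # custom URLs/applications not in the database
    url_categories_only: bool = False         # predefined applications are not blocked

    def blocked_categories(self) -> frozenset:
        cats = set()
        if self.block_security_risk:
            cats |= SECURITY_RISK
        if self.block_inappropriate:
            cats |= INAPPROPRIATE
        if self.block_file_sharing:
            cats |= FILE_SHARING
        return frozenset(cats)


@dataclass(frozen=True)
class WebRequest:
    host: str
    url_categories: frozenset   # categories URL categorization returned (constructed)
    application: str = ""       # predefined application matched by signature, if any
    app_category: str = ""      # that application's primary category


def decide(policy: UrlfPolicy, req: WebRequest):
    """Return (action, reason). Custom entries are enforced in every mode."""
    if req.host in policy.custom_blocked or req.application in policy.custom_blocked:
        return "block", "custom entry"
    hit = req.url_categories & policy.blocked_categories()
    if hit:
        return "block", f"URL category: {sorted(hit)[0]}"
    # Predefined application matches only count outside URL-category-only mode.
    if req.application and not policy.url_categories_only:
        if req.application in policy.undesired_apps:
            return "block", f"undesired application: {req.application}"
        if req.app_category in policy.blocked_categories():
            return "block", f"application category: {req.app_category}"
    return "allow", "no matching block"


if __name__ == "__main__":
    policy = UrlfPolicy(block_file_sharing=True, custom_blocked=frozenset({"blocked.example"}))
    torrent = WebRequest("tracker.example", frozenset({"computers"}),
                         application="ExampleTorrent", app_category="torrents")
    print(decide(policy, torrent))                       # blocked via the application's category
    policy.url_categories_only = True
    print(decide(policy, torrent))                       # allowed: predefined apps not enforced
    print(decide(policy, WebRequest("blocked.example", frozenset())))  # custom entry still blocked
```

The main block shows the practical consequence of the URL-category-only mode: a torrent client whose only identification is an application signature passes, while a custom entry is blocked in both modes.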
Tracking and Logs
To configure traffic logging:
- On the Access Policy > Firewall > Blade Control page, go to the Tracking section.
- Specify the log options:
  - Blocked traffic - Options: All, Outgoing, Incoming, and Internal
  - Allowed traffic - Options: All, Outgoing, Incoming, and Internal
User Awareness
Configure the appliance to enforce access control for individual users and groups and to show user-based logs instead of IP address-based logs.
- Click Configure to set up how User Awareness recognizes users. When this is configured, you can see users in logs and also configure user-based Access Policy rules.
  - If User Awareness is configured, the Enable User Awareness checkbox appears. To disable User Awareness, clear the checkbox.
  - To make changes to the configuration, click Edit settings.
- Use AD-based authentication for seamless user recognition. The user database and authentication are all handled by the AD server. When a user logs in to the AD server, the appliance is notified. Users from the AD server can be used as the Source in Access Policy rules. To define an AD server, click Active Directory servers. You can also create an AD server in the Edit settings wizard.
- Enable Browser-Based Authentication for manually added local users. Users can be defined locally in the Users & Objects > Users page with a password. For the appliance to recognize the traffic of those users, you must configure Browser-Based Authentication and the specific destinations for which they must first identify themselves before access is granted. Browser-Based Authentication is not usually used for all traffic but only for specific destinations, because it requires the end user to log in manually through a dedicated portal.
Updates
To ensure accurate URL categorization and application recognition, make sure your database is updated regularly.

- Verify the update status under Application and URL Filtering > Update Status. Possible values:
  - Up to date
  - Update service unreachable - This is usually due to a loss of Internet connectivity. Check your Internet connection in the Device > Internet page and contact your ISP if the problem persists.
  - Not up to date - A new update package is ready to be downloaded but the scheduled hour for updates has not yet occurred. Updates are usually scheduled for off-peak hours (weekends or nights).
- Schedule updates:
  - Hover over the icon next to the update status and click Schedule Updates.
  - Select the blades for which to schedule updates. You must manually update the remaining blades when new update packages are available and a Not up to date message is shown in the status bar at the bottom of the WebUI.
  - Select a Recurrence time frame:
    - Hourly - Enter the time interval for Every x hours.
    - Daily - Select the Time of day.
    - Weekly - Select the Day of week and Time of day.
    - Monthly - Select the Day of month and Time of day.
  - Click Save.
Additional Information
The Check Point Application Database contains more than 4,500 applications and 96 million categorized URLs.
Each application has a description, a category, additional categories, and a risk level. You can include applications and categories in your Application Control (APPI, the blade that gives granular control over specific web-enabled applications by using deep packet inspection) and URL Filtering rules. If your appliance is licensed for the Application Control & URL Filtering blades, the database is updated regularly with new applications, categories, and social networking widgets. This lets you easily create and maintain an up-to-date policy.
You can see the Application Database from these links in the WebUI:
- Block other undesired applications
- Applications & URLs - This opens the Users & Objects > Applications & URLs page.
- Check Point AppWiki - Use this tool to search and filter the Application & URL Filtering Database.