Working with the Firewall Access Policy
Firewall Policy
In the Access Policy tab > Firewall section > Policy page, you can manage the Firewall Rule Base (all rules configured in a given Security Policy; also called the Rulebase). You can create, edit, delete, enable or disable rules.
In the Access Policy tab > Blade Control page you determine the basic firewall policy mode:
- In Standard mode, this page shows you both automatically generated rules based on the configuration of your default policy and manually defined rules as exceptions to this default policy.
- In Strict mode, all access is blocked by default and this page is the only way to configure access rules for your organization.
The Rule Base (a set of traffic parameters and other conditions that cause specified actions to be taken for a communication session) is divided into two sections. Each section represents a different security policy: how your organization browses to the Internet (the world outside your organization), and the policy for access to your organization's resources (both from within and from outside your organization). At the top of the page there are three links that let you see both sections or only one of them.
- Outgoing access to the Internet - For all outgoing traffic rules. In this Rule Base you determine the policy for access to the Internet outside your organization. Commonly the policy here is to allow the basic traffic, but you can block applications and URLs at your company's discretion. In the Access Policy > Firewall Blade Control page you can configure the default policy to block applications and URLs. This page lets you add manual rules as exceptions to the default policy. You can also customize the messages that are shown to users for specified websites when they are blocked or accepted by the Rule Base (see below). You can also use an Ask action for applications or URLs, which lets the end user decide whether the browsing is for work-related purposes or not. For example, we recommend that you add a rule that asks users before they browse to uncategorized URLs. Such a rule can disrupt possible bot attacks.
- Incoming, internal and VPN traffic - For all incoming, internal and VPN traffic rules. In this Rule Base, you determine the policy for access to your organization's resources. All internal networks, wireless networks, and external VPN sites are considered part of your organization, and traffic to them is inspected in this Rule Base. Commonly the policy here is to block traffic from outside your organization into it and to allow traffic within your organization.
In Standard mode, you can configure a more granular default policy in various pages:
- Traffic from specific sources into your organization can be blocked or accepted by default. This configuration can be found in each specific source's edit mode:
  - External VPN sites - Configure default access from the VPN > Site to Site Blade Control page.
  - Remote Access VPN users (remote access clients, such as Endpoint Security VPN, connected through an encrypted tunnel to the Security Gateway) - Configure default access from the VPN > Remote Access Blade Control page.
  - Wireless networks - Configure default access for each wireless network from the Access tab in each wireless network's edit window in the Device > Wireless Network page.
  - DMZ network - Configure default access from the DMZ object's edit window in the Device > Local Network page.
    Note - DMZ is not supported in 1530 / 1550 appliances.
- Traffic to defined server objects, as configured in each server's edit window in the Access Policy > Firewall Servers page.
This page lets you add manual rules as exceptions to the default policy. In Strict mode, the default policy blocks everything and you configure access only through manual rules.
Within each section there are these groups of rules:
- Manual Rules - Rules that you create manually.
- Auto Generated Rules - Rules that the system determines based on the Firewall Policy mode (Strict or Standard) as explained above. These rules are also influenced by other elements in the system. For example, when you add a server, a corresponding rule is added to the Incoming, internal and VPN traffic section.
These are the fields that manage the rules for the Firewall Access Policy:

Rule Base Field | Description
---|---
No. | Rule number in the Firewall Rule Base.
Name | Rule name.
Hits | Displays the Hit Count, the number of connections that each security rule in the Access Rule Base matched during a specified time frame. To select the time frame (1, 7 or 30 days): in the top toolbar of the Outgoing Internet Access Rules or the Incoming, Internal and VPN Traffic table, click More > Hit Count settings > Hit Count report time frame.
Source | IP address, network object, user group, or domain object that initiates the connection. Starting in R81.10.15, you can have a maximum of 100 sources in the same rule.
Destination | IP address or network object that is the target of the connection. Starting in R81.10.15, you can have a maximum of 100 destinations in the same rule.
Applications and Services | Applications, web sites and network services that are accepted or blocked. You can filter the list by common applications, categories, custom defined applications, URLs or groups. For more information, see Managing Applications & URLs. This field is shown only in the Outgoing access to the Internet section. Starting in R81.10.15, you can have a maximum of 100 applications and services in the same rule.
Action | Firewall action that is taken when traffic matches the rule: Accept or Block. For outgoing traffic rules, you can use the Customize messages option to configure "Ask" (a UserCheck action that blocks the traffic and shows a UserCheck message; the user can agree to allow the activity) or "Inform" actions in addition to the regular Block or Accept actions. The messages shown can be set for these action types (see Customizing Messages below). If a time range is set for the rule, a clock icon is displayed.
Log | The tracking and logging action that is taken when traffic matches the rule.
Comment / Details | Shown immediately below the above fields for:
The "Ask" action
The outgoing Rule Base gives the option to set an Ask action, instead of just Accept or Block, for browser-based applications. There are several common cases where this is helpful:
- This action can be used for traffic that is normally not allowed in your organization but that you want to be available for work-related purposes. End users are asked whether they need to browse for work-related purposes and can continue without the administrator having to change the access policy for this single event. For example, traffic to Facebook is generally blocked, but you want your HR department to be able to access it for work-related purposes.
- Using this action for traffic to uncategorized URLs also gives protection against malware that managed to get installed inside your organization: such malware does not respond to the Ask prompt, so its traffic is blocked.
Configuring Access Rules
To create a new manually defined access rule:
- Click the arrow next to New. When the page shows both Rule Bases, click New in the appropriate table.
- Click one of the available positioning options for the rule: Top Rule, Bottom Rule, Above Selected, or Under Selected.
  The Add Rule window opens. It shows the rule fields in two ways:
  - A rule summary sentence with default values.
  - A table with the rule base fields.
- Click the links in the rule summary or the table cells to select the network objects or options that fill out the rule base fields. See the field descriptions above.
  Note - The Application field applies only to outgoing rules.
  In the Source field, you can choose between entering a manual IP address (network), a network object, a domain object, or a user group. To configure a user-based policy, make sure the User Awareness blade (a Check Point software blade that associates users with IP addresses for logging and control purposes) is activated. Users can be defined locally on the appliance or externally in an Active Directory. For more details, see the Access Policy > User Awareness Blade Control page.
- In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in the Access Policy.
- To limit the rule to a certain time range, select Apply only during this time and select the start and end times.
- In outgoing rules, to limit the download traffic rate, select Limit download traffic of applications to and enter the Kbps rate.
- In outgoing rules, to limit the upload traffic rate, select Limit upload traffic of applications to and enter the Kbps rate.
- In incoming rules, to match only encrypted VPN traffic, select Match only for encrypted traffic.
- Click Apply.
  The rule is added to the outgoing or incoming section of the Access Policy.
To clone a rule:
Clone a rule to add a rule that is almost the same as one that already exists.
- Select a rule and click Clone.
- Edit the fields as necessary.
- Click Apply.
To edit a rule:
Note - For Access Policy rules, you can only edit the tracking options of automatically generated rules.
- Select a rule and click Edit.
- Edit the fields as necessary.
- Click Apply.
To delete a rule:
- Select a rule and click Delete.
- Click Yes in the confirmation message.
To enable or disable a rule:
- To disable a manually defined rule that you added to the rule base, select the rule and click Disable.
- To enable a manually defined rule that you previously disabled, select the rule and click Enable.
To change the rule order:
- Select the rule to move.
- Drag and drop it to the necessary position.
Note - You can only change the order of manually defined rules.
Updatable Objects
An updatable object is a network object that represents an external service, such as Office 365, AWS, Geo locations, and more. You can select from the list of updatable objects. The available categories depend on the online service update.
External service providers publish lists of IP addresses, domains, or both, to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published provider lists, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway (the dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources) each time the provider changes a list. There is no need to install policy for the updates to take effect.
For a list of currently supported objects, see sk173416.
You can import updatable objects to use in the firewall policy rules.
To import an updatable object:
- In the Firewall Access Policy page, in the Rule Base, click New. If necessary, specify the rule order.
- Click Updatable objects and select the objects you want.
- Click Import.
- Edit the rule so the source and destination use the imported objects, for example the specified countries.
- Select the Action and Log.
- Optional - Enter a comment.
- Optional - Apply limitations such as time or traffic limits.
- Click Apply.
Customizing Messages
You can customize messages to let the Security Gateway communicate with users. This helps users understand that some websites are against the company's security policy. It also tells users about changes to the Internet policy for websites and applications. When you configure such messages, the user's Internet browser shows the message in a new window when traffic matches a rule that uses one of the message-related actions.
These are the Action options and their related notifications:

Rule Base action | Notifications
---|---
Accept and Inform | Shows an informative message to users. Users can continue to the application or cancel the request.
Block and Inform | Shows a message to users and blocks the application request.
Ask | Shows a message to users and asks them whether they want to continue with the request. See above for more details.

To customize messages:
- Click Customize messages in the Outgoing access to the Internet section.
- Configure the options in each of these tabs:
  - Accept and Inform
  - Block and Inform
  - Ask
- Configure the applicable fields for each of the notifications:
  - Title - Keep the default or enter a different title.
  - Subject - Keep the default or enter a different subject.
  - Body - Keep the default or enter different body text. You can click Optional keywords for a list of keywords that you can add to the body text to give the user more information.
  - Ignore text (only for Ask) - This is the confirmation message for the Ask user message. Keep the default text or enter different text.
  - User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message then contains a text box for entering the reason.
  - Fallback action - Select an alternative action (Block or Accept) for when the notification cannot be shown in the browser or application that caused it, most notably in non-web applications. If it is determined that the notification cannot be shown in the browser or application, the behavior is:
    - If the Fallback action is Accept - The user can access the website or application.
    - If the Fallback action is Block - The Security Gateway tries to show the notification in the application that caused it. If it cannot, the website or application is blocked, and the user does not see a notification.
  - Frequency - You can set the number of times that users get notifications for accessing applications that are not permitted by the policy. The options are:
    - Once a day
    - Once a week
    - Once a month
    For example, in a rule whose Applications field contains the Social Networking category, if you select Once a day as the frequency, a user who accesses Facebook multiple times in a day gets one notification.
  - Redirect the user to URL - You can redirect the user to an external portal that is not on the gateway. In the URL field, enter the URL of the external portal. The specified URL can be an external system that gets authentication credentials from the user, such as a user name and password, and sends this information to the gateway. Applicable only to the Block and Inform notification.
- Click the Customize tab to customize a logo for all portals shown by the appliance (the Hotspot portal, which provides a wireless local area network with Internet access through a router connected to an Internet service provider link, and the captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default.
- Click Apply.
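As an added illustration of the Ask action and the Fallback action described above (this is not Check Point code and not from this page), the following Python models how a first-match outgoing rule base enforces a rule with an Ask action, a time range and a Fallback action, and how the Hit Count grows. The rule names, network object names and timestamps are constructed, and the assumption that manual rules are evaluated before auto-generated ones is labelled in the code.

```python
from dataclasses import dataclass
from datetime import datetime, time

NOTIFY_ACTIONS = {"Ask", "Accept and Inform", "Block and Inform"}

# Constructed model of an outgoing access rule (hypothetical, not Check Point code).
@dataclass
class Rule:
    name: str
    source: set               # network object names; "Any" matches every source
    applications: set         # application or category names; "Any" matches all
    action: str               # Accept, Block, Ask, Accept and Inform, Block and Inform
    fallback: str = "Block"   # Fallback action when the notification cannot be shown
    time_range: tuple = None  # (start, end) for "Apply only during this time"
    hits: int = 0             # Hit Count: connections that matched this rule

def rule_matches(rule, source, app, at):
    if "Any" not in rule.source and source not in rule.source:
        return False
    if "Any" not in rule.applications and app not in rule.applications:
        return False
    if rule.time_range and not (rule.time_range[0] <= at.time() <= rule.time_range[1]):
        return False
    return True

def decide(rulebase, source, app, at, web_browser, default_action="Block"):
    """First match wins (assumption: manual rules sit above auto-generated ones)."""
    for rule in rulebase:
        if not rule_matches(rule, source, app, at):
            continue
        rule.hits += 1
        if rule.action in NOTIFY_ACTIONS and not web_browser:
            # Non-web application: the message cannot be displayed, so the
            # Fallback action is enforced and the user sees no notification.
            return rule.name, rule.fallback, False
        return rule.name, rule.action, rule.action in NOTIFY_ACTIONS  # (rule, action, notified)
    # No rule matched: in Strict mode the default policy blocks everything.
    return "default", default_action, False

def office_time(hour):  # constructed timestamp on a fixed day, for the sample only
    return datetime(2024, 1, 10, hour, 0)

# Constructed sample rule base: HR gets an Ask prompt for Facebook, social networking
# is blocked for everyone during office hours, everything else is accepted.
RULEBASE = [
    Rule("HR Facebook", {"HR_Net"}, {"Facebook"}, "Ask", fallback="Block"),
    Rule("Block social", {"Any"}, {"Social Networking", "Facebook"}, "Block",
         time_range=(time(9, 0), time(17, 0))),
    Rule("Allow rest", {"Any"}, {"Any"}, "Accept"),
]
```

The second call in the test below shows the edge case the Fallback action exists for: the same HR rule matches, but because the client is not a web browser the Ask page cannot be shown and the fallback Block is enforced silently.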