Gmail access using Application Control Blade



Satish .J
2012-12-18, 04:52
Need some help for giving Gmail access using the Application Control Blade for specific people, with the rest to be blocked. I am using Check Point Firewall R75.20.

mcnallym
2012-12-18, 08:53
Define an AccessRole for the people that will need access to gmail.

The Access Role should contain the users that will need the access. The easiest way is probably an AD user group; then point the Access Role at that group. If there is already an AD group and Access Role suitable, then just reuse that.

Add a rule that allows the Access Role to Gmail as an application:

Src = Access Role
Dst = Internet
Applications/Sites = Gmail
Action = Accept

Then add a second rule immediately below:

Src = Any
Dst = Internet
Applications/Sites = Gmail
Action = Drop

The first rule will allow the members of the LDAP group access to Gmail.

The second rule beneath will drop other people attempting to access Gmail.

This is effectively how you configure all restricted access to applications / sites, using two rules. Obviously you can add multiple sites / applications if the same Access Role needs access to them, rather than separate sets of rules.

Satish .J
2012-12-19, 04:00
Thanks for your reply. I am not using AD users for configuring the Gmail access.
I will explain how I have done it.

I have created a group for HR (members of the HR team) and Finance (members of the Finance team), created a rule and opened the http, https, pop3, imap ports, so everything is working fine. Now I want to block Gmail for everyone else using the Application Control Blade.

Rule 1:

Src = HR
Dst = Any
VPN - Any
Service = pop3, imap, smtp, http, https
Action : Allow
Track = Log
Installed = Gateway

Rule 2:

Src = Finance
Dst = Any
VPN - Any
Service = pop3, smtp, http, https
Action : Allow
Track = Log
Installed = Gateway

Rule 3 :

Src = Any
Dst = Any
VPN - Any
Service = pop3, imap, smtp, http
Action : Drop
Track = Log
Installed = Gateway

Cleanup rule :

Src = Any
Dst = Any
VPN - Any
Service = Drop
Action : Log
Installed = Gateway

For allowing Gmail access using the Application Control Blade - this works using the normal rule in the firewall, and in the logs I can see it shows as using the Application Control Blade:

Src = HR & Finance
Dst = Internet
Applications/Sites = Gmail
Action = Accept

For allowing Gmail access using the Application Control Blade for one particular user - but this application rule is not working for me, and I can see that user1 is being dropped by the cleanup rule:

Src = user1
Dst = Internet
Applications/Sites = Gmail
Action = Accept

For blocking Gmail access using the Application Control Blade:

Src = Any
Dst = Internet
Applications/Sites = Gmail
Action = Block

When I created this rule, it checks only the rules in the firewall, reaches the cleanup rule last and drops the traffic.
Please help me with this.




Define an AccessRole for the people that will need access to gmail.

The Access Role should contain the users that will need the access. Easiest way is probably an AD User Group then point the Access Role at that group. If there is already an AD Group and Access role suitable then just reuse that .

Add a rule that allows the Access Role to gmail as an appllication

Src = Access Role
Dst = Internet
Applications/Sites = Gmail
Action = Accept

Then add a second rule immediately below

Src = Any
Dst = Internet
Applicatin/Sites = Gmail
Action = Drop

The first rule will allow the members of the LDAP Group access to Gmail

The second rule beneath will drop other people attempting to access Gmail.

Is effectively how you configure all restricted access to applications / sites, using two rules. Obviously can add multiple sites / applications if the same Access Role needs accesss to them rather then seperate sets of riules.

mcnallym
2012-12-20, 05:20
I think you are misunderstanding how the Check Point firewall is working, so I will take it back to basics. Not trying to offend anyone, so apologies if you understand this already.
If you aren't using Identity Awareness and Active Directory groups, then how are you capturing the identity of User1 so that it can be used in the Source column?

Before the traffic is inspected by the AppControl Blade, it has to match a rule in the Firewall Policy that accepts it.
Looking at the rules you have said you have entered, User1 does not appear to be able to pass https traffic to the Internet (not sure how you are gathering the identity either).

Taking this through your rules on a rule-by-rule basis:

Rule 1.) Is User1 part of the HR group? No, traffic is not matched; proceed to Rule 2.
Rule 2.) Is User1 part of the Finance group? No, traffic is not matched; proceed to Rule 3.
Rule 3.) No user defined, but Gmail authentication is https, which is not listed here. No, traffic is not matched; proceed to Rule 4.
Rule 4.) Drop all traffic. Yes, traffic is matched and dropped, so there is no need to pass it to the App Control Blade for inspection.

The idea of the App Control Blade is to give controlled access to the sites and applications to just the specific users that should have it. As such, I would expect something more like this:

Firewall Policy

Src = Internal-Lans
Dst = Not(Internal-Lans, DMZ-Lans)
Srv = http, https, dns, smtp, pop3, imap
Action = Accept
Track = Log

This will allow all machines on the internal networks access to the Internet with http, https, dns, smtp, pop3 and imap.

Src = Any
Dst = Any
Srv = Any
Action = Drop
Track = Log

Drops all other traffic.

AppControl Policy

Src = HR, Finance
Dst = Internet
Applications/Sites = gmail
Action = Allow
Track = Log

Src = Any
Dst = Internet
Applications/Sites = gmail
Action = Deny
Track = Log

As such, if we go through it now, we can see what happens:

Firewall Policy

Rule 1) The user is located on the Internal-Lan, so that matches, and is trying https, so that matches too. Traffic is accepted and inspection passes to the AppControl Blade.

App Control Blade

Rule 1) Is the user part of the HR or Finance groups, accessing Gmail? No, traffic is not matched to the rule, so proceed to rule 2.
Rule 2) Src matches, Destination matches, Application matches. Yes, traffic is matched to the rule and is denied, so the AppControl Blade drops the traffic.
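
A small first-match model of the two-stage evaluation described in this reply, added here as an illustration (it is not code from the thread or from Check Point): the firewall rulebase is consulted first, and the AppControl rulebase only when the firewall accepts. The user names, group memberships and rule names are constructed, and the model handles any user/service/application combination, not just the Gmail case walked through above.

```python
from dataclasses import dataclass, field

# Constructed identities: user1 belongs to no HR/Finance group, as in the thread.
GROUPS = {"alice": {"HR", "Internal-Lans"},
          "bob": {"Finance", "Internal-Lans"},
          "user1": {"Internal-Lans"}}

@dataclass
class Rule:
    name: str
    action: str  # "accept" or "drop"
    src: set = field(default_factory=lambda: {"Any"})
    services: set = field(default_factory=lambda: {"Any"})
    apps: set = field(default_factory=lambda: {"Any"})

def matches(rule, user, service, app):
    """A column matches on 'Any' or on an explicit user name / group entry."""
    src_ok = "Any" in rule.src or bool(rule.src & (GROUPS[user] | {user}))
    svc_ok = "Any" in rule.services or service in rule.services
    app_ok = "Any" in rule.apps or app in rule.apps
    return src_ok and svc_ok and app_ok

def evaluate(rulebase, user, service, app):
    """First matching rule wins; no match is an implicit cleanup drop."""
    for rule in rulebase:
        if matches(rule, user, service, app):
            return rule.name, rule.action
    return "implicit-cleanup", "drop"

def inspect_traffic(firewall, appcontrol, user, service, app):
    """Firewall rulebase first; AppControl is consulted only after a firewall accept."""
    fw_rule, fw_action = evaluate(firewall, user, service, app)
    if fw_action != "accept":
        return ("firewall", fw_rule, "drop")
    return ("appcontrol",) + evaluate(appcontrol, user, service, app)

# The original poster's layout: per-group firewall rules, https missing from rule 3.
ORIGINAL_FW = [
    Rule("rule1-hr", "accept", {"HR"}, {"pop3", "imap", "smtp", "http", "https"}),
    Rule("rule2-finance", "accept", {"Finance"}, {"pop3", "smtp", "http", "https"}),
    Rule("rule3", "drop", {"Any"}, {"pop3", "imap", "smtp", "http"}),
    Rule("cleanup", "drop")]
ORIGINAL_AC = [Rule("allow-user1-gmail", "accept", {"user1"}, apps={"gmail"}),
               Rule("block-gmail", "drop", apps={"gmail"})]
# The suggested layout: broad internet access in the firewall, per-app control in AppControl.
SUGGESTED_FW = [Rule("internet", "accept", {"Internal-Lans"},
                     {"http", "https", "dns", "smtp", "pop3", "imap"}),
                Rule("cleanup", "drop")]
SUGGESTED_AC = [Rule("allow-gmail", "accept", {"HR", "Finance"}, apps={"gmail"}),
                Rule("block-gmail", "drop", apps={"gmail"})]
```

With the original layout, user1's https to Gmail never reaches AppControl and dies on the firewall cleanup rule; with the suggested layout the firewall accepts it and the AppControl deny rule is what drops it, which is the log entry you would expect to see.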

Satish .J
2012-12-24, 07:43
Very good explanation.
Do you mean to say that a rule is mandatory in the Firewall to write any rule in the Application Control Blade?

Satish .J
2012-12-24, 08:26
Many thanks :-) now I understand how to use the Application Control Blade, and now I am able to give Gmail access using the Application Control Blade.

mcnallym
2013-01-02, 03:44
Very good explanation.
Do you mean to say that a rule is mandatory in the Firewall to write any rule in the Application Control Blade?

In order for the Application Control Blade to become involved, the traffic must be accepted by a rule on the Firewall Blade.

As such, in the Firewall Blade you give the user / machine / network access to the Internet with http/https etc.
You then restrict what they can access in terms of applications / sites etc. using the Application Control Blade policy.

If the Firewall Blade policy doesn't permit the traffic, then it is dropped and the Application Control policy is not looked at.