CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Application Control with cleanup rule in Firewall policy

  1. #1
    Join Date
    2006-10-04
    Posts
    32
    Rep Power
    0

    Application Control with cleanup rule in Firewall policy

    Hello again. Just wondering how the Application Control stuff is supposed to work when there's a cleanup rule at the end of the firewall policy? The traffic gets dropped before it gets a chance to get to the Application Control blade. Am I missing something?

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,041
    Rep Power
    12

    Re: Application Control with cleanup rule in Firewall policy

    Quote: Originally posted by cdooer
    Hello again. Just wondering how the Application Control stuff is supposed to work when there's a cleanup rule at the end of the firewall policy? The traffic gets dropped before it gets a chance to get to the Application Control blade. Am I missing something?
    I'm assuming you are referring to R77.30 or earlier management.

    The connection that will carry the application data must be explicitly permitted first by the main firewall policy based on IP addresses and port numbers. In the case of TCP, there is no data/payload for APCL/URLF to start looking at via its policy until the TCP 3-way handshake is allowed to complete and data begins to flow.

    In R80+ management, use of so-called ordered layers retains this basic methodology, and the different blade policies that were represented on different tabs across the top of the R77* SmartDashboard are instead shown as separate policy layers on the left-hand side under the "Security Policies" tab of the R80+ SmartConsole.

    Unified/inline layers can be used with R80.10+ gateways and have some pretty interesting capabilities, including the ability to explicitly decide if the implied cleanup rule of a policy layer is an Accept or a Drop. Way beyond the scope of this post though. :-)
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
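
As an added illustration (not part of the original posts and not Check Point code), the sketch below models the ordered-layer behaviour described in the reply above: a connection has to be accepted by the network layer on address and port before the application layer's rules are consulted. The rule names, addresses and application labels are constructed, and the application label stands in for what the blade would identify once payload flows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    app: str  # label the application layer would assign once payload flows

@dataclass
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"       # destination is "any" in this simplified model
    dport: Optional[int] = None  # None matches any port
    app: Optional[str] = None    # None matches any application

    def matches(self, c: Conn) -> bool:
        return (ip_address(c.src) in ip_network(self.src)
                and self.dport in (None, c.dport)
                and self.app in (None, c.app))

# Constructed policy: two ordered layers, each closed by an explicit cleanup rule.
POLICY = [
    ("network", [Rule("web-out", "accept", src="10.0.0.0/8", dport=443),
                 Rule("fw-cleanup", "drop")]),
    ("application", [Rule("allow-o365", "accept", app="Office365"),
                     Rule("app-cleanup", "drop")]),
]

def evaluate(policy, conn):
    """Walk the layers in order; the first drop ends evaluation."""
    trail = []
    for layer, rules in policy:
        # First matching rule wins; a layer with no match falls to an implied drop.
        rule = next((r for r in rules if r.matches(conn)), Rule("implied-drop", "drop"))
        trail.append((layer, rule.name))
        if rule.action == "drop":
            return "drop", trail
    return "accept", trail

if __name__ == "__main__":
    for c in (Conn("10.1.1.5", "203.0.113.10", 443, "Office365"),
              Conn("10.1.1.5", "203.0.113.10", 443, "Dropbox"),
              Conn("10.1.1.5", "203.0.113.10", 25, "Office365")):
        print(c, "->", evaluate(POLICY, c))
```

The returned trail lists which rule decided in each layer, so a connection dropped by the network cleanup rule shows no application-layer entry at all.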

  3. #3
    Join Date
    2006-10-04
    Posts
    32
    Rep Power
    0

    Default Re: Application Control with cleanup rule in Firewall policy

    Unfortunately that renders the AC blade somewhat useless...in my case anyway. I was hoping to be able to get away from the need to track all of the IPs associated with O365.
