Clean up rule in Application Control & Url filtering layer

[nickliako]

Hello.

1.
I was wondering whether it is possible to define that the Application Control & URL filtering layer handles only http(s) protocols and nothing else ?

The issue I am asking that is the following:

As part of my network policy I want to allow pings from Inside Lan to Any
As part of my App Url & filtering policy (ordered layer) my clean up rule is the default one which is From Any to Any Deny

With that policy if i try to ping 1.1.1.1 from a computer which resides on the inside, then I get blocked by the Clean Up rule of Application Control & URL filtering layer.

Why do I need to define the same rule again in the Application Layer ie Allow pings from Inside LAN to Any in order for this to work ?


2. What's the best practice with regard to the Clean Up Rule in an App & URL filtering policy ?

Thanks in advance.

[mcnallym]

1.) ALL Traffic that gets passed by the Firewall Blade will get handed off to the Application Control/URL Filtering, not just HTTP/HTTPS in R77.30. With R80.10 then if kept the AppCtrl/URL as an ordered layer then get the same behaviour. This is by design as many of the applications aren't http/https related.

If you just want your AppCtrl/URL to handle HTTP/HTTPS then you would need to use R80.x and use a Inline Layer to call the AppCtrl/URL as opposed to an ordered layer. In the rule calling the layer then only permit http/https as the Services so only http/https traffic matching that rule gets passed over to the inline layer.

You have to have the rule as ALL traffic is passed to the ordered layer your clean up of Any Any Block will match the ICMP traffic and so drop on the AppCtrl URL Cleanup that you have

Whenever you use the Any Any Deny on the AppCtrl Policy when is an ordered layer then you basically end up replicating your Firewall Blade into the AppCtrl/URL policy as well.



2.) In terms of AppCtrl/URL then the last action as always stated to me by Check Point is to permit.

AppCtrl should be structed as such ( according to everything Check Point told me )


A.) Resources that everyone should have access too but may be blocked lower down in terms of categories

B.) Conditional Access Rules - In pairs where have Access Role permit access to resources, then a rule underneath for same resources denying access

C.) Resources that nobody should access, typically Categories which is why may need rules permitting access to specific apps within a category that may not want access to generally. ie in A then would have OneDrive if want to permit sharing via OneDrive and then in C would block File Storage and Sharing. This would allow access to OneDrive but would block other File Storage and Sharing Applications being used.

D.) Clean Up Rule that permits Any Recognised Application not already blocked