CP R77 ApplicationControlURLFiltering AdminGuide
CP R77 ApplicationControlURLFiltering AdminGuide
URL Filtering
R77 Versions
Administration Guide
21 May 2014
Classification: [Protected]
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
(http://supportcontent.checkpoint.com/documentation_download?ID=24853)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R77 home page
(http://supportcontent.checkpoint.com/solutions?id=sk92965).
Revision History
Date
Description
19 May 2014
09 December 2013
23 August 2013
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Application Control and URL Filtering
R77 Versions Administration Guide).
Contents
Important Information ............................................................................................................ 3
Terms ...................................................................................................................................... 7
Introduction to Application Control and URL Filtering ....................................................... 8
The Need for Application Control ......................................................................................... 8
The Need for URL Filtering .................................................................................................. 8
The Check Point Solution for Application Control and URL Filtering .................................... 9
Main Features ..................................................................................................................... 9
Getting Started ..................................................................................................................... 10
Application Control and URL Filtering Licensing and Contracts ......................................... 10
SmartDashboard Toolbar .................................................................................................. 10
Enabling Application Control on a Security Gateway ......................................................... 11
Enabling URL Filtering on a Security Gateway .................................................................. 11
Creating an Application Control and URL Filtering Policy .................................................. 11
Creating Rules .............................................................................................................. 12
Managing Application Control and URL Filtering .............................................................. 17
The Policy Rule Base ........................................................................................................ 17
Default Rule and Monitor Mode .................................................................................... 17
Parts of the Rules ......................................................................................................... 18
Limit Objects ................................................................................................................. 22
Analyzing the Rule Base (Hit Count) ............................................................................. 22
UserCheck Interaction Objects ..................................................................................... 24
The Application and URL Filtering Database ..................................................................... 28
Security Category Updates ........................................................................................... 28
Application Categories .................................................................................................. 28
Application Risk Levels ................................................................................................. 29
Using the AppWiki ........................................................................................................ 29
Updating the Application and URL Filtering Database................................................... 29
The Application and URL Filtering Overview Pane ............................................................ 31
My Organization............................................................................................................ 31
Messages and Action Items .......................................................................................... 31
Detected in My Organization ......................................................................................... 31
Top Users ..................................................................................................................... 31
AppWiki ............................................................................................................................. 31
GatewaysPane .................................................................................................................. 32
Applications/Sites Pane ..................................................................................................... 32
Creating Applications or Sites ....................................................................................... 32
Creating Categories ...................................................................................................... 33
Creating Application or Site Groups .............................................................................. 33
Exporting and Importing Applications or Sites ............................................................... 34
Advanced Settings for Application and URL Filtering ......................................................... 34
HTTP Inspection on Non-Standard Ports ...................................................................... 34
Overriding Categorization ............................................................................................. 34
HTTPS Inspection ............................................................................................................. 35
How it Operates ............................................................................................................ 35
Configuring Outbound HTTPS Inspection ..................................................................... 36
Configuring Inbound HTTPS Inspection ........................................................................ 38
The HTTPS Inspection Policy ....................................................................................... 39
Gateways Pane ............................................................................................................ 42
Adding Trusted CAs for Outbound HTTPS Inspection................................................... 43
HTTPS Validation ......................................................................................................... 44
HTTP/HTTPS Proxy...................................................................................................... 46
Security Gateway Portals .............................................................................................. 47
Terms
Application
A software program that runs on a server,
website, desktop computer, or mobile device.
Application Control
The ability to create rules that control user or
computer access to specified applications.
Gateway
A computer or appliance that controls
communication between different networks.
Rule
A set of traffic parameters and other conditions
that cause specified actions to be taken for a
communication session.
Security Gateway
A computer or appliance that inspects traffic and
enforces Security Policies for connected network
resources.
Site
1. A collection of related Web pages or content
accessible with a browser over the Internet or an
Intranet. 2. In remote access clients, the gateway
that users connect to through the VPN.
Example: You can block sites that are not
appropriate for your organization.
Term Type: Check Point
SmartConsole
A Check Point GUI application used to manage
security policies, monitor products and events,
install updates, provision new computers and
appliances, and manage a multi-domain
environment.
SmartDashboard
A Check Point client used to create and manage
the security policy.
URL Filtering
The ability to create rules that control user and
computer access to specified sites based on their
URL.
Web Site
A collection of related Web pages or content
accessible with a browser over the Internet or an
Intranet.
Chapter 1
Introduction to Application Control
and URL Filtering
In This Section:
The Need for Application Control .............................................................................. 8
The Need for URL Filtering ....................................................................................... 8
The Check Point Solution for Application Control and URL Filtering ........................ 9
Main Features ........................................................................................................... 9
Malware threats - Application use can open networks to threats from malware. Popular applications like
Twitter, Facebook, and YouTube can cause users to download viruses unintentionally. File sharing can
easily cause malware to be downloaded into your network.
Bandwidth hogging - Applications that use a lot of bandwidth, for example, streaming media, can limit
the bandwidth that is available for important business applications.
Loss of Productivity - Employees can spend time on social networking and other applications that can
seriously decrease business productivity.
Employers do not know what employees are doing on the internet and how such use affects them.
When URL Filtering is set, employee data is kept private when attempting to determine a site category. Only
the host part of the URL is sent to the Check Point Online Web Service. This data is also encrypted.
Main Features
Granular Application Control Identify, allow, or block thousands of applications and internet sites.
This provides protection against the increasing threat vectors and malware introduced by internet
applications and sites.
Largest application library with AppWiki Comprehensive application control that uses the industrys
largest application library. It scans for and detects more than 4,500 applications and more than 100,000
Web 2.0 widgets and categories.
Integrated into Security Gateways - Activate Application Control and URL Filtering on Security
Gateways including UTM-1, Power-1, IP Appliances, and IAS Appliances.
Central Management Lets you centrally manage security Policies for Application Control and URL
Filtering from one user-friendly console for easy administration.
SmartEvent Analysis - Use SmartEvent advanced analysis capabilities to understand your application
and site traffic with filtering, charts, reporting, statistics, and more, of all events that pass through
enabled Security Gateways.
Chapter 2
Getting Started
In This Section:
Application Control and URL Filtering Licensing and Contracts ............................. 10
SmartDashboard Toolbar ........................................................................................ 10
Enabling Application Control on a Security Gateway ............................................. 11
Enabling URL Filtering on a Security Gateway ....................................................... 11
Creating an Application Control and URL Filtering Policy ...................................... 11
It is easy to get started with Application Control and URL Filtering after you install and configure your R77
environment. Application Control can be enabled on R75 or higher gateways and URL Filtering can be
enabled on R75.20 or higher gateways.
The Message and Action Items section of the Overview pane of the Application and URL Filtering tab.
The Check Point User Center when you log in to your account.
SmartDashboard Toolbar
You can use the SmartDashboard toolbar to do these actions:
Icon
Description
Open the SmartDashboard menu. When instructed to select menu options, click this
button to show the menu.
For example, if you are instructed to select Manage > Users and Administrators,
click this button to open the Manage menu and then select the Users and
Administrators option.
Save current policy and all system objects.
Open a policy package, which is a collection of Policies saved together with the same
name.
Refresh policy from the Security Management Server.
Getting Started
Icon
Description
Open the Database Revision Control window.
Change global properties.
Verify Rule Base consistency.
Install the policy on Security Gateways or VSX Gateways.
Open SmartConsoles.
The Policy pane contains your Rule Base, which is the primary component of your Application Control
and URL Filtering Policy. Click the Add Rule buttons to get started.
Look through the AppWiki to learn which applications and categories have high risk levels. Find ideas of
applications and categories to include in your Policy.
Application Control and URL Filtering Administration Guide R77 Versions | 11
Getting Started
Creating Rules
Here are examples of how to create different types of rules.
Monitoring Applications
Scenario: I want to monitor all Facebook traffic in my organization. How can I do this?
Source - Keep it as Any so that it applies to all traffic from the organization.
Destination - Keep it as Internet so that it applies to all traffic going to the internet or DMZ.
Applications/Sites - Click the plus sign to open the Application viewer. Add the Facebook
application to the rule:
Start to type "face" in the Search field. In the Available list, see the Facebook application.
Install On - Keep it as All or choose specified Security Gateways on which to install the rule.
The rule allows all Facebook traffic but logs it. You can see the log data in SmartView Tracker and
SmartEvent to monitor how people use Facebook in your organization.
Blocking Applications
Scenario: I want to block pornographic sites in my organization. How can I do this?
Getting Started
Action - Block, and optionally, a UserCheck Blocked Message. The message informs users that
their actions are against company policy and can include a link to report if the website is included in
an incorrect category.
Track - Log
Name
Source
Destination
Applications/
Sites
Action
Track
Install On
Block
Pornography
Any
Internet
Pornography
Block
Blocked
Message
Log
All
The rule blocks traffic to pornographic sites and logs attempts access sites that are in the pornography
category. Users who violate the rule receive a customizable UserCheck message that informs them that the
application is blocked according to company security policy. The message can include a link to report if the
website is included in an incorrect category.
Important - A rule that blocks traffic, with the Source and Destination parameters
defined as Any, also blocks traffic to and from the Captive Portal.
Add a Limit object to a rule to limit the bandwidth that is permitted for the rule.
Add one or more Time objects to a rule to make it active only during specified times.
Limits the upload and download throughput for streaming media in the company to 1 Gbps.
To create a rule that allows streaming media with time and bandwidth limits:
1. In the Application and URL Filtering tab of SmartDashboard, open the Policy pane.
2. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule
Base. The first rule matched is applied.
3. Make a rule that includes these components:
Action - Allow, and a Limit object that specifies the maximum upload and download throughput.
Time - Add a Time object that specifies the hours or time period in which the rule is active.
Name
Action
Track
Install
On
Time
Limit
Streaming
Media
Any
Allow
Upload_1Gb
ps
Up: 1 Gbps
Log
All
Non-peak
Internet
Media Streams
Note - In a cluster environment, the specified bandwidth limit is divided between all defined cluster
members, whether active or not. For example, if a rule sets 1Gbps limit in a three member cluster,
each member has a fixed limit of 333Mbps.
Getting Started
You have already created an Access Role that represents all identified users in the organization. You
can use this to allow access to applications only for users who are identified on the Security Gateway.
You want to allow access to the Radmin Remote Access tool for all identified users.
You want to block all other Remote Access tools for everyone within your organization. You also want to
block any other application that can establish remote connections or remote control.
Destination - Internet
Action - Allow
Applications/Sites - Radmin
2. Create a rule below the rule from step 1. Include these components:
Source - Any
Destination - Internet
Action - Block
Name
Source
Destination
Applications/Sites
Action Track
Install On
Allow Radmin to
Identified Users
Identified_us
ers
Internet
Radmin
Allow
None
All
Block other
Remote Admin
Any
Internet
Remote
Administration Tool
Block
Log
All
Because the rule that allows Radmin is above the rule that blocks other Remote Administration tools, it
is matched first.
The Source of the first rule is the Identified Users access role. If you use an access role that represents
the Technical Support department, then only users from the technical support department are allowed to
use Radmin.
For more about Access Roles and Identity Awareness, see the R77 Identity Awareness Administration
Guide (http://supportcontent.checkpoint.com/documentation_download?ID=24805).
Blocking Sites
Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of
these categories exist in the Application and URL Filtering Database but there is also a custom defined site
that must be included. How can I do this?
You can do this by creating a custom group and adding all applicable categories and the site to it. If you
enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules
that apply to an access role. Use access role objects to define users, machines, and network locations as
one object.
Getting Started
In this example:
You have already created an Access Role that represents all identified users in the organization.
You want to block sites that can cause liability issues for everyone within your organization.
You will create a custom group that includes Application and URL Filtering Database categories as well
as a previously defined custom site named Smirnoff.
In the Application and URL Filtering tab of SmartDashboard, open the Applications/Sites pane.
Click New > Applications/Sites Group.
Give the group a name. For example, Liability_Sites.
Add the group members:
Filter by Categories (make sure only the Categories button is selected) and select the checkboxes
of all the related categories in the Application and URL Filtering Database.
Filter by Custom (click the Categories button to clear it and select Custom) and select the custom
application.
5. Click OK.
The categories and custom site are shown in the group members list.
6. Click OK.
The group is added to the Applications/Sites list. You can now use it in the Rule Base
Destination - Internet
Applications/Sites - Liability_Sites
Action - Block
Name
Source
Destination
Applications/
Sites
Action
Track
Identified_Users
Internet
Liability_Sites
Block
Log
Getting Started
You have already created an Access Role that represents all identified users in the organization.
Destination - Internet
Action - Block
Chapter 3
Managing Application Control and
URL Filtering
In This Section:
The Policy Rule Base .............................................................................................. 17
The Application and URL Filtering Database .......................................................... 28
The Application and URL Filtering Overview Pane ................................................. 31
AppWiki ................................................................................................................... 31
GatewaysPane ........................................................................................................ 32
Applications/Sites Pane .......................................................................................... 32
Advanced Settings for Application and URL Filtering ............................................. 34
HTTPS Inspection ................................................................................................... 35
Engine Settings ....................................................................................................... 50
Application and URL Filtering and Identity Awareness ........................................... 53
Legacy URL Filtering .............................................................................................. 54
You configure Application Control and URL Filtering in SmartDashboard. SmartView Tracker shows the logs
and SmartEvent shows real-time traffic statistics and analysis. This chapter explains the Application Control
and URL Filtering configuration and management that you do in SmartDashboard.
Destination
Applications/Sites
Action
Track
Install On
Any
Internet
Any Recognized
Allow
Log
All
The result of this rule is that all application traffic is monitored. Therefore, you can see logs related to
application traffic in SmartView Tracker and SmartEvent. Use the data there to better understand the use of
applications in your environment and create an effective Rule Base.
If you enabled Identity Awareness on the Security Gateway, you will also see names of identified users in
the logs.
If you do not add other rules to the Rule Base, your Application Control Policy stays in monitor mode. This
means that you see application traffic in the logs but do not block access to applications.
If you change the default rule, for example:
You change the value in Applications/Sites from Any Recognized to a specified application,
Number (NO.)
The sequence of rules is important because the first rule that matches an application is applied.
For example, Gmail additional categories include Sends Mail, Transmits Personal or Enterprise
Information, and Instant Chat. If rule 3 allows Gmail and rule 4 blocks applications with the Instant Chat
additional category, Gmail will be allowed based on rule 3.
Hits
Hit Count tracks the number of connections that each rule matches. For each rule in the Rule Base, the Hits
column shows by default a visual indicator of matching connections together with the number of hits in K
(thousands), M (millions), G (billions), or T (trillions). You can configure to show the percentage of the rule's
hits from total hits, the indicator level (very high, high, medium, low, or zero) and set a timeframe for the data
that is shown. These options are configured from the Firewall Rule Base by right-clicking the Hits column
header or the rule number.
See Hit Count ("Analyzing the Rule Base (Hit Count)" on page 22).
Name
Give the rule a descriptive name. The name can include spaces.
Double-click in the Name column of the rule to add or change a name.
Source
The source is where the traffic originates. The default is Any.
Important - A rule that blocks traffic, with the Source and Destination parameters defined as
Any, also blocks traffic to and from the Captive Portal.
Put your mouse in the column and a plus sign shows. Click the plus sign to open the list of network objects
and select one or multiple sources. The source can be an Access Role object, which you can define when
Identity Awareness is enabled.
Destination
Choose the destination for the traffic. The default is the Internet, which includes all traffic with the
destination of DMZ or external. If you delete the destination value, the rule changes to Any, which applies to
traffic going to all destinations
Important - A rule that blocks traffic, with the Source and Destination parameters defined as
Any, also blocks traffic to and from the Captive Portal.
To choose other destinations, put your mouse in the column and a plus sign shows. Click the plus sign to
open the list of network objects and select one or multiple destinations.
Applications/Sites
The Applications/Sites column contains the applications and categories for sites and applications that you
choose to include. One rule can include multiple items and items of different types. For example, one rule
can include 2 applications and 3 categories. The default is that the rule applies to all known applications and
sites. The category on which the rule is matched is shown in the SmartView Tracker logs in the Matched
Category field.
You can also include widgets and custom defined applications, sites, categories and groups. Custom
defined items are set in SmartDashboard by the administrator and are not a part of the Application and URL
Filtering Database.
If you do not enable URL Filtering on the Security Gateway, you can use a generic web browser application
called Web Browsing.
This application includes all HTTP traffic that is not a defined application. Because Web Browsing traffic can
generate many logs, the Web browsing application has its own activation setting. You can activate Web
Browsing in Advanced > Engine Settings.
To add an item to the rule, click the checkbox in the Available list.
To see the details of an item without adding it to the rule, click the name of the Available item.
You can select an application, category, site or group to add to the rule from the Available list.
To filter the Available list by categories, applications, custom-defined items or widgets, click the buttons
in the toolbar of the viewer. The Available list shows the filtered items and then you can add items to the
rule.
To see all applications in a risk level, select the level from the Risk field in the toolbar.
If you know the name of an application or category, you can search for it. The results show in the
Available list.
To add a new category, application or site, or application or site group, use the New button.
Action
Action refers to what is done to the traffic. Click in the column to see the options and select an action to add
to the rule.
Action
Meaning
Allow
Inform
Ask
Asks the user a question and adds a confirmatory check box, or a reason box.
Block
Blocks the traffic. If no UserCheck object is defined for this action, no page is displayed.
Limit
Limits the bandwidth that is permitted for a rule. Add a Limit object ("Limit Objects" on
page 22) to configure a maximum throughput for uploads and downloads.
User Check
Frequency
Configure how often the user should see the configured message when the action is ask,
inform, or block.
Edit User Check Opens the User Check message for editing
Message
Captive Portal
Rule Actions
From the toolbar at the top of the Application Control Policy page, click the icons to
create new rules or to delete the selected rules.
If you right-click in a column of the Rule Base and select Rule Actions, a menu opens
with these options:
New Rule - Select to create a new rule Above or Below the rule that is currently
selected.
Disable Rule - The rule stays in the Rule Base but is not active.
Select All Rules - Selects all the rules and you can then choose another action to
apply to them.
View rule logs in SmartView Tracker - Opens SmartView Tracker and shows logs
related to the rule.
View rule logs in SmartEvent - Opens SmartEvent and shows logs related to the
rule.
Important - A rule that blocks traffic, with the Source and Destination parameters
defined as Any, also blocks traffic to and from the Captive Portal.
Note - The actions Block, Ask, and Inform involve the creation of UserCheck
Interaction Objects.
Track
Choose if the traffic is logged in SmartView Tracker or if it triggers other notifications. Click in the column
and the options open. The options include:
Logs:
Log - Records the event details in SmartView Tracker. This option is useful to get general
information on your network traffic. It consolidates logs by session (there is one log for each
session). It shows the initial URL browsed and the number of suppressed logs it includes.
Application Control and URL Filtering Administration Guide R77 Versions | 20
Extended Log - Consolidates logs by session, shows the number of suppressed logs and includes
data for each URL request in the session time frame. Each of the URLs has an entry in the URLs
tab of the log in SmartView Tracker. Using this option can have an effect on performance.
Complete Log - Records logs for each URL request made regardless of session. Each URL request
has its own log. This option also generates an event in SmartEvent for each URL browsed and is
intended only for troubleshooting purposes. Note that this option generates many logs.
For more about logs, see log sessions (on page 57).
Alert - Logs the event and runs a command, such as display a popup window, send an email alert or an
SNMP trap alert, or run a user-defined script as defined in Policy > Global Properties > Log and Alert
> Alert Commands.
Mail - Sends an email to the administrator, or runs the mail alert script defined in Policy > Global
Properties > Log and Alert > Alert Commands.
SNMP Trap - Sends a SNMP alert to the SNMP GUI, or runs the script defined in Policy > Global
Properties > Log and Alert > Alert Commands.
User Defined Alert - Sends one of three possible customized alerts. The alerts are defined by the
scripts specified in Policy > Global Properties > Log and Alert > Alert Commands.
Install On
Choose which Security Gateways on which the rule will be installed. The default is All, which means all
Security Gateways that have Application Control enabled. Put your mouse in the column and a plus sign
shows. Click the plus sign to open the list of available Security Gateways and select.
Time
You can add a Time object to a rule to make the rule active only during specified times. If you do not include
a Time object in a rule, the rule is always active.
You can include multiple Time objects in a rule in these ways:
When you have multiple Time objects or a Time Group, each Time object works independently. For
example, if a rule has two Time objects:
The rule is active each day from 9:00 - 17:00 and all day on Mondays. For the rule to be active from 9:00 17:00 on Mondays only, make one Time object that contains all of the criteria.
If Time objects were created from a different tab in SmartDashboard, you can also use them in the
Application Control and URL Filtering Rule Base. For example, you can create Time objects from the
Firewall Rule Base or from Manage menu > Time.
To create a new Time object from the Application Control and URL Filtering Rule Base:
1.
2.
3.
4.
In the Time column of a rule, right click and select Add Objects.
Click New and select Time.
In the General pane, enter a Name without spaces.
In the Time pane, select one or more options:
Time Period - Select a date and time when the rule starts to be active and expires.
Restrict to specific hour ranges - Select hours of the day when the rule is active.
Specify Days - Select days of the week or month when the rule is active. The default is Every Day.
Application Control and URL Filtering Administration Guide R77 Versions | 21
5. Click OK.
6. Click OK to add the object to the selected rule.
Note - The relevant time zone is that of the Security Gateway enforcing the rule. If
Security Gateways are in different time zones, they enforce the same time object rules at
different times.
Limit Objects
Use the Limit action in rules to limit the bandwidth that is permitted for a rule in the Application Control and
URL Filtering Rule Base. Configure a maximum throughput for uploads and downloads. The Limit action
makes sure that employee use of the internet does not impede important business tasks.
You can add one Limit object to a rule. It can include upload and download rates.
When the limit is reached, the gateway begins to drop packets. The Application Control logs show dropped
packets.
For each selected option, select a number and unit to define the maximum permitted bandwidth for
that action.
4. Click OK.
The Limit is added to the rule.
Note - The Security Gateway implements the Limit action by dropping successive
packets which exceed the allowed bandwidth.
These options are configured in the Firewall Rule Base and also changes how Hit Count is shown in other
supported Software Blades.
When you enable Hit Count, the Security Management Server collects the data from supported Security
Gateways (from version R75.40 and up). Hit Count works independently from logging and tracks the hits
even if the Track option is None.
You can use the Hit Count data to:
Analyze a Rule Base - You can delete rules that have no matching connections
Note - If you see a rule with a zero hit count it only means that in the Security Gateways enabled
with Hit Count there were no matching connections. There can be matching connections on other
Security Gateways.
Better Firewall performance - You can move a rule that has a high hit count to a higher position in the
Rule Base
Enable Hit Count - Select to enable or clear to disable all Security Gateways to monitor the number
of connections each rule matches.
Keep Hit Count data up to - Select one of the time range options. The default is 6 months. Data is
kept in the Security Management Server database for this period and is shown in the Hits column.
4. Click OK and then install the Policy.
Value - Shows the number of matched hits for the rule from supported Security Gateways. Connection
hits are not accumulated in the total hit count for:
K = 1,000
M = 1,000,000
G = 1,000,000,000
T = 1,000,000,000,000
For example, 259K represents 259 thousand connections and 2M represents 2 million connections.
Percentage - Shows the percentage of the number of matched hits for the rule from the total number of
matched connections. The percentage is rounded to a tenth of a percent.
Level - The hit count level is a label for the range of hits according to the table.
The hit count range = Maximum hit value - Minimum hit value (does not include zero hits)
Icon
Range
Zero
0 hits
Low
Medium
High
Very High
Percentage
Value
Level
To refresh hit count data in the Application and URL Filtering Rule Base:
Click the refresh hits button
Help users with decisions that can be dangerous to the organization security.
Share the organization changing internet policy for web applications and sites with users, in real-time.
If a UserCheck object is set as the action on a policy rule, the user browser redirects to the Administration
web portal on port 443 or 80. The portal hosts UserCheck notifications.
The UserCheck client adds the option to send notifications for applications that are not in a web browser,
such as Skype, iTunes, or browser add-ons (such as radio toolbars). The UserCheck client can also work
together with the UserCheck portal to show notifications on the computer itself when:
The UserCheck engine determines that the notification will not be shown correctly in the browser and
the Fallback Action for the UserCheck object is Allow.
For more about configuring UserCheck on the gateway and the UserCheck client, see Configuring
UserCheck (on page 62).
Application Control and URL Filtering Administration Guide R77 Versions | 24
2.
3.
4.
5.
6.
7.
Inform - Show an informative message users. Users can continue to the application or cancel the
request.
Ask - Show a message to users that asks them if they want to continue with the request or not.
Application name
Category
Username
Original URL
Source IP
Incident ID
Variables are replaced with applicable values when the (Block, Ask, Inform) action occurs and the
message shows. The Username can only be displayed if the Identity Awareness blade is enabled.
c) Use the Insert User Input variable to add a:
Wrong report category - Users can click a link to report that an incorrect category was
included in the message. Use this field with the Category variable.
8. Optional: Click Preview in browser to see the results in your default browser.
9. Click OK.
This creates the UserCheck object and web page notification for the portal.
Once a day
Once a week
Once a month
Custom
2. Select a UserCheck Scope option from the Action column of a rule in the policy. This sets if the
notifications are based on accessing the:
Example:
In a rule that contains:
Applications/Sites
Action
Languages - Set a language for the UserCheck message if the language setting in the user browser
cannot be determined or is not implemented. For example:
Fallback Action - Select an alternative action (allow or block) for when the UserCheck notification
cannot be shown in the browser or application that caused the notification. If UserCheck determines that
the notification cannot be shown in the browser or application, the behavior is:
If the Fallback Action is Allow (the default for Inform messages), the user is allowed to access the
website or application, and the UserCheck client (if installed) shows the notification.
If the Fallback Action is Block, the gateway tries to show the notification in the application that
caused the notification. If it cannot and the UserCheck client is installed, it shows the notification
through the client. The website or application is blocked, even if the user does not see the
notification.
Redirect to External Portal - Select this to redirect users to an external portal, not on the gateway.
URL - Enter the URL for the external portal. The specified URL can be an external system that
obtains authentication credentials from the user, such as a user name or password. It sends this
information to the gateway.
Add UserCheck Incident ID to the URL query - An incident ID is added to the end of the URL
query.
Conditions - Select actions that must occur before users can access the application. Select one or
more of these options:
User accepted and selected the confirm checkbox - This applies if the UserCheck message
contains a checkbox (Insert User Input > Confirm Checkbox). Users must accept the text shown
and select the checkbox before they can access the application.
User filled some textual input - This applies if the UserCheck message contains a text field (Insert
User Input > Textual Input). Users must enter text in the text field before they can access the
application. For example, you might require that users enter an explanation for use of the
application.
UserCheck Page
On the UserCheck page, you can create, edit, and preview UserCheck interaction objects and their
messages.
Item
Meaning
New
Edit
Delete
Clone
Action Type
Description
Cancel Page
Cancel
Blocked Message
Block
Access Notification
Inform
Shows when the action for the rule is inform. It informs users
what the company policy is for that site.
Company Policy
Ask
Shows when the action for the rule is ask. It informs users what
the company policy is for that site and they must click OK to
continue to the site.
Ask and Inform pages include a Cancel button that users can click to cancel the request.
For Threat Prevention and Application and URL Filtering, you can show these UserCheck message
previews:
For DLP, you can also show these UserCheck message previews:
Agent - Shows a preview of the UserCheck message in the DLP agent window.
A local database that contains commonly used URLs and their related categorization.
A local cache that gives answers to 99% of URL categorization requests. When the cache does not
have an answer, only the host name is sent to the Check Point Online Web Service for categorization.
This maintains user privacy since no user parameters are sent for the categorization procedure.
Upon rule match in the Rule Base, it is necessary to determine if the URL is an application and its related
category. To do this the Security Gateway does these steps:
1. For URL Filtering: Goes to the local cache to see if the data is already there. If the category data is not
in the cache, it checks the local database for the URL category.
For Application Control: Matches locally stored signatures.
2. For Application Control and URL Filtering: If the URL is suspected to be a widget or the category data is
not in the cache, the Security Gateway accesses the Check Point Online Web Service.
Each item has a description, a category, additional categories, and a risk level. You can include applications
and categories in your Application Control and URL Filtering rules. When you have a valid Application
Control and/or URL Filtering contract, the database is updated regularly with new applications, categories
and social networking widgets. This lets you easily create and maintain an up to date Policy.
Access the Application and URL Filtering Database from:
SmartDashboard - From the Application Control Rule Base in SmartDashboard, click the plus sign in
the Application column, and the Application viewer opens. From there you can add applications and
categories directly into the Rule Base.
AppWiki - An easy to use tool to see the Application and URL Filtering Database. Open it from the
AppWiki pane in the Application and URL Filtering tab or from the Check Point website
(http://appwiki.checkpoint.com/appwiki/applications.htm).
Application Categories
In the Application and URL Filtering Database, each application is assigned to one primary category based
on its most defining aspect. See the category in the description of each application and in the logs.
In the Application and URL Filtering Database, each application can have additional categories, which are
characteristics of the application. For example, some of the additional categories of Gmail include: Supports
File Transfer, Sends mail, and Instant Chat. If an additional category is in a rule, the rule matches all
applications that are marked with it.
Note - In the AppWiki, additional categories are called tags.
When you use the AppWiki or add applications to the Rule Base, you can filter by additional category or risk
level to see all applications with that characteristic. This is a good way to get ideas of types of applications
that you might want to block or allow.
If new applications are added to an additional category that is in an Application Control, URL Filtering, or
Threat Prevention rule, the rule is updated automatically when the database is updated.
Definition
Examples
5 - Critical
Tor, VTunnel
4 - High
3 - Medium
2- Low
1- Very Low Usually business related with no or very low risk SalesForce, Google Finance
You can filter a search based on the risk level. For example, select risk level 5 to see all applications with
that risk level. The risk level is also a tag that shows in the details of each application. This helps you to
understand which types of applications to be wary of and which are low risk.
Access the AppWiki from the Application and URL Filtering tab or from the Check Point website
(http://appwiki.checkpoint.com/appwiki/applications.htm).
To change the schedule for updates on the management server and Security Gateways:
1. Before you run the scheduled update, in the Automatic Application Updates section of the Updates
pane, select both:
Update Application and URL Filtering Database on the Security Management Server
Make sure a proxy is configured for each gateway and the Security Management Server, if necessary.
To configure a proxy:
The Advanced > Updates pane shows if the Security Management Server uses a proxy to connect to
the internet or not. Click Configure Proxy to go to the SmartDashboard page to configure the proxy for
the Security Management Server.
In a Multi-Domain Security Management environment, configure a proxy in Policy > Global Properties
> Proxy.
Open Control Panel > System and Security > System > Advanced System Settings.
Open the Advanced tab > Environment variables.
Create a new User Variable.
Set the value to: updates_over_IPv6=1.
Scheduling Updates
To change the update schedule from the default scheduled Application and URL Filtering
Database updates:
1. On the Advanced > Updates pane, under Schedule Updates, click Configure.
The Scheduled Event Properties window opens.
2. In the General page, set the Time of Event.
Select Every and adjust the setting to run the update after an interval of time.
Select At to set days of the week or month and a time of day for updates to occur:
Click Days and the Days page opens. Select the days when the update will occur. If you
select Days of week or Days of month, more options open for you to select.
3. Click OK.
If you have Security Gateways in different time zones, they will not be synchronized when one updates and
the other did not update yet.
My Organization
Shows a summary of which Security Gateways enforce Application Control and URL Filtering. It also
has a link to the Gateways pane.
Shows if a new Application and URL Filtering Database update package is available.
Shows if Security Gateways require renewed licenses or Application Control or URL Filtering contracts.
Detected in My Organization
Shows a graphical summary of the most popular applications in Top Applications, the most popular
categories in Top Categories and the most popular sites in Top Sites.
Start SmartView Tracker button - Link to open the Application Control and URL Filtering logs in
SmartView Tracker.
Start SmartEvent button - Link to open SmartEvent where you can see the traffic statistics and analysis.
Top Users
Shows a graphical summary of the most popular users who use applications the most.
Start SmartView Tracker button - Link to open the Application Control and URL Filtering logs in
SmartView Tracker.
Start SmartEvent button - Link to open SmartEvent where you can see the traffic statistics and analysis.
AppWiki
Shows current statistics of the quantities and types of Applications and Social Networking Widgets
included in the Application and URL Filtering Database.
Click the arrows to browse through the types of Social Networking Widgets.
The Security Gateway connects to the internet to get the most current AppWiki.
Make sure a proxy is configured for each gateway and the Security Management Server, if necessary.
GatewaysPane
The Gateways pane lists the gateways with Application Control and/or URL Filtering enabled. Select a
gateway and click Edit to edit the gateway properties.
For each gateway, you see the gateway name and IP address. You also see these columns:
Identity Awareness - If Identity Awareness is enabled, and if so, a summary of its Identity Awareness
status.
Update Status - If the Application and URL Filtering Database is up to date on the gateway or if an
update is necessary.
In the Application and URL Filtering Database Updates section, you can also see the status of the
Application and URL Filtering Database on the Security Management Server. A message shows if the
Management server is up to date or if a new update is available. Click Updates to go to the Updates pane.
Applications/Sites Pane
The Applications/Sites pane shows custom applications, sites, categories and groups that you defined.
Select an object in the list and click Edit to change its properties. You can use the toolbar buttons to create,
look for, delete and import objects.
You can import a customized application binary file that Check Point creates for applications not in the
Application and URL Filtering Database. This file contains a database of internal applications that are not
necessarily web-based.
For each object in the list, you see the name and type and also:
Primary Category - If the object is an application or website, this column shows the primary category
assigned to it.
Applications/Sites URLs from a file (.csv) - To upload a .csv file with URLs.
4. Click Next.
5. If you selected Applications/Sites URLs:
a) Enter a URL and click Add.
b) If you used a regular expression in the URL, click URLs are defined with regular expressions.
Note - Select the URLs are defined as Regular Expression checkbox only if the application or site
URL is entered as a regular expression using the correct syntax ("Regular Expression Syntax" on
page 76).
c) Click Next and go to step 7.
Application Control and URL Filtering Administration Guide R77 Versions | 32
Creating Categories
You can create a custom category to use in the Rule Base if there is no corresponding category.
Note - If category data in the Application and URL Filtering Database for a URL is
not applicable for your organization, you can override the categorization
("Overriding Categorization" on page 34).
Overriding Categorization
In some cases, the category data in the Application and URL Filtering Database for a URL is not applicable
for your organization. You can use the override categorization option to update the category and risk
definitions of a URL.
This definition overrides the information in the Application and URL Filtering Database and the responses
received from the Check Point Online Web Service. The Rule Base will use the newly specified
categorization when matching rules with URLs.
You can use the toolbar buttons to create, edit, search, and delete a categorization entry.
HTTPS Inspection
You can enable HTTPS traffic inspection on Security Gateways to inspect traffic that is encrypted by the
Secure Sockets Layer (SSL) protocol. SSL secures communication between internet browser clients and
web servers. It supplies data privacy and integrity by encrypting the traffic, based on standard encryption
ciphers.
However, SSL has a potential security gap. It can hide illegal user activity and malicious traffic from the
content inspection of Security Gateways. One example of a threat is when an employee uses HTTPS (SSL
based) to connect from the corporate network to internet web servers. Security Gateways without HTTPS
Inspection are unaware of the content passed through the SSL encrypted tunnel. This makes the company
vulnerable to security attacks and sensitive data leakage.
The SSL protocol is widely implemented in public resources that include: banking, web mail, user forums,
and corporate web resources.
There are two types of HTTPS inspection:
Inbound HTTPS inspection - To protect internal servers from malicious requests originating from the
internet or an external network.
Outbound HTTPS inspection - To protect an organization from malicious traffic being sent by an
internal client to a destination outside of the organization.
The Security Gateway acts as an intermediary between the client computer and the secure web site. The
Security Gateway behaves as the client with the server and as the server with the client using certificates.
All data is kept private in HTTPS Inspection logs. This is controlled by administrator permissions. Only
administrators with HTTPS Inspection permissions can see all the fields in a log. Without these permissions,
some data is hidden.
How it Operates
In outbound HTTPS inspection, when a client in the organization initiates an HTTPS connection to a secure
site, the Security Gateway:
1. Intercepts the request.
2. Establishes a secure connection to the requested web site and validates the site server certificate.
3. Creates a new SSL certificate for the communication between the Security Gateway and the client,
sends the client the new certificate and continues the SSL negotiation with it.
4. Using the two SSL connections:
a) It decrypts the encrypted data from the client.
b) Inspects the clear text content for all blades set in the Policy.
c) Encrypts the data again to keep client privacy as the data travels to the destination web server
resource.
In inbound HTTPS inspection, when a client outside of the organization initiates an HTTPS connection to a
server behind the organization's gateway, the Security Gateway:
1.
2.
3.
4.
If you created a CA certificate, you must deploy it in the Trusted Root Certification Authorities
Certificate Store on the client computers. This lets the client computers trust all certificates signed
by this certificate.
Generate an HTTPS inspection policy by defining relevant rules in the HTTPS inspection Rule Base.
Configure the conditions for dropping traffic from a web site server.
When required, you can update the trusted CA list in the Security Gateway.
Private key password - Enter the password that is used to encrypt the private key of the CA
certificate.
Valid from - Select the date range for which the CA certificate is valid.
5. Click OK.
6. Export and deploy the CA certificate ("Exporting and Deploying the Generated CA" on page 37).
Enter the password the Security Management Server uses to decrypt the CA certificate file and sign the
certificates for users. This password is only used when you import the certificate to a new Security
Management Server.
Important - After you import a certificate from another Security Management Server, make
sure to export the certificate and deploy it ("Exporting and Deploying the Generated CA" on
page 37) on the client machines if it has not already been deployed.
To import a CA certificate:
1. In SmartDashboard, right-click a Security Gateway object, select Edit > HTTPS Inspection > Import
Or
From the HTTPS Inspection > Gateways pane of a supported blade, click the arrow next to Create
Certificate and select Import certificate from file.
The Import Outbound Certificate window opens.
2. Browse to the certificate file.
3. Enter the private key password.
4. Click OK.
Set the Security Gateway for HTTPS Inspection (if it is not already configured). From Security Gateway
> HTTPS Inspection > Step 3 > Select Enable HTTPS Inspection.
Import server certificates for servers behind the organization Security Gateways ("Server Certificates" on
page 38).
Generate an HTTPS inspection policy by defining relevant rules in the HTTPS inspection Rule Base
("The HTTPS Inspection Policy" on page 39).
Make sure to configure the relevant server certificate in the HTTPS inspection Rule Base ("Certificate"
on page 42).
Server Certificates
When a client from outside the organization initiates an HTTPS connection to an internal server, the Security
Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS
connection from the gateway to the internal server. To allow seamless HTTPS inspection, the Security
Gateway must use the original server certificate and private key.
For inbound HTTPS inspection, do these steps:
Add the server certificates to the Security Gateway - This creates a server certificate object ("Adding a
Server Certificate" on page 39).
Add the server certificate object to the Certificate column in the HTTPS Inspection Policy to enforce it in
rules ("Certificate" on page 42).
Add - Import a new server certificate. Enter a name for the server certificate, optional comment and
import the P12 certificate file.
Delete - Delete a previously added server certificate. This option does not delete the server certificate
option. It only removes it from the Server Certificate list.
Search - Enter a key word to search for a server certificate in the list.
Application Control and URL Filtering Administration Guide R77 Versions | 38
Application Control
URL Filtering
IPS
DLP
Threat Prevention
If you enable Identity Awareness on your Security Gateways, you can also use Access Role objects as the
source in a rule. This lets you easily make rules for individuals or different groups of users.
In SmartDashboard, open the Policy page from the specified blade tab:
For Application and URL Filtering, Anti-Bot, Anti-Virus, and IPS - Select Advanced > HTTPS
Inspection > Policy.
For DLP - Select Additional Settings > HTTPS Inspection > Policy.
Predefined Rule
When you enable HTTPS inspection, a predefined rule is added to the HTTPS Rule Base. This rule defines
that all HTTPS and HTTPS proxy traffic from any source to the internet is inspected on all blades enabled in
the Blade column. By default, there are no logs.
Number (No.)
The sequence of rules is important because the first rule that matches is applied.
For example, if the predefined rule inspects all HTTPS traffic from any category and the next rule bypasses
traffic from a specified category, the first rule that inspects the traffic is applied.
Name
Give the rule a descriptive name. The name can include spaces.
Double-click in the Name column of the rule to add or change a name.
Source
The source is where the traffic originates. The default is Any.
Important - A rule that blocks traffic, with the Source and Destination parameters defined as
Any, also blocks traffic to and from the Captive Portal.
Put your mouse in the column and a plus sign shows. Click the plus sign to open the list of network objects
and select one or multiple sources. The source can be an Access Role object, which you can define when
Identity Awareness is enabled.
Destination
Choose the destination for the traffic. The default is the Internet, which includes all traffic with the
destination of DMZ or external. If you delete the destination value, the rule changes to Any, which applies to
traffic going to all destinations
Important - A rule that blocks traffic, with the Source and Destination parameters defined as
Any, also blocks traffic to and from the Captive Portal.
To choose other destinations, put your mouse in the column and a plus sign shows. Click the plus sign to
open the list of network objects and select one or multiple destinations.
Services
By default, HTTPS traffic on port 443 and HTTP and HTTPS proxy on port 8080 is inspected. You can
include more services and ports in the inspection by adding them to the services list.
To select other HTTPS/HTTP services, put your mouse in the column and a plus sign shows. Click the plus
sign to open the list of services and select a service. Other services, such as SSH are not supported.
Site Category
The Site Category column contains the categories for sites and applications that users browse to and you
choose to include. One rule can include multiple categories of different types.
Important
A valid URL Filtering blade contract and license are necessary on the relevant Security
Gateways to use the Site Category column.
You can also include custom applications, sites, and hosts. You can select a custom defined application or
site object ("Creating Applications or Sites" on page 32) with the Custom button or create a new host or site
with the New button at the bottom of the page.
Application Control and URL Filtering Administration Guide R77 Versions | 40
Note - You can only use custom objects that specify the domain name or host part of a URL.
URLs that contain paths are not supported. For example, you can use an object defined as
ww.gmail.com but not www.gmail.com/myaccount.
To filter the Available list by categories or custom-defined sites, click the specified button in the toolbar
of the viewer. The Available list opens in the left column and then you can add items to the rule.
To add a category object to the rule, click the checkbox in the Available list.
To see the details of category without adding it to the rule, click the name of the item in the Available list.
You can only select a category to add to the rule from the Available list.
If you know the name of a category, you can search for it. The results will show in the Available list.
You can add a new host site with the New button.
Action
The action is what is done to the traffic. Click in the column to see the options and select one to add to the
rule.
Inspect - The traffic is inspected on the blades set in the Blades column.
Bypass - The traffic of source and destination traffic in rules that include the bypass action are not
decrypted and inspected. You can bypass HTTPS inspection for all Check Point objects. This is
recommended for Anti-Bot, Anti-Virus, URL Filtering, and IPS updates. Other HTTPS protections that
already operate on traffic will continue to work even when the HTTPS traffic is not decrypted for
inspection.
Track
Choose if the traffic is logged in SmartView Tracker or if it triggers other notifications. Click in the column
and the options open. The options include:
Log - Records the event details in SmartView Tracker. This option is useful for obtaining general
information on your network traffic. There is one or more log for each session depending on the
suppression option.
Alert - Logs the event and executes a command, such as display a popup window, send an email alert
or an SNMP trap alert, or run a user-defined script as defined in Policy > Global Properties > Log and
Alert > Alert Commands
Application Control and URL Filtering Administration Guide R77 Versions | 41
Mail - Sends an email to the administrator, or runs the mail alert script defined in Policy > Global
Properties > Log and Alert > Alert Commands
SNMP Trap - Sends a SNMP alert to the SNMP GUI, or runs the script defined in Policy > Global
Properties > Log and Alert > Alert Commands
User Defined Alert - Sends one of three possible customized alerts. The alerts are defined by the
scripts specified in Policy > Global Properties > Log and Alert > Alert Commands
Blade
Choose the blades that will inspect the traffic. Click in the column and the options open. The options include:
Application Control
IPS
URL Filtering
Anti-Virus
Anti-Bot
Important - The blade options you see are based on the blade contracts and licenses in your
organization.
Install On
Choose which Security Gateways the rule will be installed on. The default is All, which means all Security
Gateways that have HTTPS inspection enabled. Put your mouse in the column and a plus sign shows. Click
the plus sign to open the list of available Security Gateways and select.
Certificate
Choose the certificate that is applicable to the rule. The Security Gateway uses the selected certificate for
communication between the Security Gateway and the client.
For outbound HTTPS inspection - choose the Outbound Certificate object (default) that reflects the
CA certificate you created/imported and deployed on the client machines in your organization.
For inbound HTTP inspection - choose the server certificate applicable to the rule. Put your mouse in
the column and a plus sign shows. Click the plus sign to open the list of available server certificates and
select one. When there is a match to a rule, the Security Gateway uses the selected server certificate to
communicate with the source client. You can create server certificates from HTTPS Inspection >
Server Certificates > Add.
Gateways Pane
The Gateways pane lists the gateways with HTTPS Inspection enabled. Select a gateway and click Edit to
edit the gateway properties. You can also search, add and remove Security Gateways from here.
For each gateway, you see the gateway name, IP address and comments.
In the CA Certificate section, you can renew the certificate validity date range if necessary and export it for
distribution to the organization client machines.
If the Security Management Server managing the selected Security Gateway does not have a generated CA
certificate installed on it, you can add it with Import certificate from file. There are two options:
You can import a CA certificate from another Security Management Server. Before you can import it,
you must first export ("Exporting a Certificate from the Security Management Server" on page 37) it from
the Security Management Server on which it was created.
3.
4.
5.
6.
Saving a CA Certificate
You can save a selected certificate in the trusted CAs list to the local file system.
To export a CA certificate:
1. In SmartDashboard, open HTTPS Inspection > Trusted CAs.
2. Click Actions > Export to file.
3. Browse to a location, enter a file name and click Save.
A CER file is created.
HTTPS Validation
Server Validation
When a Security Gateway receives an untrusted certificate from a web site server, the settings in this
section define when to drop the connection.
Untrusted server certificate
When selected, traffic from a site with an untrusted server certificate is immediately dropped. The user gets
an error page that states that the browser cannot display the webpage.
When cleared, a self-signed certificate shows on the client machine when there is traffic from an untrusted
server. The user is notified that there is a problem with the website's security certificate, but lets the user
continue to the website (default).
Revoked server certificate (validate CRL)
When selected, the Security Gateway validates that each server site certificate is not in the Certificate
Revocation List (CRL) (default).
If the CRL cannot be reached, the certificate is considered trusted (this is the default configuration). An
HTTPS Inspection log is issued that indicates that the CRL could not be reached. This setting can be
changed with GuiDBedit. Select Other > SSL Inspection > general_confs_obj and change the attribute
drop_if_crl_cannot_be_reached from false to true.
To validate the CRL, the Security Gateway must have access to the internet. For example, if a proxy server
is used in the organizational environment, you must configure the proxy for the Security Gateway.
When cleared, the Security Gateway does not check for revocations of server site certificates.
Important - Make sure that there is a rule in the Rule Base that allows outgoing HTTP
from the Security Gateway.
Expired server certificate
When selected, the Security Gateway drops the connection if the server certificate has expired.
When cleared, the Security Gateway creates a certificate with the expired date. The user can continue
to the website (default).
Alert - Logs the event and executes a command, such as shows a popup window, send an email alert
or an SNMP trap alert, or run a user-defined script as defined in Policy > Global Properties > Log and
Alert > Alert Commands
Mail - Sends an email to the administrator, or runs the mail alert script defined in Policy > Global
Properties > Log and Alert > Alert Commands
SNMP Trap - Sends an SNMP alert to the SNMP GUI, or runs the script defined in Policy > Global
Properties > Log and Alert > Alert Commands
User Defined Alert - Sends one of three possible customized alerts. The alerts are defined by the
scripts specified in Policy > Global Properties > Log and Alert > Alert Commands
When selected, intermediate CA certificates issued by trusted root CA certificates that are not part of the
certificate chain are automatically retrieved using the information on the certificate (default).
When cleared, a web server certificate signed by an intermediate CA and not sent as part of the
certificate chain, is considered untrusted.
Certificate Blacklisting
You can create a list of certificates that are blocked. Traffic from servers using the certificates in the blacklist
will be dropped. If a certificate in the blacklist is also in the Trusted CAs list, the blacklist setting overrides
the Trusted CAs list.
Add - Lets you add a certificate. Enter the certificate serial number (in hexadecimal format HH:HH) and
a comment that describes the certificate.
Choose if the dropped traffic is logged in SmartView Tracker or if it triggers other notifications. The options
include:
Alert - Logs the event and executes a command, such as shows a popup window, send an email alert
or an SNMP trap alert, or run a user-defined script as defined in Policy > Global Properties > Log and
Alert > Alert Commands
Mail - Sends an email to the administrator, or runs the mail alert script defined in Policy > Global
Properties > Log and Alert > Alert Commands
SNMP Trap - Sends an SNMP alert to the SNMP GUI, or runs the script defined in Policy > Global
Properties > Log and Alert > Alert Commands
User Defined Alert - Sends one of three possible customized alerts. The alerts are defined by the
scripts specified in Policy > Global Properties > Log and Alert > Alert Commands
Troubleshooting
Secure connections between a client and server with no traffic create logs in SmartView Tracker labeled as
"Client has not installed CA certificate". This can happen when an application or client browser fails to
validate the server certificate. Possible reasons include:
The generated CA was not deployed on clients ("Exporting and Deploying the Generated CA" on page
37).
The DN in the certificate does not match the actual URL (for example, when you browse to
https://www.gmail.com, the DN in the certificate states mail.google.com).
Applications (such as Firefox and anti-viruses) that use an internal trusted CA list (other than Windows).
Adding the CA certificate to the Windows repository does not solve the problem.
When selected, logs are recorded for secure connections between a client and server with no traffic in
SmartView Tracker (default). Logs are recorded only when a server certificate is trusted by the Security
Gateway. If the server certificate is untrusted, a self-signed certificate is created and always results in a
log labeled as "Client has not installed CA certificate".
When cleared, logs are not recorded for secure connections without traffic that can be caused by not
installing the CA certificate on clients or one of the above mentioned reasons.
HTTP/HTTPS Proxy
You can configure a gateway to be an HTTP/HTTPS proxy. When it is a proxy, the gateway becomes an
intermediary between two hosts that communicate with each other. It does not allow a direct connection
between the two hosts.
Each successful connection creates two different connections:
One connection between the client in the organization and the proxy.
Proxy Modes
Two proxy modes are supported:
Transparent - All HTTP traffic on specified ports and interfaces is intercepted and sent to a proxy. No
configuration is required on the clients.
Non Transparent - All HTTP/HTTPS traffic on specified ports and interfaces directed to the gateway is
sent to a proxy. Configuration of the proxy address and port is required on client machines.
Access Control
You can configure one of these options for forwarding HTTP requests:
All Internal Interfaces - HTTP/HTTPS traffic from all internal interfaces is forwarded by proxy.
Specific Interfaces - HTTP/HTTPS traffic from interfaces specified in the list is forwarded by proxy.
Ports
By default, traffic is forwarded only on port 8080. You can add or edit ports as required.
Advanced
By default, the HTTP header contains the Via proxy related header. You can remove this header with the
Advanced option.
Application Control and URL Filtering Administration Guide R77 Versions | 46
You can also use the Advanced option to configure the X-Forward-For header that contains the IP address
of the client machine. It is not added by default because it reveals the internal client IP.
Logging
The Security Gateway opens two connections, but only the Firewall blade can log both connections. Other
blades show only the connection between the client and the gateway. The Destination field of the log only
shows the gateway and not the actual destination server. The Resource field shows the actual destination.
Specific Interfaces - Click the plus sign to add specified interfaces or the minus sign to remove an
interface.
5. To enter more ports on which to forward traffic, select Add.
6. To include the actual source IP address in the HTTP header, select Advanced > X-Forward-For
header (original client source IP address).
The X-Forward-For header must be configured if traffic will be forwarded to Identity Awareness Security
Gateways that require this information for user identification.
7. Click OK.
SecurePlatform WebUI
Gaia WebUI
DLP portal
UserCheck portal
All of these portals can resolve HTTPS hosts to IPv4 and IPv6 addresses over port 443.
These portals (and HTTPS inspection) support the latest versions of the TLS protocol. In addition to SSLv3
and TLS 1.0 (RFC 2246), the Security Gateway supports:
Support for TLS 1.1 and TLS 1.2 is enabled by default but can be disabled in SmartDashboard (for webbased portals) or GuiDBedit (for HTTPS Inspection).
Application Control
URL Filtering
IPS
DLP
Anti-Virus
Anti-Bot
All - Shows all HTTPS traffic that matched the HTTPS Inspection policy and was configured to be
logged.
Action values include rejected or detected. The actions are determined by the SSL validation
settings ("HTTPS Validation" on page 44) for HTTPS Inspection.
Blade Queries
When applying HTTPS Inspection to a specified blade:
There is an HTTPS Inspection predefined query for each of the blades that can operate with HTTPS
Inspection. The query shows all traffic of the specified blade that passed through HTTPS inspection.
The log in the blade queries includes an HTTP Inspection field. The field value can be inspect or
bypass. If the traffic did not go through HTTPS inspection, the field does not show in the log.
Application Control
URL Filtering
IPS
DLP
Anti-Virus
Blade queries
Go to Events > Predefined > HTTPS Inspection > HTTPS Validation to shows the SSL validation
events that occurred.
The Details and Summary tabs in the event record show if the traffic was detected or rejected due to
SSL Validation settings.
Blade Queries
There is an HTTPS Inspection predefined query for each of the blades that can operate with HTTPS
Inspection. The query shows all traffic of the specified blade that passed through HTTPS inspection.
The Summary tab in the event record in the blade queries includes an HTTPS Inspection field. The
field value can be inspect or bypass. If the traffic did not go through HTTPS inspection, the field does not
show in the event record.
Engine Settings
On the Advanced > Engine Settings pane, configure settings related to engine inspection, the Check Point
Online Web Service, Application Control and URL Filtering sessions, and compatibility with gateways from
lower versions (Web Browsing application and session unification).
Fail Mode
Select the behavior of the Application Control and URL Filtering engine, if it is overloaded or fails during
inspection. For example, if the application inspection is terminated in the middle for any reason. By default,
in such a situation all application and site traffic is blocked.
Allow all requests (Fail-open) - All traffic is allowed in a situation of engine overload or failure.
Block all requests (Fail-close) - All traffic is blocked in a situation of engine overload or failure
(default).
When selected, requests are blocked when there is no connectivity to the Check Point Online Web
Service.
Website categorization mode - You can select the mode that is used for website categorization:
Background - requests are allowed until categorization is complete - When a request cannot be
categorized with a cached response, an uncategorized response is received. Access to the site is
allowed. In the background, the Check Point Online Web Service continues the categorization
procedure. The response is then cached locally for future requests (default). This option reduces
latency in the categorization procedure.
Hold - requests are blocked until categorization is complete - When a request cannot be
categorized with the cached responses, it remains blocked until the Check Point Online Web
Service completes categorization.
Custom - configure different settings depending on the service - Lets you set different modes
for URL Filtering and Social Networking Widgets. For example, click Customize to set URL Filtering
to Background mode and Social Networking Widgets to Hold mode.
When selected, the Security Gateway connects to the Check Point Online Web Service to identify
social networking widgets that it does not recognize (default).
When cleared or there is no connectivity between the Security Gateway and the Check Point Online
Web, the unknown widget is treated as Web Browsing traffic.
Application Control and URL Filtering Administration Guide R77 Versions | 50
URL Filtering
You can enable these URL Filtering features:
Trusted
The Domain Name is extracted from the certificate and used to categorize the site
Not Trusted
The site is categorized according to IP address
Before extracting the Domain Name from the server certificate, the certificate is validated by checking it
against the:
Trusted CAs page to make sure the certificate is not stolen or revoked.
If your company issues certificates, you must add the company Certificate Authority to the list of Trusted
CAs.
HTTPS Validation page. If the certificate is blacklisted, for example, it is not trusted and the site
categorized according to its IP address.
Important
The Categorize HTTPS sites option does not run if HTTPS Inspection is enabled.
If there is a proxy between the destination site and the Firewall (or the Firewall
functions as a proxy), the site URL is extracted from the SSL CONNECT request the
client sends to the Proxy.
Fine tuning
Categorizing HTTPS sites according to DN can be fine-tuned by editing these properties in GuiDBedit:
urlf_ssl_cn_enc_http_services_only
Value
Meaning
False
True
The Security Gateway listens for SSL signatures only on those ports specified by
the enc_http services property.
New enc_http services can be added to any port by creating a new service in
SmartDashboard.
urlf_ssl_cn_max_server_hello_size
The maximum size of the certificate in bytes.
urlf_ssl_cn_wstlsd_ttl
The maximum amount of time to wait while the DN is being extracted from a certificate. After the default
value expires, the IP address is used to categorize the site. The default value (10 seconds) is a Check
Point internal attribute. We do not recommend that you change it.
Connection Unification
Application and URL traffic generate a large quantity of logs. To make the quantity of logs manageable, you
can consolidate logs by session. A session is a period that starts when the user first accesses an application
or site. During a session, the Security Gateway records one log for each application or site that a user
browses to. All actions that the user does in the session are included in the log.
There are 3 tracking options you can use:
Log - Records the event details in SmartView Tracker. This option is useful to get general
information on your network traffic. It consolidates logs by session (there is one log for each
session). It shows the initial URL browsed and the number of suppressed logs it includes.
Extended Log - Consolidates logs by session, shows the number of suppressed logs and includes
data for each URL request in the session time frame. Each of the URLs has an entry in the URLs
tab of the log in SmartView Tracker. Using this option can have an effect on performance.
Complete Log - Records logs for each URL request made regardless of session. Each URL request
has its own log. This option also generates an event in SmartEvent for each URL browsed and is
intended only for troubleshooting purposes. Note that this option generates many logs.
For applications and sites that are allowed in the Rule Base, the default session is three hours (180
minutes). To change this, click Session Timeout and enter a different value, in minutes.
For applications and sites that are blocked in the Rule Base, a session is 30 seconds. You cannot
change this in SmartDashboard.
Web Browsing
Enable Web Browsing logging and policy enforcement - The Web Browsing application includes all
HTTP traffic that is not a defined application. Web Browsing is enabled by default. If you disable it:
Instances of the Web Browsing in the Application and URL Filtering Control Rule Base are not enforced.
For example, if you have a rule that blocks Web Browsing, this traffic will not be blocked if Web
Browsing is turned off.
Session Unification - Unify connections from the same user/IP to a specific domain into a single
session/log
When selected, all application or site traffic during a session is combined into one log (default).
When cleared (default), all Web Browsing connections from a user or IP address during a session
are combined into one log.
When selected, the Web Browsing application generates one log for each domain that a user or IP
address browses to for each session.
Application Control and URL Filtering Administration Guide R77 Versions | 52
Use Identity Awareness Access Roles in Application and URL Filtering rules as the source of the rule.
You can use all the types of identity sources to acquire identities of users who try to access applications.
In SmartView Tracker logs and SmartEvent events, you can see which user and IP address accesses which
applications. For more details, see the R77 Identity Awareness Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=24805).
If it matches an access role, the rule is enforced and traffic is allowed or blocked based on the
specified action.
If it does not match an access role, it goes on to examine the next rule.
All rule fields match besides the source field with an access role.
When the criteria do not match any of the rules in the Rule Base, the traffic is allowed.
No.
Source
Destination
Service
Applications/Sites
Action
Finance_Dept
(Access Role)
Internet
Any
Salesforce
Allow
(display Captive
Portal)
Any_identified_user
(Access Role)
Internet
Any
Allow
Any_identified_user
(Access Role)
Internet
Any
Any recognized
Block
To enable Legacy URL Filtering on Security Gateway versions earlier than R75.20:
1. On the Firewall tab, double-click the required Security Gateway network object.
2. Select Other > More Settings > Enable Legacy URL Filtering.
3. Click OK.
Terminology
The following terms are used in URL Filtering applications:
Allow List: A list of allowed URL addresses, for example, a URL in the Allow List is allowed even if it is
associated with a category that is blocked.
Block List: A list of blocked URL addresses, for example, a URL in the Block List is blocked even if it is
associated with a category that is not blocked.
Blocking Notifications: Contains the message that appears when a URL address is blocked and the
URL to which a blocked URL address is redirected.
Category: Contains a group of topics sharing a common attribute (for example, crime, education and
games.
Network Exceptions: Contains a list of connections for which URL Filtering should not be enforced.
Web Filter: Enables you to allow or block URLs based on network connections and/or an external
categorized database and local exception lists.
Architecture
When a URL request arrives at a local machine, the machine checks the Network Exceptions List to
determine whether to enforce the URL Filtering policy. The URL Filtering policy is activated if the connection
is accepted by the Security Policy. If the URL Filtering policy is enforced, the URL header is stripped and the
address is sent to the Web Filter engine.
The URL is allowed or blocked based on URL request information in the predefined database and/or the
Web Filter Allow/Block Lists. For example, if the URL address matches two or more categories, and one of
them is blocked, the URL address is denied, however, if the same address appears in the Allow List it is
accepted.
The Web Filter engine is installed on the Security Gateway and the categories are updated by selecting:
SmartDashboard > Anti-Virus & URL Filtering > URL Filtering > URL Filtering Policy.
Important - During installation of the Web Filter engine, no default database is installed;
therefore, the Web Filtering policy is not enforced until a signature update is performed.
The first update may take a long time, depending on your environment. Subsequent updates
should take significantly less time, as only incremental information is downloaded.
On: URL Filtering is active and URLs associated with blocked categories are blocked. To
activate URL Filtering, you must configure automatic updates of the URL Filtering database.
To configure automatic updates, click the Automatic updates link. URL Filtering will not
work if automatic updates have not been configured.
Monitor: URLs associated with blocked categories are logged and not blocked.
Off: URL Filtering is off and does not inspect URL addresses.
b) In the Enforcing Gateways window, select the Security Gateways for which you want to activate
URL Filtering. This window contains all of the Security Gateways for which URL Filtering can and
has been enforced.
A green icon indicates that URLs associated with this category are allowed.
A red icon indicates that URLs associated with this category are blocked.
d) In the Tracking section, select how to track a detected URL address. All options other than None
generate a log record in SmartView Tracker.
4. Select Advanced > Allow URLs/IPs to add a URL or IP address to be allowed even if it is associated
with a blocked category.
5. Select Advanced > Block URLs/IPs to add a URL or IP address to be blocked even if it is associated
with an allowed category.
6. Select Advanced > Network Exceptions to create a list of the networks connections through which
traffic should not be inspected or in order to enforce URL Filtering on all Web traffic. Network
Exceptions works according to a source and destination Rule Base and does not use the URL Filtering
engine.
7. Select Advanced > Blocking Notifications to notify the user when the URL request is blocked. Choose
one of the options:
Enter the message to be displayed when a URL address is blocked according to the URL Filtering
Policy.
Chapter 4
Application Control and URL Filtering
in SmartView Tracker
In This Section:
Log Sessions........................................................................................................... 57
Application Control and URL Filtering Logs ............................................................ 57
Viewing Logs ........................................................................................................... 58
Log Sessions
Application traffic generates a very large amount of activity. To make sure that the amount of logs is
manageable, by default, logs are consolidated by session. A session is a period that starts when a user first
accesses an application or site. During a session, the Security Gateway records one log for each application
or site that a user accesses. All activity that the user does within the session is included in the log.
To see the number of connections made during a session, see the Suppressed Logs field of the log in
SmartView Tracker.
In SmartEvent the number of connections during the session is in the Total Connections field of the Event
Details.
Session duration for all applications or sites, including Web Browsing:
For applications or sites that are allowed in the Rule Base, the default session is three hours. You can
change this in SmartDashboard from the Application and URL Filtering tab > Advanced > Engine
Settings > Session Timeout.
For applications or sites that are blocked in the Rule Base, a session is 30 seconds.
Each Application Control and URL Filtering rule in the Rule Base - sets logs for the traffic. These can be
regular logs, extended logs or complete logs:
Log - Records the event details in SmartView Tracker. This option is useful to get general
information on your network traffic. It consolidates logs by session (there is one log for each
session). It shows the initial URL browsed and the number of suppressed logs it includes.
Extended Log - Consolidates logs by session, shows the number of suppressed logs and includes
data for each URL request in the session time frame. Each of the URLs has an entry in the URLs
tab of the log in SmartView Tracker. Using this option can have an effect on performance.
Complete Log - Records logs for each URL request made regardless of session. Each URL request
has its own log. This option also generates an event in SmartEvent for each URL browsed and is
intended only for troubleshooting purposes. Note that this option generates many logs.
Note - For versions earlier than R75.20, the logging option that you select for
Session Unification on the Advanced > Engine Settings > Settings page - sets
logging options for the Web Browsing application.
Logs related to Application and URL Filtering Database updates on the Security Gateway are in Application
Control > System Logs.
Logs related to Application and URL Filtering Database updates on the management are in the
Management tab.
Viewing Logs
To open SmartView Tracker do one of these:
From the Application and URL Filtering Overview pane > Detected in My Organization, click
SmartView Tracker.
From the SmartDashboard toolbar of any SmartConsole application, select Window > SmartView
Tracker or press Control +Shift +T.
Predefined Queries
There are multiple predefined queries in Predefined > Network Security Blades > Application and URL
Filtering. You can filter the queries to focus on logs of interest.
All - Shows all Application Control and URL Filtering traffic, including allowed and blocked.
More > Bandwidth Consuming - Shows logs from traffic that has the High Bandwidth tag.
More > HTTPS Inspection - Shows all Application Control and URL Filtering traffic that passed through
HTTPS inspection.
More > System - Shows logs related to Application and URL Filtering Database updates and other
system related issues. This includes logs related to problems that the application detection service might
encounter.
Chapter 5
Application Control and URL Filtering
in SmartEvent
In This Section:
Event Analysis in SmartEvent or SmartEvent Intro ................................................ 60
Browse Time ........................................................................................................... 60
Viewing Information in SmartEvent ......................................................................... 61
Real-time and historical graphs and reports of application and site traffic.
SmartEvent shows information for all Software Blades in the environment. SmartEvent Intro shows
information for one SmartEvent Intro mode. If you select Application and URL Filtering as the SmartEvent
Intro Mode, it shows the Application Control and URL Filtering information.
To use SmartEvent or SmartEvent Intro, you must enable it on the Security Management Server or on a
dedicated machine. See the R77 SmartEvent Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=24812).
Browse Time
The Browse Time feature keeps track of the total time that users are connected to different sites and
applications. R76 and later Security Gateways calculate the cumulative connection time for each session
and periodically updates this value until the session is closed.
Total browse time is calculated for each site from the first HTTP request to the last HTTP response. Idle
time of more than two minutes is not included in the browse time.
The minimum calculated time is two minutes. Any connection of less than two minutes is rounded up to
two minutes. However, browse time for each user does not include time spent at more than one site
simultaneously. For example, if a user connects to google.com and facebook.com at the same time, only
one site is included in the browse time calculation.
From the Application and URL Filtering Overview pane > Detected in My Organization, click More
graphs.
From the SmartDashboard toolbar of any SmartConsole application, select Window > SmartEvent or
press Control +Shift +A.
When SmartEvent opens, go to Events > Predefined > Application and URL Filtering to use the
predefined queries for Application Control and URL Filtering. Events are grouped by the number of
megabytes used.
All - Shows all Application Control and URL Filtering events, includes allowed and blocked events.
More > Applications - Shows all Application Control events, includes allowed and blocked events.
More > Sites - Shows all URL Filtering events, includes allowed and blocked events.
More > By User - Shows events according to the name of the user.
More > By Rule Name - Shows events by the name of the Application Control or URL Filtering rule that
applies to them.
More > Social Networking - Shows events with Application Control social networking categories. By
default, these include: Facebook widgets, LinkedIn widgets, MySpace widgets, Ning.com widgets, Orkut
widgets, and Social Networking.
More > HTTPS Inspection - Shows Application Control and URL Filtering events that passed through
HTTPS inspection.
Chapter 6
Configuring UserCheck
In This Section:
Configuring the Security Gateway for UserCheck .................................................. 62
UserCheck CLI ........................................................................................................ 63
Revoking Incidents .................................................................................................. 64
If users connect to the Security Gateway remotely, make sure that the Security Gateway internal interface
(in the Topology page) is the same as the Main URL for the UserCheck portal.
If you are using internal encrypted traffic, add a new rule to the Firewall Rule Base. This is a sample rule:
Source
Destination
VPN
Service
Action
Any
Security Gateway on which UserCheck client is enabled Any Traffic UserCheck Accept
Note - When you enable UserCheck on an IP appliance, make sure to set the Voyager
management application port to a port other than 443 or 80.
The Main URL field contains an IP address and not a DNS name.
You change a gateway's IPv4 address to IPv6 or vice versa.
Configuring UserCheck
5. In the Certificate area, click Import to import a certificate that the portal uses to authenticate to the
server.
By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This
might generate warnings if the user browser does not recognize Check Point as a trusted Certificate
Authority. To prevent these warnings, import your own certificate from a recognized external authority.
6. In the Accessibility area, click Edit to configure interfaces on the Security Gateway through which the
portal can be accessed. These options are based on the topology configured for the Security Gateway.
Users are sent to the UserCheck portal if they connect:
According to the Firewall Policy. Select this option if there is a rule that states who can access the
portal.
7. Click OK.
8. Install the Policy.
UserCheck CLI
You can use the usrchk command in the gateway command line to show or clear the history of UserCheck
objects.
Description
Syntax
Parameters
usrchk
usrchk [debug] [hits]
Parameter
debug
hits
Description
Controls debug messages
Shows user incident options:
list - Options to list user incidents
Configuring UserCheck
Examples:
To show all UserCheck interaction objects, run: usrchk hits list all
To clear the incidents for a specified user, run: usrchk hits clear user <username>
Notes:
You can only run a command that contains user <username> if:
To run a command that contains a specified UserCheck interaction object, first run usrchk hits
list all to see the names of the interaction objects. Use the name of the interaction object as it is
shown in the list.
Revoking Incidents
The Revoke Incidents URL can revoke a user's responses to UserCheck notifications. The URL is:
://<IP of gateway>/UserCheck/RevokePage
If users regret their responses to a notification and contact their administrator, the administrator can send
users the URL.
After a user goes to the URL, all of the user's responses to notifications are revoked. The logs in SmartView
Tracker will show the user's activity, and that the actions were revoked afterwards.
Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a
specified interaction object ("UserCheck CLI" on page 63).
Chapter 7
UserCheck Client
In This Section:
UserCheck Client Overview .................................................................................... 65
UserCheck Requirements ....................................................................................... 65
Enabling UserCheck Client ..................................................................................... 65
Client and Gateway Communication ...................................................................... 66
Getting the MSI File ................................................................................................ 71
Distributing and Connecting Clients ........................................................................ 72
Helping Users.......................................................................................................... 73
The UserCheck engine determines that the notification will not be shown correctly in the browser and
the Fallback Action for the UserCheck object is Allow.
Configure how the clients communicate with the gateway and create trust with it.
Enable UserCheck and the UserCheck client on the gateway.
Download the UserCheck client MSI file.
Install the UserCheck client on the endpoint computers.
Make sure that the UserCheck clients can connect to the gateway and receive notifications.
UserCheck Requirements
See UserCheck Client Requirements in the R77 Release Notes
(http://supportcontent.checkpoint.com/documentation_download?ID=24827).
UserCheck Client
File name based server configuration If no other method is configured (default, out-of-the-box
situation), all UserCheck clients downloaded from the portal are renamed to have the portal machine IP
address in the filename. During installation, the client uses this IP address to connect to the gateway.
Note that the user has to click Trust to manually trust the server.
AD based configuration If client computers are members of an Active Directory domain, you can
deploy the server addresses and trust data using a dedicated tool.
DNS SRV record based server discovery Configure the server addresses in the DNS server. Note
that the user has to click Trust to manually trust the server.
Remote registry All of the client configuration, including the server addresses and trust data reside in
the registry. You can deploy the values before installing the client (by GPO, or any other system that lets
you control the registry remotely). This lets you use the configuration when the client is first installed.
Option Comparison
Requires
AD
Manual
User Trust
(one time)
Required?
MultiSite
Client
Still works Level
Remains after
Signed? Gateway
Changes
Recommended for...
File
name
based
No
Yes
No
Yes
No
Very
Simple
AD
based
Yes
No
Yes
Yes
Yes
Simple
Deployments with AD
that you can modify
UserCheck Client
DNS
based
Requires
AD
Manual
User Trust
(one time)
Required?
MultiSite
No
Yes
Partially Yes
(per DNS
server)
Yes
Yes
Yes
Remote No
registry
No
Client
Still works Level
Remains after
Signed? Gateway
Changes
Yes
Simple
Recommended for...
Deployments without AD
With an AD you cannot
change, and a DNS that
you can change
Moderate
Users must manually make sure that the trust data is valid because the file name can easily be changed.
UserCheck Client
Welcome - Describes the tool and lets you enter different credentials that are used to access the AD.
Server configuration Configure which Security Gateway the client connects to, based on its location.
Trusted gateways View and change the list of fingerprints that the Security Gateways consider
secure.
3.
4.
5.
6.
UserCheck Client
When the tool matches a rule, it uses the servers shown in the rule, according to the priority specified.
Trusted Gateways
The Trusted Gateways window shows the list of servers that are trusted - no messages open when users
connect to them.
You can add, edit or delete a server. If you have connectivity to the server, you can get the name and
fingerprint. Enter its IP address and click Fetch Fingerprint in the Server Trust Configuration window. If
you do not have connectivity to the server, enter the same name and fingerprint that is shown when you
connect to that server.
UserCheck Client
Note - If you configure AD based and DNS based configuration, the results are
combined according to the specified priority (from the lowest to highest).
UserCheck Client
Remote Registry
If you have a way to deploy registry entries to your client computers, for example, Active Directory or GPO
updates, you can deploy the Security Gateway addresses and trust parameters before you install the clients.
Clients can then use the deployed settings immediately after installation.
UserCheck Client
If DLP and Application and URL Filtering are enabled on the Security Gateway, you can get the MSI file
from the Data Loss Prevention page or the UserCheck page.
Important - Before you can download the client msi file, the UserCheck portal must be up. The
portal is up only after a Policy installation.
We recommend that you let the users know this will happen.
We recommend that you use a server certificate that is trusted by the certificate authority installed on users'
computers. Then users do not see a message that says: Issued by unknown certificate authority.
If UserCheck for DLP is enabled on the gateway, users are required to enter their username and password
after the client installs.
Example of message to users about the UserCheck client installation (for DLP:
Dear Users,
Our company has implemented a Data Loss Prevention automation to protect our
confidential data from unintentional leakage. Soon you will be asked to
verify the connection between a small client that we will install on your
computer and the computer that will send you notifications.
This client will pop up notifications if you try to send a message that
contains protected data. It might let you to send the data anyway, if you are
sure that it does not violate our data-security guidelines.
When the client is installed, you will see a window that asks if you trust
the DLP server. Check that the server is SERVER NAME and then click Trust.
In the next window, enter your username and password, and then click OK.
UserCheck Client
Note - If the UserCheck client is not connected to the gateway, the behavior is as if
the client was never installed. Email notifications are sent for SMTP incidents and
the Portal is used for HTTP incidents.
SmartDashboard Configuration
1. Open SmartDashboard.
2. Click Users and Administrators in the bottom part of the navigation tree and select an existing user or
create a new user.
3. In the General Properties page of the user, make sure that an email address is defined.
4. In the Authentication Properties page of the user, set Authentication Scheme to Check Point
Password and enter the password and password confirmation.
5. Click OK.
Helping Users
If users require assistance to troubleshoot issues with the UserCheck client, you can ask them to send you
the logs.
Chapter 8
Setting up a Mirror Port
In This Section:
Technical Requirements ......................................................................................... 74
Configuring a Mirror Port ......................................................................................... 74
You can configure a mirror port on a Check Point gateway to monitor and analyze network traffic with no
effect on your production environment. The mirror port duplicates the network traffic and records the activity
in logs.
You can use mirror ports:
As a permanent part of your deployment, to monitor the use of applications in your organization.
As an evaluation tool to see the capabilities of the Application Control and IPS blades before you decide
to purchase them.
The mirror port does not enforce a Policy and therefore you can only use it to see the monitoring and
detecting capabilities of the blades.
Benefits of a mirror port include:
Technical Requirements
You can configure a mirror port on gateways with:
HTTPS inspection
Clusters
Legacy User Authority features - you cannot have Authentication (Client, Session, or User) in the Action
column of the Firewall Rule Base.
Open SmartView Tracker. You should see traffic of the blade you enabled.
Appendix A
Regular Expressions
In This Appendix
Regular Expression Syntax ..................................................................................... 76
Using Non-Printable Characters ............................................................................. 77
Using Character Types ........................................................................................... 77
Name
Description
Backslash
escape metacharacters
non-printable characters
character types
[]
Square Brackets
()
Parenthesis
{min[,max]}
Curly Brackets
min/max quantifier
{n} - exactly n occurrences
{n,m} - from n to m occurrences
{n,} - at least n occurrences
Dot
Question Mark
Asterisk
Plus Sign
Vertical Bar
alternative
Circumflex
Dollar
hyphen
When using regular expressions, the asterisk is a metacharacter that means zero or more instances of
the preceding character.
When not using regular expressions, the asterisk is a wildcard, for any character, zero or more number
of instances.
For example, to block any domain that ends with "example.com" (such as www.example.com)
For a regular expression enter: .*\.example\.com
For a wildcard enter: *.example.com
Application Control and URL Filtering Administration Guide R77 Versions | 76
Regular Expressions
Description
\a
\cx
\e
\f
\n
\r
\t
\ddd
\xhh
Description
\d
\D
\s
\S
\w
\W
Index
A
Action 20, 41
Active Directory Based Configuration 68
Adding a New Host Site 41
Adding a Server Certificate 39
Adding Trusted CAs for Outbound HTTPS
Inspection 43
Advanced Settings for Application and URL
Filtering 34
Analyzing the Rule Base (Hit Count) 22
Application 7
Application and URL Filtering and Identity
Awareness 53
Application Categories 28
Application Control 7
Application Control and URL Filtering in
SmartEvent 60
Application Control and URL Filtering in
SmartView Tracker 57
Application Control and URL Filtering Licensing
and Contracts 10
Application Control and URL Filtering Logs 57
Application Control Backwards Compatibility
52
Application Risk Levels 29
Applications/Sites 19
Applications/Sites Pane 32
AppWiki 31
Architecture 55
Automatically Updating the Trusted CA List and
Certificate Blacklist 43
D
Default Rule and Monitor Mode 17
Deploying Certificates by Using Group Policy
38
Destination 19, 40
Detected in My Organization 31
Distributing and Connecting Clients 72
DNS Based Configuration 70
E
Enabling Application Control on a Security
Gateway 11
Enabling HTTPS Inspection 36
Enabling or Disabling Hit Count 23
Enabling URL Filtering on a Security Gateway
11
Enabling UserCheck Client 65
Engine Settings 50
Event Analysis in SmartEvent 49
Event Analysis in SmartEvent or SmartEvent
Intro 60
Exporting a Certificate from the Security
Management Server 37
Exporting and Deploying the Generated CA 37
Exporting and Importing Applications or Sites
34
Blade 42
Blade Queries 48
Blocking Applications 12
Blocking Sites 14
Blocking URL Categories 16
Browse Time 60
Bypassing HTTPS Inspection to Software
Update Services 42
Fail Mode 50
File Name Based Server Discovery 67
C
Certificate 42
Certificate Blacklisting 45
Check Point Online Web Service 50
Checking that it Works 75
Client and Gateway Communication 66
Configuring a Mirror Port 74
Configuring Inbound HTTPS Inspection 38
Configuring Legacy URL Filtering 55
Configuring Outbound HTTPS Inspection 36
Configuring the Hit Count Display 23
Configuring the Hit Count Timeframe 24
Configuring the Interface as a Mirror Port 75
Configuring the Security Gateway for
UserCheck 62
Configuring UserCheck 62
Connecting the Gateway to the Traffic 75
G
Gateway 7
Gateways Pane 42
GatewaysPane 32
Getting Started 10
Getting the MSI File 71
H
Helping Users 73
Hits 18
How it Operates 35
HTTP Inspection on Non-Standard Ports 34
HTTP/HTTPS Proxy 46
HTTPS Inspection 35
HTTPS Inspection in SmartEvent 49
HTTPS Inspection in SmartView Tracker 48
HTTPS Inspection Queries 48
HTTPS Validation 44
I
Identifying Users Behind a Proxy 54
Important Information 3
SmartConsole 7
SmartDashboard 7
SmartDashboard Toolbar 10
Source 19, 40
Technical Requirements 74
Terminology 55
The Application and URL Filtering Database
28
The Application and URL Filtering Overview
Pane 31
The Check Point Solution for Application
Control and URL Filtering 9
The HTTPS Inspection Policy 39
The Need for Application Control 8
The Need for URL Filtering 8
The Policy Rule Base 17
Time 21
Top Users 31
Track 20, 41
Troubleshooting 46
Troubleshooting DNS Based Configuration 70
Trusted Gateways 69
M
Main Features 9
Managing Application Control and URL Filtering
17
Manually Updating a Trusted CA 43
Messages and Action Items 31
Monitoring Applications 12
More UserCheck Interaction Options 26
My Organization 31
N
Name 18, 40
Number (No.) 40
Number (NO.) 18
O
Option Comparison 66
Overriding Categorization 34
P
Parts of the Rule 40
Parts of the Rules 18
Permissions for HTTPS Logs 48
Permissions for Logs 58
Predefined Queries 58
Predefined Rule 39
R
Refreshing the Hit Count Data 24
Regular Expression Syntax 76
Regular Expressions 76
Remote Registry 71
Removing the Mirror Port 75
Renaming the MSI 68
Revoking Incidents 64
Rule 7
S
Saving a CA Certificate 44
Scheduling Updates 30
Security Category Updates 28
Security Gateway 7
Security Gateway Portals 47
Server Certificates 38
Server Configuration Rules 68
Server Validation 44
Services 40
Setting up a Mirror Port 74
Site 7
Site Category 40
U
Updating the Application and URL Filtering
Database 29
URL Filtering 7, 51
UserCheck and Check Point Password
Authentication 73
UserCheck CLI 63
UserCheck Client 65
UserCheck Client Overview 65
UserCheck Frequency and Scope 26
UserCheck Interaction Objects 24
UserCheck Page 27
UserCheck Requirements 65
Using Character Types 77
Using Identity Awareness Features in Rules
14
Using Identity Awareness in the Application and
URL Filtering Rule Base 53
Using Non-Printable Characters 77
Using the AppWiki 29
V
Viewing Information in SmartEvent 49, 61
Viewing Logs 58
W
Web Browsing 52
Web Site 7
Page 80