Scribd
Upload
118 views

Check Point Application Control Signature Tool: Administration Guide

Uploaded by

adriangrin
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
118 views

Check Point Application Control Signature Tool: Administration Guide

Uploaded by

adriangrin
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

1 November 2017

Check Point
Application Control Signature Tool

Administration Guide
Classification: [Restricted]
© 2017 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part of
this product or related documentation may be reproduced in any form or by any means without prior
written authorization of Check Point. While every precaution has been taken in the preparation of
this book, Check Point assumes no responsibility for errors or omissions. This publication and
features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a
list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with
the latest functional improvements, stability fixes, security enhancements and protection
against new and evolving attacks.

Latest Version of this Document


Download the latest version of this document
http://downloads.checkpoint.com/dc/download.htm?ID=53643.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:[email protected]?subject=Feedback on Application
Control Signature Tool Administration Guide.

Revision History
Date Description
01 November 2017 Updated Scenario Types (on page 6) and HTTP Scenario Window (on
page 11).
Added Office365 Enterprise Domain Scenario Window (on page 19) and
Office365 Consumer User Scenario Window (on page 20).

02 January 2017 First release of this document


Contents
Important Information .................................................................................................... 3
Introduction.................................................................................................................... 5
Using the Signature Tool ............................................................................................... 5
Scenario Types ......................................................................................................... 6
R77.30 ....................................................................................................................... 7
R80 ............................................................................................................................ 7
Signature Tool Screens ................................................................................................. 8
Applications Window ................................................................................................. 8
Single Application Window ........................................................................................ 9
HTTP Scenario Window .......................................................................................... 11
SSL/TLS Scenario Window ..................................................................................... 13
IP Scenario .............................................................................................................. 15
Raw Data Scenario Window .................................................................................... 16
HTTP Response Scenario Window ......................................................................... 18
Office365 Enterprise Domain Scenario Window...................................................... 19
Office365 Consumer User Scenario Window .......................................................... 20
CHAPT ER 1

Introduction
The Application Control Signature Tool lets you create applications and signatures for your own
third-party applications. It expands the applications database in the Check Point gateway and allows
you to create and import your own applications and add them to your policy inside SmartDashboard.
CHAPT ER 2

Using the Signature Tool


In This Section:
Scenario Types ......................................................................................................... 6
R77.30 ....................................................................................................................... 7
R80 ............................................................................................................................ 7

To get started:
1. Extract the zip file into a new local folder.
2. Run: ACST.exe

To use the tool:


1. In the applications window, click Add Application.
The single application window opens.
2. Enter information for the Application Details.
These fields are mandatory:
• Name
• Main Category
• Risk
• Description
3. In the Application Scenarios section, click the add scenario + button and select the scenario
type. See Scenario Types (on page 6).
4. Click Save application.
5. In the applications list, select the application and click Export to create the output files.
A new window opens which contains a folder with the name of your application.
6. Import the files to your SmartDashboard.
R77: *.apps
R80: *.xml

Application Control Signature Tool Administration Guide | 5


Using the Signature Tool

Scenario Types
These are the different types of scenarios:
Scenario Actions
HTTP Enter the scenario description and select the fields you need.
To save the scenario, enter a description and values for at least
one of these fields:
• Path
• Host
• User-Agent
• Referrer
• Additional Headers
• Body
For Method, select the required method from the list.

SSL/TLS Enter the scenario description and select the fields you need.
You can select to detect traffic that has both the server name
indication and common name (AND relation) or to detect traffic that
contains at least one of the values (OR relation).
To save the scenario, enter a description and values for at least
one of these fields:
• Server Name Indication
• Common Name

IP Enter the scenario description and the required IP address. The IP


address must be in this format: X.X.X.X
You can insert a specific port as needed.
To save the scenario, you must insert a description and an IP
address.

Raw Data Enter the scenario description and the raw data text to detect. For
simple strings, select Simple Data. For regular expressions, select
PCRE. Change the destination ports to a specific range as needed.
To save the scenario, enter the description and:
• For Simple Data - At least one data field.
• For PCRE - LSS and PCRE Data.

Http Response Enter the scenario description and select the header fields you
need.
To save the scenario, enter a description and at least one of these
fields:
• Server - Mark and insert the required value.
• Content-Type - Mark and insert the required value.
• Body - Insert the response body data you want to detect.

Application Control Signature Tool Administration Guide | 6


Using the Signature Tool

Scenario Actions
Office365 Enterprise
Enter the scenario description and add the domains you want to
Domain
detect. To save the scenario, enter a description and at least one
domain.

Office365 Consumer User Enter the scenario description and add the usernames you want to
detect. To save the scenario, enter a description and at least one
username.

R77.30
To import the application to the Application Control and URL Filtering Database:
1. Open SmartDashboard > Application Control and URL Filtering > Applications and Sites.
2. Click Actions > Import.
The Import Applications/Sites window opens.
3. Browse to the *.apps file that the Signature Tool created and click Open.

R80
To import the application to R80 SmartConsole:
See sk111054 http://supportcontent.checkpoint.com/solutions?id=sk111054.

Application Control Signature Tool Administration Guide | 7


CHAPT ER 3

Signature Tool Screens


In This Section:
Applications Window ................................................................................................. 8
Single Application Window........................................................................................ 9
HTTP Scenario Window .......................................................................................... 11
SSL/TLS Scenario Window..................................................................................... 13
IP Scenario.............................................................................................................. 15
Raw Data Scenario Window ................................................................................... 16
HTTP Response Scenario Window ........................................................................ 18
Office365 Enterprise Domain Scenario Window..................................................... 19
Office365 Consumer User Scenario Window ......................................................... 20

Applications Window
The Applications Window, the main window, contains a list of all the custom applications you
create and their basic properties:
• Name
• Main Category
• Risk
• Description
• Creation Date
• Last Modified Date
Use the tool box to Add, Edit, Delete, and Search an application. To create output files that you can
input into SmartDashboard, click the Export button.

Application Control Signature Tool Administration Guide | 8


Signature Tool Screens

Single Application Window


The single application window appears after you click Add or Edit for an application.
In Application Details, enter all the application properties that appear in SmartDashboard.
In Application Scenarios, manage (Add/Edit/Delete) scenarios that are translated into signatures
by the Signature Tool when you export an application.

Application Properties:

Property Description Valid values Required


Name Name of the application to show in Simple string Yes
SmartDashboard.

Main Category The main category of the application. Category from Yes
categories list

Risk Your assessment of how threatening the • Very low risk Yes
application is to security. • Low risk
• Medium risk
• High risk
• Critical risk

Additional Additional categories relevant to the Category from No


Categories application. categories list

Description Description of the application to show in Simple string Yes


SmartDashboard.

Application Control Signature Tool Administration Guide | 9


Signature Tool Screens

Application Control Signature Tool Administration Guide | 10


Signature Tool Screens

HTTP Scenario Window


In the HTTP scenario window, you can create a scenario that detects HTTP traffic based on the data
you entered. You can select an HTTP method and enter the Path, Host, User-Agent and Referrer
fields.
You must enter the Scenario Description and at least one field from Path, Host, User-Agent
and Referrer.

Property Description Valid values Required Additional


Information
Description Description of the scenario. Simple Yes NA
string

Method HTTP request method. • GET No NA


• POST
• OPTIONS
• PUT
• DELETE
• HEAD
• TRACE

Path HTTP Request-URI, e.g. Simple No Detects any path text


/web/homepage.html string / containing the input
PCRE string.
regular
expression

Host The destination host Simple No Detects any host


domain/IP, e.g. string / header text containing
www.checkpoint.com PCRE the input string.
regular
expression

User-Agent A string that identifies the Simple No Detects user-agent


client software originating the string / header starting with
request, e.g. Mozilla/5.0 PCRE the input string.
(Windows NT 6.1; WOW64) regular
AppleWebKit/537.36 expression
(KHTML, like Gecko)
Chrome/52.0.2743.116
Safari/537.36

Referrer The address of the webpage Simple No Detects referrer header


that linked to the resource string / containing the input
being requested, e.g. PCRE string.
https://www.checkpoin regular
t.com/ expression

Application Control Signature Tool Administration Guide | 11


Signature Tool Screens

Property Description Valid values Required Additional


Information
Additional
List of headers and their Simple No Detects the custom
Headers
values you want to detect, string / header containing the
e.g. Content-Type (header) PCRE value.
text/html (values). regular
expression

Body The body of the HTTP Simple No Detects body section


request. string / containing the input
PCRE string.
regular
expression

Application Control Signature Tool Administration Guide | 12


Signature Tool Screens

SSL/TLS Scenario Window


In the SSL/TLS scenario window, you can create a scenario that detects SSL traffic based on the
data you entered. You can enter information for the Server Name Indication and/or the Common
Name fields.
You must enter the Scenario Description and at least one field from Server Name Indication
and Common Name.
Property Description Valid Required Additional
values Information
Description Description of the Simple Yes NA
scenario. string

Server Name A string by which Simple No Detects server name


Indication a client indicates string indication containing the
which hostname it input string.
attempts to connect to at
the start of the SSL
handshaking process, e.g.
www.checkpoint.com
Refers to traffic going
from the client to the
server.

Common A string that represents Simple No Detects common name


Name the server common name. string containing the input string.
SSL server certificates are
specific to the Common
Name that they have been
issued to at the Host level,
e.g.
www.checkpoint.com
Refers to traffic going
from the server to the
client.

• The AND/OR button refers to the relationship between the fields.


AND means detect traffic containing both values in these fields.
OR means detect traffic containing only one of the values.

Application Control Signature Tool Administration Guide | 13


Signature Tool Screens

Application Control Signature Tool Administration Guide | 14


Signature Tool Screens

IP Scenario
In the IP scenario window, you can create a scenario that detects all traffic that goes to a specific IP
and/or port.
You must enter information for the Scenario Description and IP fields.

Property Description Valid values Required


Scenario Description of the scenario. Simple string Yes
Description

Destination IP The IP address of the traffic to detect, e.g. A valid IP Yes


Address 183.15.209.75 address with
the format
X.X.X.X,
where X is a
number from
0-255.

Port The port number of the traffic to detect, e.g. A valid port No
25. number from
1-65535.

Application Control Signature Tool Administration Guide | 15


Signature Tool Screens

Raw Data Scenario Window


In the Raw Data scenario window, you can create a scenario that detects raw data non-HTTP traffic
based on the data you entered. You can enter a simple raw data string or a PCRE regular
expression.

Property Description Valid Required Additional


values Information
Scenario Description of the Simple Yes NA
Description scenario. string

Simple Data - The raw data to detect, Simple Yes (in Detects raw data text
Data e.g. “hello world.” string "Simple containing the input string.
Data"
mode)

PCRE - LSS A simple string that Simple Yes (in Detects raw data text
appears in the data, e.g. string “PCRE” containing the input string.
“hello.” mode)

PCRE - PCRE A PCRE regular PCRE Yes (in Detects raw data text that
Data expression that matches regular “PCRE” matches the regular
the data, e.g. “^He.*” expressio mode) expression.
n

IP Protocol The IP protocol of the • TCP Yes NA


traffic to detect. • UDP

Direction The direction of the traffic • Client to Yes NA


Server
to detect.
• Server to
Client
• Both

Destination The destination ports A range Yes NA


Ports Range range of the traffic to between 1
detect, e.g. 21 – 25. and
65,535.

Application Control Signature Tool Administration Guide | 16


Signature Tool Screens

Application Control Signature Tool Administration Guide | 17


Signature Tool Screens

HTTP Response Scenario Window


In the HTTP Response scenario window, you can create a scenario that detects HTTP response
traffic based on the data you entered. You can enter the Server and the Content-Type headers if
you want to detect them, and enter the Body field to detect data that appears in the response body.
You must enter the Scenario Description and at least one field from Server, Content-Type
and Body.

Property Description Valid values Required Additional


Information
Description Description of the scenario. Simple Yes NA
string

Server HTTP response server Simple No Detects any server text


header, e.g. string containing the input string.
“Apache/2.2.14”

Content-Type HTTP response Simple No Detects any host header


content-type header, e.g. string text containing the input
"text/html" string.

Body HTTP response body, e.g. Simple No Detects response body text
“<h1>Hello World</h1>” string or containing the input string.
hexadecima
It can also be in hex, e.g. If “starts with” is checked,
l value with
“A1 2D 68”, if you check the detects response body text
the format
“hexadecimal” check box. starting with the input
“XX XX XX”
string.
where X is a
hexadecima
l digit.

Application Control Signature Tool Administration Guide | 18


Signature Tool Screens

Office365 Enterprise Domain Scenario Window


In the Office 365 Enterprise Domain scenario window, you can create a scenario that will detect
Office365 Enterprise domains based on the list you entered.
You must enter the Scenario Description and at least one domain name.

Property Description Valid values Required Additional information


Description Description of the Simple string Yes NA
scenario

Domains List of domains you Simple strings Yes NA


want to detect

Application Control Signature Tool Administration Guide | 19


Signature Tool Screens

Office365 Consumer User Scenario Window


In the Office 365 Consumer User scenario window, you can create a scenario that will detect
Office365 Enterprise Consumer based on the list you entered.
You must enter the Scenario Description and at least one username.

Property Description Valid values Required Additional information


Description Description of the Simple string Yes NA
scenario

Usernames List of usernames Simple strings Yes NA


you want to detect

Application Control Signature Tool Administration Guide | 20

You might also like