Use this window to define the Access Policy.
Introducing the Unified Access Control Policy
Define one unified Access Control Policy. The Access Control Policy lets you create a simple and granular Rule Base that combines all these Access Control features:
There is no need to manage separate Rule Bases. For example, you can define one intuitive rule that allows users in specified networks to use a specified application, but prevents them from downloading files larger than a specified size. You can use all these objects in one rule:
Information about these features is collected in one log:
Creating a Basic Access Control Policy
A firewall controls access to computers, clients, servers, and applications using a set of rules that make up an Access Control Rule Base. You need to configure a Rule Base that gives secure Access Control and optimized network performance. A strong Access Control Rule Base:
Basic Rules
Best Practice - These are basic Access Control rules we recommend for all Rule Bases:
Note - If you delete the cleanup rule, there is still an implicit drop rule that drops all traffic that did not match any other rule. This rule does not create log entries. If you want to log the traffic, create an explicit Cleanup rule.
Use Case - Basic Access Control
This use case shows a Rule Base for a simple Access Control security policy. (The , and columns are not shown.)
Use Case - Inline Layer for Each Department
This use case shows a basic Access Control Policy with a sub-policy for each department. The rules for each department are in an Inline Layer. An Inline Layer is independent of the rest of the Rule Base. You can delegate ownership of different Layers to different administrators.
Configuring Site to Site VPN Rules in the Access Policy
You must configure rules to allow traffic to and from VPN Communities. Configure rules in SmartConsole > > . All Layers of the Access Control Policy can contain VPN rules. To make a rule apply to a VPN Community, the column of the Rule Base must contain one of these:
Examples:
Examples of VPN Access Rules for Remote Access
Examples: This rule allows traffic from all VPN Communities to the internal network on all services:
This rule allows traffic from RemoteAccess VPN Community to the internal network on HTTP and HTTPS.
This rule allows traffic from RemoteAccess VPN Community to the internal network on all services when the traffic starts from the Endpoint Security VPN client.
See Access Roles for Remote Access for details of how to create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.
Creating Application Control and URL Filtering Rules
Create and manage the Policy for Application Control and URL Filtering in the Access Control Policy, in the view of SmartConsole. Application Control and URL Filtering rules define which users can use specified applications and sites from within your organization, and what application and site usage is recorded in the logs. To learn which applications and categories have a high risk, look through the in the part of the view. Find ideas for applications and categories to include in your Policy. To see an overview of your Access Control Policy and traffic, see the view in > > .
Monitoring Applications
Scenario: I want to monitor all Facebook traffic in my organization. How can I do this? To monitor all Facebook application traffic:
The rule allows all Facebook traffic but logs it. You can see the logs in the view, in the tab. To monitor how people use Facebook in your organization, see the view (SmartEvent Server required).
Blocking Applications and Informing Users
Scenario: I want to block pornographic sites in my organization, and tell the user about the violation. How can I do this? To block an application or category of applications and tell the user about the policy violation:
The rule blocks traffic to pornographic sites and logs attempts to access those sites. Users who violate the rule receive a UserCheck message that informs them that the application is blocked according to company security policy. The message can include a link to report if the website is included in an incorrect category.
Limiting Application Traffic
Scenario: I want to limit my employees' access to streaming media so that it does not impede business tasks. If you do not want to block an application or category, there are different ways to set limits for employee access:
The example rule below:
To create a rule that allows streaming media with time and bandwidth limits:
Note - In ClusterXL Load Sharing modes, the specified bandwidth limit is divided between all defined cluster members, regardless of the cluster state. For example, if a rule sets a 1 Gbps limit in a cluster with three members, each member has a fixed limit of 333 Mbps.
Using Identity Awareness Features in Rules
Scenario: I want to allow a Remote Access application for a specified group of users and block the same application for other users. I also want to block other Remote Access applications for everyone. How can I do this? If you enable Identity Awareness on a Security Gateway, you can use it together with Application Control to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object. In this example:
To do this, add two new rules to the Rule Base:
Notes on these rules:
For more about Access Roles and Identity Awareness, see the R80.20 Identity Awareness Administration Guide.
Blocking Sites
Scenario: I want to block sites that are associated with categories that can cause liability issues. Most of these categories exist in the Application and URL Filtering Database, but there is also a custom defined site that must be included. How can I do this? You can do this by creating a custom group and adding all applicable categories and the site to it. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object. In this example:
To create a custom group:
You can now use the Liability_Sites group in the Access Control Rule Base. In the Security Policies view of SmartConsole, go to the Policy. In the Rule Base, add a rule similar to this:
Blocking URL Categories
Scenario: I want to block pornographic sites. How can I do this? You can do this by creating a rule that blocks all sites with pornographic material, using the Pornography category. If you enable Identity Awareness on a Security Gateway, you can use it together with URL Filtering to make rules that apply to an access role. Use access role objects to define users, machines, and network locations as one object. In this example:
The procedure is similar to Blocking Applications and Informing Users. In the Rule Base, add a rule similar to this:
Policy Layers and Inline Layers
A policy is a set of rules that the gateway enforces on incoming and outgoing traffic. There are different policies for Access Control and for Threat Prevention. You can organize the Access Control rules in more manageable subsets of rules using Policy Layers and Inline Layers.
The Need for Policy Layers and Inline Layers
Policy Layers and Inline Layers help you manage your cyber security more efficiently. You can:
Order of Rule Enforcement in Inline Layers
The Policy Layer can contain Inline Layers. This is an example of an Inline Layer:
The Inline Layer has a parent rule (Rule 2 in the example), and sub rules (Rules 2.1 and 2.2). The Action of the parent rule is the name of the Inline Layer. If the packet does not match the parent rule of the Inline Layer, the matching continues to the next rule of the Policy Layer (Rule 3). If a packet matches the parent rule of the Inline Layer (Rule 2), the Firewall checks it against the sub rules:
Important - Always add an explicit Cleanup Rule at the end of each Inline Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.
Order of Rule Enforcement in Policy Layers
When a packet arrives at the gateway, the gateway checks it against the rules in the first Policy Layer, sequentially from top to bottom, and enforces the first rule that matches the packet. If the Action of the matching rule is Drop, the gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the gateway continues to check rules in the next Policy Layer.
If none of the rules in the Policy Layer match the packet, the explicit Default Cleanup Rule is applied. If this rule is missing, the Implicit Cleanup Rule is applied. Every Policy Layer has its own Implicit Cleanup Rule. You can configure the rule to Accept or Drop in the Layer settings. Important - Always add an explicit Cleanup Rule at the end of each Policy Layer, and make sure that its Action is the same as the Action of the Implicit Cleanup Rule.
Creating an Inline Layer
An Inline Layer is a sub-policy which is independent of the rest of the Rule Base. The workflow for making an Inline Layer is:
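The matching order described here and in Order of Rule Enforcement in Inline Layers, as an added Python model. This is example code written for this page, not Check Point's implementation. The Packet, Rule and Layer classes, the sample rules, the addresses and the service names are all constructed for illustration (services are plain names rather than service objects, and there is no protocol signature or application matching); the implicit cleanup actions are set to follow the text, Drop for the whitelist Network layer and Accept for the blacklist Application layer. The second packet shows the point of the Important note above: an Inline Layer without an explicit cleanup rule silently drops traffic that a later rule of the parent layer would have allowed.

```python
"""Model of first-match rule enforcement across Ordered Layers and Inline Layers.

Added example for this page; not Check Point code. All rules, networks and
service names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

ANY = "Any"


@dataclass
class Packet:
    src: str
    dst: str
    service: str        # constructed service name, e.g. "http", "ssh"


@dataclass
class Layer:
    """An Ordered (Policy) Layer or an Inline Layer: rules plus its implicit cleanup action."""
    name: str
    rules: List["Rule"]
    implicit_cleanup: str = "Drop"   # R80.10+ default; set Accept for a blacklist layer


def _addr_in(addr: str, allowed) -> bool:
    if allowed == ANY:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(cidr) for cidr in allowed)


@dataclass
class Rule:
    name: str
    src: Union[str, List[str]] = ANY       # ANY or a list of CIDR strings
    dst: Union[str, List[str]] = ANY
    service: Union[str, List[str]] = ANY   # ANY or a list of service names
    action: Union[str, Layer] = "Drop"     # "Accept", "Drop", or an Inline Layer

    def matches(self, pkt: Packet) -> bool:
        return (_addr_in(pkt.src, self.src)
                and _addr_in(pkt.dst, self.dst)
                and (self.service == ANY or pkt.service in self.service))


def match_layer(layer: Layer, pkt: Packet, trace: List[str]) -> str:
    """First match wins. A parent rule hands the packet to its Inline Layer only:
    matching never falls back to the next rule of the parent layer."""
    for rule in layer.rules:
        if not rule.matches(pkt):
            continue
        trace.append(rule.name)
        if isinstance(rule.action, Layer):
            return match_layer(rule.action, pkt, trace)
        return rule.action
    trace.append(f"{layer.name}:implicit-cleanup")   # no explicit cleanup rule matched
    return layer.implicit_cleanup


def match_policy(layers: List[Layer], pkt: Packet) -> Tuple[str, List[str]]:
    """Ordered Layers are checked in turn: Drop ends matching, Accept moves to the next layer."""
    trace: List[str] = []
    for layer in layers:
        if match_layer(layer, pkt, trace) == "Drop":
            return "Drop", trace
    return "Accept", trace


WEB_SERVERS = ["10.1.1.0/24"]
APP_SERVERS = ["10.1.2.0/24"]
ADMIN_NET = ["10.0.0.0/24"]

# Inline Layer with no explicit cleanup rule, so unmatched traffic gets its implicit Drop.
web_layer = Layer("Web-Servers", [
    Rule("Allow-Web", ANY, WEB_SERVERS, ["http", "https"], "Accept"),
])

network_layer = Layer("Network", [
    Rule("Web-Servers", ANY, WEB_SERVERS, ANY, web_layer),            # parent rule of the Inline Layer
    Rule("Admin-SSH", ADMIN_NET, ["10.1.0.0/16"], ["ssh"], "Accept"),  # never reached for web servers
    Rule("LAN-to-App", ADMIN_NET, APP_SERVERS, ANY, "Accept"),
    Rule("Cleanup"),                                                  # explicit Any/Any/Any -> Drop
], implicit_cleanup="Drop")

# Blacklist layer: only Drop rules, so its implicit cleanup is Accept.
app_layer = Layer("Application", [
    Rule("Block-Telnet", ANY, ANY, ["telnet"], "Drop"),
], implicit_cleanup="Accept")

POLICY = [network_layer, app_layer]


def decide(src: str, dst: str, service: str) -> Tuple[str, List[str]]:
    return match_policy(POLICY, Packet(src, dst, service))


if __name__ == "__main__":
    for p in [("192.0.2.10", "10.1.1.5", "http"), ("10.0.0.7", "10.1.1.5", "ssh"),
              ("10.0.0.7", "10.1.2.9", "ssh"), ("10.0.0.7", "10.1.2.9", "telnet"),
              ("192.0.2.10", "10.1.2.9", "http")]:
        print(p, "->", decide(*p))
```

The trace returned with each verdict lists the rules that were evaluated and matched, so you can see that SSH from the admin network to a web server is decided entirely inside the Web-Servers Inline Layer and never reaches Admin-SSH. Adding an explicit Cleanup rule with the same Action at the end of the Inline Layer changes nothing about the verdict, but it makes the drop visible and loggable instead of relying on the implicit rule.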
To create an Inline Layer:
Creating a Policy Layer
To create a Policy Layer:
To add a Policy Layer to the Access Control Policy:
Pre-R80.10 Gateways: To create a Layer for URL Filtering and Application Control:
Enabling Access Control Features
Before creating the Access Control Policy, you must enable the Access Control features that you will use in the Policy. Enable the features on the:
Enabling Access Control Features on a Gateway
Enabling Access Control Features on a Layer
To enable the Access Control features on a Policy Layer:
To enable the Access Control features on an Inline Layer:
Types of Rules in the Rule Base
There are three types of rules in the Rule Base - explicit, implied and implicit. Explicit rules The rules that the administrator configures explicitly, to allow or to block traffic based on specified criteria.
Implied rules The default rules that are available as part of the configuration and cannot be edited. You can only select the implied rules and configure their position in the Rule Base:
Implied rules are configured to allow connections for different services that the Security Gateway uses. For example, the rules allow packets that control these services:
Implicit cleanup rule The default "catch-all" rule for the Layer that deals with traffic that does not match any explicit or implied rules in the Layer. It is created automatically when you create a Layer. Implicit cleanup rules do not show in the Rule Base. For R80.10 and later version Security Gateways, the default implicit cleanup rule action is Drop. This is because most Policies have Whitelist rules (the Accept action). If the Layer has Blacklist rules (the Drop action), you can change the action of the implicit cleanup rule to Accept in the Layer Editor. For R77.30 and earlier version Security Gateways, the action of the implicit rule depends on the Policy Layer:
Note - If you change the default values, the policy installation will fail on R77.30 and earlier version Security Gateways.
Order in which the Firewall Applies the Rules
Configuring the Implied Rules
Some of the implied rules are enabled by default. You can change the default configuration as necessary. To configure the implied rules:
Showing the Implied Rules
To see the implied rules: In , from the View, select > . The window opens. It shows only the implied rules, not the explicit rules.
Configuring the Implicit Cleanup Rule
To configure the Implicit Cleanup Rule:
Administrators for Access Control Layers
You can create administrator accounts dedicated to the role of Access Control, with their own installation and SmartConsole Read/Write permissions. You can also delegate ownership of different Layers to different administrators.
Sharing Layers
You may need to use the same rules in different parts of a Policy, or have the same rules in multiple Policy packages. There is no need to create the rules multiple times. Define an Ordered Layer or an Inline Layer one time, and mark it as shared. You can then reuse the Inline Layer or Ordered Layer in multiple policy packages, or use the Inline Layer in multiple places in an Ordered Layer. This is useful, for example, if you are an administrator of a corporation and want to share some of the rules among multiple branches of the corporation:
To mark a Layer as shared:
To reuse a Threat Prevention Policy Layer:
For examples of Inline Layers and Policy Layers, see Unified Rule Base Use Cases.
Visual Division of the Rule Base with Sections
To better manage a policy with a large number of rules, you can use Sections to divide the Rule Base into smaller, logical components. The division is only visual and does not make it possible to delegate administration of different Sections to different administrators.
Exporting Layer Rules to a .CSV File
You can export Layer rules to a .csv file. You can open and change the .csv file in a spreadsheet application such as Microsoft Excel. To export Layer rules to a .csv file:
Managing Policies and Layers
To work with Policy Layers and Inline Layers in the Access Control Policy, select > in SmartConsole. The window opens. To see the Layers in the policy package and their attributes: In the pane of the window, you can see:
To see the rules in the Layer:
Including Mobile Access in the Unified Policy
After you configure rules for Mobile Access in the Unified Access Control Policy, configure the gateway to use the . To make an R80.x Mobile Access gateway use the Unified Access Control Policy:
Configuring Mobile Access in the Unified Policy
Creating Mobile Access Rules in the Unified Access Control Policy
Create Mobile Access rules in the Access Control Policy with these requirements:
Mobile Access Applications in the Unified Access Control Policy
To use a Mobile Access application in the Unified Access Control Policy, you must define it as a from the SmartConsole or define it in the in SmartConsole > tab. Other application objects, such as URL Filtering applications, are not relevant for Mobile Access. For example: To authorize Facebook as a web application in Mobile Access, you must create a new Web Application and specify Facebook's URL. You cannot use the URL Filtering Facebook application, because it is not for Mobile Access.
Creating Mobile Applications for the Access Control Policy
To create a Mobile Application object to use in the Access Control Policy:
The Columns of the Access Control Rule Base
These are the columns of the rules in the Access Control Policy. Not all of them are shown by default. To show a column that is hidden, right-click the header of the Rule Base and select it.
Source and Destination Columns
In the Source and Destination columns of the Access Control Policy Rule Base, you can add Network objects including groups of all types. Here are some of the network objects you can include:
VPN Column
You can configure rules for Site-to-Site VPN, Remote Access VPN, and the Mobile Access portal and clients. To make a rule for a VPN Community, add a Site-to-Site Community or a Remote Access VPN Community object to this column, or select to make the rule apply to all VPN Communities. When you enable Mobile Access on a gateway, the gateway is automatically added to the VPN Community. Include that Community in the column of the rule, or use to make the rule apply to Mobile Access gateways. If the gateway was removed from the VPN Community, the column must contain .
IPsec VPN
The IPsec VPN solution lets the Security Gateway encrypt and decrypt traffic to and from other gateways and clients. Use SmartConsole to configure VPN connections between Security Gateways and remote devices. For Site-to-Site Communities, you can configure Star and Mesh topologies for VPN networks, and include third-party gateways. The VPN tunnel guarantees:
IKE and IPsec The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.
Mobile Access to the Network
Check Point Mobile Access lets remote users easily and securely use the Internet to connect to internal networks. Remote users start a standard HTTPS request to the Mobile Access Security Gateway, and authenticate with one or more secure authentication methods. The Mobile Access Portal lets mobile and remote workers connect easily and securely to critical resources over the Internet. Check Point Mobile Apps enable secure encrypted communication from unmanaged smartphones and tablets to your corporate resources. Access can include internal apps, email, calendar, and contacts. To include access to Mobile Access applications in the Rule Base, include the in the column. To give access to resources through specified remote access clients, create Access Roles for the clients and include them in the column of a rule.
To Learn More About VPN
To learn more about Site-to-Site VPN and Remote Access VPN, see these guides:
Services & Applications Column
In the column of the Access Control Rule Base, define the applications, sites, and services that are included in the rule. A rule can contain one or more:
Service Matching
The Firewall identifies (matches) a service according to IP protocol, TCP and UDP port number, and protocol signature. To make it possible for the Firewall to match services by protocol signature, you must enable on the Gateway and on the Policy Layer. You can configure TCP and UDP services to be matched by source port.
Application Matching
If an application is allowed in the policy, the rule is matched only on the services of the application. This default setting is more secure than allowing the application on all services. For example, a rule that allows Facebook allows it only on the Application Control : If an application is blocked in the policy, it is blocked on all services, and is therefore blocked on all ports. You can change the default match settings for applications.
Configuring Matching for an Allowed Application
You can configure how a rule matches an application or category that is allowed in the policy. You can configure the rule to match the application in one of these ways:
To do this, change the of the application or category. The application or category is changed everywhere that it is used in the policy. To change the matched services for an allowed application or category:
Configuring Matching for Blocked Applications
By default, if an application is blocked in the policy, it is blocked on all services, and is therefore blocked on all ports. You can configure the matching for blocked applications so that they are matched on the recommended services. For Web applications, the recommended services are the Application Control Web browsing services. If the match settings of the application are configured to , the blocked application is matched on the customized services. It is not matched on all ports. To configure matching for blocked applications:
Summary of Application Matching in a "Block" Rule
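The difference between matching an allowed and a blocked application, as an added Python model covering Application Matching, Configuring Matching for an Allowed Application and Configuring Matching for Blocked Applications above. This is example code for this page, not Check Point code. The Application and Connection records are constructed; the port set {80, 443} stands in for the Application Control Web browsing services, the identified_app field stands in for the gateway's protocol-signature identification (which is assumed, not modelled), and match_blocked_on_services stands in for the match setting the text describes.

```python
"""Model of application matching width in Allow and Block rules.

Added example for this page; not Check Point code. Application objects, the
port sets standing in for their recommended services, and the connection
records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Stand-in for the Application Control Web browsing services (http, https).
WEB_BROWSING_PORTS: FrozenSet[int] = frozenset({80, 443})


@dataclass(frozen=True)
class Application:
    name: str
    recommended_services: FrozenSet[int]      # ports of the recommended services
    match_blocked_on_services: bool = False   # False: a Block rule matches on all ports


@dataclass(frozen=True)
class Connection:
    dst_port: int
    identified_app: Optional[str]   # application identified by signature, or None


# A rule is (name, action, application); application None means Any.
Rule = Tuple[str, str, Optional[Application]]


def rule_matches(action: str, app: Optional[Application], conn: Connection) -> bool:
    if app is None:
        return True                       # Any application / service
    if conn.identified_app != app.name:
        return False
    if action == "Accept":
        # Allowed: matched only on the application's own services, never on other ports.
        return conn.dst_port in app.recommended_services
    # Blocked: all ports by default; only the recommended/customized services if so configured.
    if app.match_blocked_on_services:
        return conn.dst_port in app.recommended_services
    return True


def first_match(rules: List[Rule], conn: Connection) -> str:
    """Name of the first rule that matches (a cleanup rule should always end the list)."""
    for name, action, app in rules:
        if rule_matches(action, app, conn):
            return name
    return "implicit-cleanup"


FACEBOOK = Application("Facebook", WEB_BROWSING_PORTS)
FACEBOOK_NARROW_BLOCK = Application("Facebook", WEB_BROWSING_PORTS, match_blocked_on_services=True)

ALLOW_POLICY: List[Rule] = [
    ("Allow-Facebook", "Accept", FACEBOOK),
    ("Cleanup", "Drop", None),
]
BLOCK_POLICY: List[Rule] = [
    ("Block-Facebook", "Drop", FACEBOOK),
    ("Cleanup", "Accept", None),
]
BLOCK_ON_SERVICES_POLICY: List[Rule] = [
    ("Block-Facebook", "Drop", FACEBOOK_NARROW_BLOCK),
    ("Cleanup", "Accept", None),
]


def demo() -> Dict[str, str]:
    on_443 = Connection(443, "Facebook")
    on_8443 = Connection(8443, "Facebook")   # same application on a non-standard port
    return {
        "allow/443": first_match(ALLOW_POLICY, on_443),
        "allow/8443": first_match(ALLOW_POLICY, on_8443),          # falls to Cleanup: not allowed off its services
        "block/8443": first_match(BLOCK_POLICY, on_8443),          # blocked on every port
        "block-on-services/8443": first_match(BLOCK_ON_SERVICES_POLICY, on_8443),  # no longer matched
        "block-on-services/443": first_match(BLOCK_ON_SERVICES_POLICY, on_443),
    }


if __name__ == "__main__":
    for case, rule in demo().items():
        print(f"{case:>24}: {rule}")
```

The two Facebook-on-port-8443 cases are the ones to compare: an Allow rule leaves that connection to the cleanup rule, while a Block rule with the default settings still catches it. Switching the block to match on the recommended services narrows the Block rule to ports 80 and 443 and lets the non-standard port fall through to whatever follows, which is the trade-off the text describes.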
Adding Services, Applications, and Sites to a Rule
You can add services, applications and sites to a rule. Note - Rules with applications or categories do not apply to connections from or to the Security Gateway itself. To add services, applications or sites to a rule:
Creating Custom Applications, Categories, and Groups
You can create custom applications, categories or groups that are not included in the Check Point Application and URL Filtering Database. To create a new application or site:
To create a custom category:
Services and Applications on R80 and Lower Gateways, and after Upgrade
For R77.xx and lower Gateways:
When you upgrade the Security Management Server and the Gateway to R80 and higher, this change of behavior occurs:
Content Column
You can add Data Types to the Content column of rules in the Access Control Policy. To use the Content column, you must enable , in the General Properties page of the Security Gateway, and on the Layer. A Data Type is a classification of data. The Firewall classifies incoming and outgoing traffic according to Data Types, and enforces the Policy accordingly. You can set the direction of the data in the Policy to (into the organization), (out of the organization), or . There are two kinds of Data Types: Content Types (classified by analyzing the file content) and File Types (classified by analyzing the file ID). Content Type examples:
File type examples:
Note these limitations:
To learn more about the Data Types, open the Data Type object in SmartConsole and press the button (or ) to see the Help. Note - Content Awareness and Data Loss Prevention (DLP) both use Data Types. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately. To learn more about DLP, see the R80.20 Data Loss Prevention Administration Guide.
Actions
UserCheck Actions
UserCheck lets the Security Gateways send messages to users about possible non-compliant or dangerous Internet browsing. In the Access Control Policy, it works with URL Filtering, Application Control, and Content Awareness. (You can also use UserCheck in the Data Loss Prevention Policy, in SmartConsole.) Create UserCheck objects and use them in the Rule Base to communicate with the users. These actions use UserCheck objects:
UserCheck on a Security Gateway When UserCheck is enabled, the user's Internet browser shows the UserCheck messages in a new window. You can enable UserCheck on Security Gateways that use:
UserCheck on a computer The UserCheck client is installed on endpoint computers. This client:
Tracking Column
These are some of the options:
Unified Rule Base Use Cases
Here are some use cases that show examples of rules that you can define for the Access Control Policy.
Use Case - Application Control and Content Awareness Policy Layer
This use case shows an example unified Access Control Policy. It controls applications and content in one Policy Layer.
Use Case - Inline Layer for Web Traffic
This use case shows an example Access Control Policy that controls Web traffic. The Web server rules are in an Inline Layer.
Use Case - Content Awareness Policy Layer
This use case shows a Policy that controls the upload and download of data from and to the organization. There is an explanation of some of the rules below the Rule Base.
Use Case - Application and URL Filtering Policy Layer
This use case shows some examples of URL Filtering and Application Control rules for a typical policy that monitors and controls Internet browsing. (The and columns are not shown.)
Rule Matching in the Access Control Policy
The Firewall determines the rule to apply to a connection. This is called matching a connection. Understanding how the Firewall matches connections will help you:
Examples of Rule Matching
These example Rule Bases show how the Firewall matches connections. Note that these Rule Bases intentionally do not follow the Best Practices for Access Control Rules, to make the explanations of rule matching clearer.
Rule Base Matching - Example 1
For this Rule Base:
This is the matching procedure for an FTP connection:
Rule Base Matching - Example 2
For this Rule Base:
This is the matching procedure when browsing to a file sharing Web site. Follow the rows from top to bottom. Follow each row from left to right:
Rule Base Matching - Example 3
For this Rule Base:
This is the matching procedure when downloading an executable file from a business Web site. Follow the rows from top to bottom. Follow each row from left to right:
The matching examples show that:
Best Practices for Efficient Rule Matching
Be sure to follow the other Best Practices for the Access Control Policy Rule Base.
Best Practices for Access Control Rules
Best Practices for Efficient Rule Matching
To see examples of some of these best practices, see the Unified Rule Base Use Cases and Creating a Basic Access Control Policy.
Managing Pre-R80.10 Security Gateways
When you upgrade a pre-R80 Security Management Server that manages pre-R80.10 Security Gateways to R80 or higher, the existing Access Control policies are converted in this way:
Important - After upgrade, do not change the of the implicit cleanup rules, or the order of the Policy Layers. If you do, the policy installation will fail. A new Access Control Policy for pre-R80 Security Gateways on an R80 Security Management Server must have this structure:
If the Access Control Policy has a different structure, the policy will fail to install. You can change the names of the Layers, for example, to make them more descriptive. Each new Policy Layer has the explicit default rule, added automatically and set to all the traffic that does not match any rule in that Policy Layer. We recommend that the is set to for the Network Policy Layer and for the Application Control Policy Layer. If you remove the default rule, the is enforced. The is configured in the Policy configuration window and is not visible in the Rule Base table. Make sure the is configured to the unmatched traffic for the Network Policy Layer and to the unmatched traffic for the Application Control Policy Layer.
Analyzing the Rule Base Hit Count
Use the Hit Count feature to show the number of connections that each rule matches. Use the Hit Count data to:
You can show Hit Count for the rules in these options:
These options are configured in the Access Control Policy Rule Base and also change how Hit Count is shown in other supported Software Blades. When you enable Hit Count, the Security Management Server collects the data from supported Security Gateways (from version R75.40 and up). Hit Count works independently from logging and tracks the hits even if the option is .
Enabling or Disabling Hit Count
By default, Hit Count is globally enabled for all supported Security Gateways (from R75.40). The timeframe setting that defines the data collection time range is configured globally. If necessary, you can disable Hit Count for one or more Security Gateways. After you enable or disable Hit Count, you must install the Policy for the Security Gateway to start or stop collecting data. To enable or disable Hit Count globally:
To enable or disable Hit Count on each Security Gateway:
Configuring the Hit Count Display
These are the options you can configure for how matched connection data is shown in the column:
To show the Hit Count in the Rule Base: Right-click the heading row of the Rule Base and select . To configure the Hit Count in a rule:
To update the Hit Count in a rule: