Check Point Application Control and URL Filtering Configuration

Document ID: CPENG07
Product: Security Gateway
Version: R80.10, R80.20, R80.30, R80.40
Platform / Model: All


VM Configuration details:

Before I proceed: the diagram above shows my existing Cluster setup.

First, use the link below to set up the LAB for the Cluster Setup, then add the default route to communicate between HOST machine (IP: and the ADServer (IP:

NOTE : A Cluster Setup is not necessary for this LAB; we can use a Single Gateway or a standalone setup as well.

With our existing Cluster Setup, we are going to add a user-based security rule: we add an AD user to our rule base to block or allow URLs.

Before we proceed, see the details below.

Note: It's a very simple setup, so don't think it's complicated. Kindly reach out to us if anything is unclear.

IP Address Details

Gateway 1 (Active) IP : Internal (eth0) –> || External (eth2) –>

Gateway 2 (Standby) IP : Internal (eth0) –> || External  (eth2) –>

Cluster VIP (Virtual IP) : Internal –> || External –>

Sync IP : Active Gateway (eth1) —>  || Standby Gateway (eth1) —>  (NO Virtual IP Required)

DMZ Network(AD Server)

Gateway 1 (Active) IP : Internal (eth3)  –> | External (eth2) —>

Gateway 2 (Standby) IP : Internal (eth3) –> | External (eth2) —>

Cluster VIP (Virtual IP) : Internal –> | External –>

Management Server IP :

AD Server IP : Internal IP —>

Route Configuration

Internal LAN ( —->  Default Gateway (VIP :

DMZ Network ( —–>  Default Gateway (VIP :

Gateway IP (  & —> Default Gateway (VIP:

Host Machine (Where VMware is installed) —>

VMNet Details

VMnet0 : Auto-Bridging  : External :

VMnet1 : Host-Only : Internal  :

VMnet2 : Host-Only : Sync :

VMnet3 : Host-Only : DMZ Network :

DNS & AD Server IP :

Let’s Start..

STEP 01: Check the HOST machine IP address.

I assign IP address as

STEP 02: Check the connectivity between the HOST machine ( to ADServer  (

Ping (it communicates)

STEP 03: Check the DNS address of the HOST machine (

command : CMD>ipconfig /all

It shows DNS address : and but we have already configured the DNS server on Windows Server, and the ADServer is also on Windows Server with IP:

STEP 04: Change the DNS address to the DNS Server that is configured on Windows Server.

Ping the DNS Server to check communication.

STEP 05: Run nslookup and also ping (DOMAIN address of ADServer) for verification.

CMD>ping (if it responds, then OK)
CMD>nslookup (if it resolves to the DNS Server IP, then OK)

Some additional steps.

STEP 06: Add the Domain Name “” in Host Machine (Windows 7 IP:

Location : System Properties —> Change Setting —> Change —> Domain (

STEP 07: Click “OK” to get the Login popup.

Log in with the username and password that you already created in ADServer.

STEP 08: I log in with username : Chinmaya, which I already created in ADServer.

If you want to know how to create a user in ADServer, check the link below for details.

STEP 09: Domain added successfully.

STEP 10: Restart the Windows HOST machine (IP:

STEP 11: You can log in with username : Administrator, but I am going to log in with username : Chinmaya.

STEP 12: Click “Other User”.

STEP 13: Log in with Username : Chinmaya.

STEP 14: Enable the “Application Control” and “URL Filtering” Blades in the Cluster.

Location : SmartConsole —> Cluster Object —> General Properties

STEP 15: Click “Yes”.

STEP 16: Create a Policy layer for “Application Control and URL Filtering”.

Location : SmartConsole —> Security Policies —> Access Control —> Policy —> Edit Policy

STEP 17: Click “+” icon and Click on “New Layer” for adding the new layer (Application Control and URL Filtering).

STEP 18: Give Object Name : Application Control and URL Filtering

Blades : Application & URL Filtering.

STEP 19: Click on “Advanced” Tab and Select Implicit Cleanup Action as “Accept”.

STEP 20: The “Application Control and URL Filtering” layer now shows as added in Access Control.

STEP 21: I have not created any rule yet; I have only given the rule name “Test_URL_Rule”. Before creating the “Application Control and URL Filtering” rule, we first create a Network access rule.

STEP 22: The current rule base has two rules: one “Accept” and one “Drop”.

Create a network access rule so that the LAN network can access the internet.

STEP 23: Create a network Object. I created it as:

Object Name : Internal_LAN :

NAT : Hide

STEP 24: For NAT configuration, go to the NAT section in the Network Object.

Mark “Add automatic address translation rules”

Translation method : “Hide”

Select : Hide behind the gateway

See the rule.

NOTE : Please also specify the service.

STEP 25: Go to “Application Control and URL Filtering” and create an access control rule that will be our user-based rule.

Click “+” icon.

STEP 26: Click “*” icon and select “Access Role…”.

STEP 27: Go to the “Users” section and click the “+” icon.

Select the AD Domain Name. Once you select the domain you are able to see its users; then select the user accordingly.

STEP 28: See the Domain ”” and see the user as well.

STEP 29: I select the user “Chinmaya Naik”.

STEP 30: Added Username : Chinmaya Naik successfully.

See the “Distinguished Name”.

STEP 31: Give a name to the “New Access Role”

I named it “Chinmaya” and clicked “Ok”.

STEP 32: After adding the Source : Chinmaya

Add the Destination as “Internet”: click the “+” icon in Destination and select “Internet”.

STEP 33: In “Services & Application” I select “Social Networking” to block social networking websites.

STEP 34: Add action as : Drop and Blocked Message

With this action selected, user “Chinmaya” sees the Blocked page whenever user “Chinmaya” tries to access social networking websites.

STEP 35: Track as “Log”.

NOTE : Also select detailed logs for logging.

STEP 36: Name : Test_URL_Rule | Source : Chinmaya | Destination : Internet | VPN : Any | Services & Application : Social Networking (category) | Action : Drop/blocked message | Track : Log/Accounting.

STEP 37: It looks like this.

See again with Diagram.

STEP 38: Change the engine settings of “Application Control and URL Filtering”.

Mark “Categorize HTTPS websites” and click “Ok”.

Location : Manage & Settings —> Blades —> Application Control and URL Filtering —> Advanced Settings —> General

NOTE : When we enable this option, HTTPS Inspection should be disabled. Basically, “HTTPS Inspection” and “Categorize HTTPS websites” can't both be enabled.

STEP 39: Install the database.

STEP 40: Install the Access control policy.

STEP 41: After installing the policy, the Windows Host Machine ( is able to ping, which means we can now access sites based on the policy.

STEP 42: Website  is successfully blocked.

“” comes under the “Social Networking” category, which I already added in the policy.

STEP 43: See the Facebook block logs.

STEP 44: Add a custom site to block or allow a URL.

Click the “+” icon in the “Services & Application” section —> Custom Application/Sites —> Application/Sites.

STEP 45: Name the new Application/Site (I named it Custome_Site01) and add URLs by clicking “+”, in a format like:

*thehackernews* | |

Click “Ok”

STEP 46: Install the Database and install the policy.

STEP 47: Access the URL for testing.


STEP 48: The site is blocked and we can see the Block page, which shows it was blocked by the “Custome_Site01” category.

STEP 49: See the block logs in tracker.

Select blade “URL Filtering” in Logs Filter.

STEP 50: See the Matched rules.

“Accept” in Access Control policy and “Block” in “Application Control and URL Filtering” policy.

STEP 51: See the Logs.

STEP 52: See the Rule with logs.

STEP 53: See the details of Drop logs.

STEP 54: See the username “Chinmaya Naik” in Drop logs.

