Check Point Policy Types – Complete Guide
Introduction
Check Point Security Management uses a modular policy model where different policy types handle specific security functions. Starting from R80, policies are layered and managed separately, giving administrators granular control over access, threat prevention, QoS, mobile users, and more.
This guide explains all major policy types in Check Point (R80+ versions), their purpose, configuration approach, and when to use each one.
Access Control Policy
The most important and commonly used policy type. It controls who can access what on the network (north-south and east-west traffic).
Key features:
- Layered structure (multiple ordered layers possible)
- Supports inline layers for complex rules
- Application & URL filtering
- Identity Awareness (user/group-based rules)
- NAT rules integration
Use case: Standard firewall rules – allow HTTP/HTTPS from internal users to internet, block RDP from external, permit VPN traffic.
Always install the Access Control policy after making changes – the installed policy takes effect on traffic immediately.
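To make the layer semantics above concrete, here is a small Python model, added as an illustration and not Check Point code or its management API, of how an R80+ Access Control policy is evaluated: first match within a layer, an inline layer entered only through its parent rule and ending in its own implicit drop, and a connection allowed only when every ordered layer accepts it. The networks, services and rule names are constructed.

```python
# Added example, not Check Point code: toy model of R80+ ordered/inline layers; all objects constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"  # wildcard for a rule field

@dataclass
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    svc: str      # e.g. "tcp/443" or "any"
    action: str   # "accept", "drop" or "inline" (continue in the sub-rules)
    sub: list = field(default_factory=list)  # rules of the inline layer

def _hits(rule, src, dst, svc):
    ok = lambda pat, ip: pat == ANY or ip_address(ip) in ip_network(pat)
    return ok(rule.src, src) and ok(rule.dst, dst) and rule.svc in (ANY, svc)

def match_layer(rules, src, dst, svc):
    # First match wins; an inline layer is entered only through its parent rule.
    for r in rules:
        if _hits(r, src, dst, svc):
            if r.action == "inline":
                return match_layer(r.sub, src, dst, svc)
            return r.action, r.name
    return "drop", "implicit cleanup"  # every layer, inline ones included, ends in a drop

def evaluate(layers, src, dst, svc):
    # Ordered layers: all must accept; the first layer that does not accept drops the connection.
    trace = []
    for layer_name, rules in layers:
        action, rule = match_layer(rules, src, dst, svc)
        trace.append(f"{layer_name}:{rule}")
        if action != "accept":
            return "drop", trace
    return "accept", trace

INTERNAL, DMZ, GUEST = "10.0.0.0/8", "192.168.100.0/24", "10.9.0.0/16"
NETWORK_LAYER = [
    Rule("Block inbound RDP", ANY, INTERNAL, "tcp/3389", "drop"),
    Rule("Internal to DMZ", INTERNAL, DMZ, ANY, "inline", sub=[
        Rule("DMZ web only", INTERNAL, DMZ, "tcp/443", "accept")]),
    Rule("Internal to Internet", INTERNAL, ANY, ANY, "accept"),
]
APP_LAYER = [  # applied only to connections the Network layer accepted
    Rule("Guest Wi-Fi no SSH", GUEST, ANY, "tcp/22", "drop"),
    Rule("Cleanup accept", ANY, ANY, ANY, "accept"),
]
POLICY = [("Network", NETWORK_LAYER), ("Application", APP_LAYER)]
```

Calling `evaluate(POLICY, src, dst, svc)` returns the final verdict plus the rule hit in each layer, which is the same information the gateway logs per layer and is useful when a rule "should" have matched but an earlier layer or an inline cleanup dropped the connection.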
Threat Prevention Policy
Dedicated policy for anti-malware, IPS, Anti-Bot, Anti-Virus, Threat Emulation (Sandboxing), and Application Control.
Key features:
- Separate from Access Control (can be installed independently)
- Profile-based protection (optimized/prevent/detect modes)
- Automatic Threat Prevention updates from ThreatCloud
Use case: Block known malware signatures, detect command-and-control traffic, emulate suspicious files in sandbox.
Threat Prevention has a performance impact – use appropriate profiles (Prevent for critical traffic, Detect for monitoring).
QoS (Quality of Service) Policy
Controls bandwidth allocation and traffic prioritization across interfaces.
Key features:
- Limit / Guarantee bandwidth per rule
- Supports DiffServ (DSCP) marking
- Per-connection QoS (not just per-IP)
Use case: Prioritize VoIP/video traffic over file downloads, limit guest Wi-Fi bandwidth.
Desktop Policy
Manages endpoint security for Check Point Endpoint Security clients (full disk encryption, media encryption, firewall, VPN, anti-malware).
Key features:
- Policy per user/group/machine
- Pre-boot authentication
- Remote help and compliance enforcement
Use case: Enforce full disk encryption on corporate laptops, block USB devices for certain users.
Mobile Access Policy
Controls Check Point Mobile Access blade for SSL VPN and mobile clients.
Key features:
- Portal customization
- Application access rules
- Two-factor authentication integration
Use case: Allow remote users to access internal web applications, file shares, and RDP via SSL VPN.
Other Policy Types
- Application Control & URL Filtering – Often part of Access Control but can be separate in older versions
- Data Loss Prevention (DLP) Policy – Monitors and blocks sensitive data leaving the network
- Compliance Policy – Used with Endpoint for posture checks
Policy Layers & Order of Installation
In modern Check Point (R80+):
- Access Control policy is installed first
- Threat Prevention can be installed separately
- QoS policy applies after Access Control
Always verify policy installation status after changes.
Best Practices
- Use layers wisely – keep rules clean and ordered
- Separate Threat Prevention for performance tuning
- Test policies in monitor-only mode first
- Document policy changes and purpose
- Regularly review and clean unused rules
Conclusion
Check Point’s modular policy types give administrators powerful, granular control over network security. Access Control handles basic traffic, Threat Prevention stops advanced attacks, QoS ensures performance, and Mobile/Desktop policies secure remote and endpoint users.
Understanding when and how to use each policy type is key to building effective, maintainable security policies.