topic Understanding url filtering app control on https sites... in Firewall and Security Management

Understanding url filtering app control on https sites...

Troy_Yeske — Mon, 22 Jul 2019 21:57:56 GMT

Trying to understand some behavior: we have an access control rule that blocks uncategorized sites. Below site is visited and access to it is blocked as uncategorized, it is an https site and yet is categorized as business/economy. The destination is visible via the logs as seen below, yet eventhough the destination is recognized, URL filtering still says it is uncategorized. I'm assuming this is because it is https and the IP address only is scrutinized but just wanted to understand why, if the destination is visible, it isn't categorized as such.

Re: Understanding url filtering app control on https sites...

Neil_ARZ — Tue, 23 Jul 2019 00:05:34 GMT

checkpoint may not categorized some encrypted HTTPS traffic ... try to tick this In Application & Url Filtering Settings under Url Filtering -> Categorize HTTPS websites. else I think you need to enable HTTPS inspection for outbound,,

Re: Understanding url filtering app control on https sites...

Troy_Yeske — Tue, 23 Jul 2019 11:54:57 GMT

Thanks, I do have the categorize https sites check box enabled. Just wondering why the destination URL is identified in the logs, the site is categorized by CHKPT, yet it is still marked 'uncategorized'.

Re: Understanding url filtering app control on https sites...

Neil_ARZ — Tue, 23 Jul 2019 16:05:13 GMT

For me the last resort would be activating HTTPS inspection for Outbound.

HTTPS traffic was encrypted and Checkpoint was unable to categorized the sites because of it .

If https inspection is active with URL and App blade, I am sure it will have an effect on URL categorization. .

Re: Understanding url filtering app control on https sites...

PhoneBoy — Tue, 23 Jul 2019 23:22:43 GMT

Did you check that the gateway can reach the Check Point cloud?
sk83520 and/or https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/sk83520-how-to-check-connectivity-to-CP/td-p/31867

Re: Understanding url filtering app control on https sites...

Tal_Ben_Avraham — Wed, 24 Jul 2019 08:02:33 GMT

Hi Troy,

In your example below the domain you see in the log is by reverse lookup of the destination IP. It is not used for URL categorization.

For SSL traffic SNI (R80.30 and higher)/Certificate CN is used for URL categorization (in case HTTPS Categorization is enabled and SSL inspection is disabled).

We have tested this in our labs and traffic to oati.com is categorized as Buisness/Economy.

I suggest you retest it. If still an issue please open a ticket to support.

*The only scenario I can think of where we will not categorize according to SNI/CN is when certificate is invalid (or SNI is not part of certificate SAN).

Thanks,

Tal

Re: Understanding url filtering app control on https sites...

Troy_Yeske — Thu, 25 Jul 2019 14:12:54 GMT

Note: it was explained to me that the www.ciso.oati.com that shows up in the destination field is the result of a rdns query and we don't base categorization off that naturally, hence the 'uncategorized' categorization from URLF/App Control