https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122772#M17568 <P>Like I said, it may be that the traffic initially looks like something your rules allow for.<BR />This would require some additional troubleshooting and information.<BR />I'd probably start with this:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92743" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92743</A><BR />But I really recommend bringing this through the TAC.</P> Thu, 01 Jul 2021 22:15:28 GMT PhoneBoy 2021-07-01T22:15:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122398#M17520 <P>Can someone tell me why the transfercarenacka.com URL / domain was allowed when we did not allow the "Uncategorized" category? We allow the "Computers / Internet" category which contabo.net matches, but you can see that transfercarenacka.com is uncategorized by URL filtering in the screenshot below. So why would it be allowed? Under Matched Rules, it shows that it matched our our whitelist rule which does NOT include the "Uncategorized" category.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CheckPoint URL Filtering - Uncategorized Allowed.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12351i0EB7FCF8B5D5B480/image-size/medium?v=v2&amp;px=400" role="button" title="CheckPoint URL Filtering - Uncategorized Allowed.png" alt="CheckPoint URL Filtering - Uncategorized Allowed.png" /></span></P> Mon, 28 Jun 2021 17:59:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122398#M17520 B_P 2021-06-28T17:59:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122421#M17526 <P>What is the precise rule allowing this traffic?<BR />Also what is the version/JHF level of the gateway?<BR />It may be the CN of the site certificate is allowed but you are not using a version that supports SNI verification.</P> Tue, 29 Jun 2021 03:04:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122421#M17526 PhoneBoy 2021-06-29T03:04:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122653#M17547 <BLOCKQUOTE><HR /><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;wrote:<BR /><P>What is the precise rule allowing this traffic?</P><HR /></BLOCKQUOTE><P>The Source is a bunch of different networks, the Destination is the "Internet" and the Services &amp; Application is a group containing various URL Categories.</P><BLOCKQUOTE><HR /><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;wrote:<BR /><P>Also what is the version/JHF level of the gateway?</P><HR /></BLOCKQUOTE><P>R80.40 JHF 118</P><BLOCKQUOTE><HR /><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;wrote:<BR /><P>It may be the CN of the site certificate is allowed but you are not using a version that supports SNI verification.</P><HR /></BLOCKQUOTE><P>The gateway already identified the website as an Uncategorized URL (as you can see in the picture above). Are you suggesting that the Firewall will ignore its own categorization?</P><P>BTW, we got the desired behavior by adding another rule directly above the original rule (as described above), but made the Services &amp; Application be Uncategorized and Action set to Drop. Which that absolutely should not have been necessary. The gateway was otherwise allowing stuff it should not have been. How can this be?</P> Thu, 01 Jul 2021 01:02:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122653#M17547 B_P 2021-07-01T01:02:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122658#M17549 <P>If your requirement is to drop web traffic to uncategorized sites, you may need an explicit rule to drop it.<BR />The reason why is that for&nbsp;Application Control/URL Filtering to work, traffic has to be permitted to pass from the specified source/destination/service ports.<BR />Only after some traffic has passed can traffic be properly classified, matched to the relevant rule, and the appropriate action applied.</P> <P>Note that identification is a continual process.<BR />A given flow can initially be allowed because it looks like an allowed application.<BR />Once it looks like an explicitly unallowed application, the flow will be dropped.</P> <P>If the connection terminates before an identification can occur, then the traffic will ultimately be allowed.<BR />That could be what's happening here, but I'd need to see the full log card, and/or do some additional troubleshooting that would likely be better done by the TAC versus in a public forum.</P> <P>Regardless, you're better off always including an explicit rule to drop uncategorized sites if that is part of your requirements.<BR />It generally doesn't take more than a few kilobytes of traffic to identify these connections.</P> Thu, 01 Jul 2021 02:53:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122658#M17549 PhoneBoy 2021-07-01T02:53:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122765#M17567 <BLOCKQUOTE><HR /><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;wrote:<BR /><P>Only after some traffic has passed can traffic be properly classified, matched to the relevant rule, and the appropriate action applied.</P><P>A given flow can initially be allowed because it looks like an allowed application.<BR />Once it looks like an explicitly unallowed application, the flow will be dropped.</P><HR /></BLOCKQUOTE><P>I'm aware of that, but if you sit there hitting refresh a bunch of times and other computers access the website as well, the firewall should know the site should be blocked, no? I've seen in the past where a website may load the first time, but subsequent hits will not; which I would be ok with that. But in this scenario, it just continually allowed it.</P><BLOCKQUOTE><HR /><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;wrote:<BR /><P>Regardless, you're better off always including an explicit rule to drop uncategorized sites if that is part of your requirements.</P><HR /></BLOCKQUOTE><P>If you do not allow something, it should not be allowed. If the firewall is allowing stuff it should not be, that is kind of a problem, no?</P> Thu, 01 Jul 2021 20:44:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122765#M17567 B_P 2021-07-01T20:44:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122772#M17568 <P>Like I said, it may be that the traffic initially looks like something your rules allow for.<BR />This would require some additional troubleshooting and information.<BR />I'd probably start with this:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92743" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92743</A><BR />But I really recommend bringing this through the TAC.</P> Thu, 01 Jul 2021 22:15:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Uncategorized-URL-Allowed-By-CheckPoint/m-p/122772#M17568 PhoneBoy 2021-07-01T22:15:28Z