https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144937#M22605 <P>HTTPS Inspection is needed to do full threat prevention and content inspection on encrypted traffic.</P> <P>SNI is used to identify domains you are accessing without decrypting the connection.<BR />It can also be used to determine whether or not a connection requires full HTTPS Inspection (i.e. as part of a bypass rule).</P> Mon, 28 Mar 2022 23:51:32 GMT PhoneBoy 2022-03-28T23:51:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144755#M22573 <P>Hello guys,</P><P>after upgrading our gateways and secure management server to 81.10, there is suddenly a matching issue. I am attaching images.</P><P>Rules we working appropriate before the update. What are you proposing in this case? (images attached)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="photo1.PNG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15848iAF3FBEF91E65C3F6/image-size/medium?v=v2&amp;px=400" role="button" title="photo1.PNG" alt="photo1.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="photo2.PNG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15849i5CEB872AC38A9F4D/image-size/medium?v=v2&amp;px=400" role="button" title="photo2.PNG" alt="photo2.PNG" /></span></P><P>&nbsp;</P><P>and in some cases I am seeing these:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="photo3.PNG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15850i858966436D2ACC46/image-size/medium?v=v2&amp;px=400" role="button" title="photo3.PNG" alt="photo3.PNG" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="photo4.PNG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15851iFE852320292F1049/image-size/medium?v=v2&amp;px=400" role="button" title="photo4.PNG" alt="photo4.PNG" /></span></P><P> </P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P>  </P> Fri, 25 Mar 2022 05:09:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144755#M22573 Netadmin2020 2022-03-25T05:09:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144729#M22576 <P>after going to 81.10, I am experiencing a new issue. Suddenly the is a matching issue on many destinations.Images attached.</P><P>Rules were working appropriate on 80.40...</P><P>&nbsp;</P> Thu, 24 Mar 2022 22:21:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144729#M22576 Netadmin2020 2022-03-24T22:21:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144762#M22577 <P>I would suggest to contact TAC !</P> Fri, 25 Mar 2022 08:15:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144762#M22577 G_W_Albrecht 2022-03-25T08:15:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144789#M22583 <P>Those drops are probably:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111643&amp;partition=Advanced&amp;product=Quantum" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111643&amp;partition=Advanced&amp;product=Quantum</A><BR />The ones with HTTPS Inspection are probably related to the SNI probing we do to validate SNI (which can be spoofed).</P> Fri, 25 Mar 2022 13:03:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144789#M22583 PhoneBoy 2022-03-25T13:03:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144828#M22592 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/43654">@Netadmin2020</a>&nbsp;</P> <P>M name is&nbsp; Naama Specktor and I am checkpoint employee ,</P> <P>&nbsp;</P> <P>If you opened a TAC SR , I will appreciate it if you will share the number .</P> <P>&nbsp;</P> <P>thanks,</P> <P>&nbsp;</P> <P>Naama&nbsp;</P> Sun, 27 Mar 2022 07:24:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144828#M22592 Naama_Specktor 2022-03-27T07:24:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144829#M22593 <P>I have already inform our partner for the current issue. I am little bit confused about https inspection and sni.Which is the best practice?</P><P>I am on 81.10, your proposal is to apply https bypass to everything and leave the sni to do the job?</P><P>&nbsp;</P> Sun, 27 Mar 2022 07:53:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144829#M22593 Netadmin2020 2022-03-27T07:53:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144937#M22605 <P>HTTPS Inspection is needed to do full threat prevention and content inspection on encrypted traffic.</P> <P>SNI is used to identify domains you are accessing without decrypting the connection.<BR />It can also be used to determine whether or not a connection requires full HTTPS Inspection (i.e. as part of a bypass rule).</P> Mon, 28 Mar 2022 23:51:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Issue-on-matching-rules-after-upgrading-to-81-10/m-p/144937#M22605 PhoneBoy 2022-03-28T23:51:32Z