https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155175#M26428 <P>Honestly, if I were in your situation, best thing I would look for is logs in smart dashboard and also maybe search for keywords in messages files...so for example, if you are wondering about specific site, say <A href="http://www.cnn.com" target="_blank">www.cnn.com</A>&nbsp;(just as an example), you could do something like this from gateway master member (if its a cluster)</P> <P>grep -i cnn /var/log/messages*</P> <P>Andy</P> Wed, 17 Aug 2022 21:17:45 GMT the_rock 2022-08-17T21:17:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155115#M26424 <P>Hi Team,</P><P>We are accessing a&nbsp;genuine URL but its DROP by matching a drop rule.</P><P>We check the logs and find out that its showing destination as a as accessing URL but also a additional domain address "<STRONG>workisboring.com</STRONG>".</P><P>For&nbsp;<STRONG>workisboring.com </STRONG>we already created a DROP rule for this which matched in our case for intial 5 to 10 min for 1st time access and then its matched the accept rule and able to access the URL and then again we checked the logs find out that its matched the accept rule but this time we have not saw the additinal&nbsp;<STRONG>workisboring.com </STRONG>because now its matched on different rule.</P><P><STRONG>Let me knnown Team what is the issue that time?</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PHOTO-2022-08-17-10-12-34.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17446i102FEF190574C7A1/image-size/large?v=v2&amp;px=999" role="button" title="PHOTO-2022-08-17-10-12-34.jpg" alt="PHOTO-2022-08-17-10-12-34.jpg" /></span></P> Wed, 17 Aug 2022 07:46:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155115#M26424 Bulu_N 2022-08-17T07:46:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155130#M26425 <P>What precise rule is it matching on?<BR />What precise rule do you believe it should be matching on?<BR />Is HTTPS Inspection being used?<BR />What version/JHF?</P> Wed, 17 Aug 2022 14:06:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155130#M26425 PhoneBoy 2022-08-17T14:06:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155134#M26426 <P>Here are my questions...</P> <P>1) What rule is it dropped on?</P> <P>2) Are you using ORDERED or INLINE layer for URL filtering?</P> <P>3) Did this ever work before?</P> <P>Andy</P> Wed, 17 Aug 2022 14:15:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155134#M26426 the_rock 2022-08-17T14:15:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155169#M26427 <P><STRONG>Hi&nbsp;Andy,</STRONG></P><P>Thank you so much for the response.</P><P>Here are my Answers :&nbsp;</P><P>1) What rule is it dropped on?</P><P><STRONG>Rule number is 3 and 4 which is we using for block the incoming and outgoing connection towards black</STRONG><STRONG>list IP address&nbsp;</STRONG></P><P><STRONG>we mentioned sources as ANY and destination as blacklisted </STRONG>&nbsp;<STRONG>on</STRONG>&nbsp;<STRONG>rule number 3 which we are multiple Blacklisted IP address as well as domain address also &nbsp;rule 4 for outgoing source will be Black listed IP address.</STRONG></P><P>2) Are you using ORDERED or INLINE layer for URL filtering?</P><P>&nbsp;<STRONG>ORDERED</STRONG></P><P>3) Did this ever work before?</P><P><STRONG>Yes its working fine before but after upgrading to R81.10 we face this kind of issue&nbsp;</STRONG></P><P><STRONG>so during the firs time only we face this issue for few minutes and then it’s automatically working fine and till 3 days gone we haven’t see the access issue.</STRONG></P><P><STRONG>I Need a RCA for this pls help</STRONG></P> Wed, 17 Aug 2022 20:05:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155169#M26427 Bulu_N 2022-08-17T20:05:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155175#M26428 <P>Honestly, if I were in your situation, best thing I would look for is logs in smart dashboard and also maybe search for keywords in messages files...so for example, if you are wondering about specific site, say <A href="http://www.cnn.com" target="_blank">www.cnn.com</A>&nbsp;(just as an example), you could do something like this from gateway master member (if its a cluster)</P> <P>grep -i cnn /var/log/messages*</P> <P>Andy</P> Wed, 17 Aug 2022 21:17:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155175#M26428 the_rock 2022-08-17T21:17:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155225#M26429 <P>If you need a formal RCA, please open a TAC case.</P> <P>That said, it's pretty obvious there is something in the traffic that causes it to be classified differently at different points of time.<BR />As we are continually analyzing traffic flows, this is normal.<BR />Packet captures of the relevant traffic are likely required to understand what's happening and why.<BR />There are likely other debugs necessary here that the TAC can advise you on.</P> Thu, 18 Aug 2022 15:19:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155225#M26429 PhoneBoy 2022-08-18T15:19:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155234#M26430 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/52830">@Bulu_N</a>&nbsp;...I agree with&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;and his last response. Those are all GREAT points, so TAC case would probably be best in your case.</P> <P>Andy</P> Thu, 18 Aug 2022 16:41:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155234#M26430 the_rock 2022-08-18T16:41:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155354#M26431 <P>Manage and settings / blades / application control And URL filtering / advanced settings / general / Fail mode<BR />is it set to fail-open or fail-closed ?</P> <P>&nbsp;</P> <P>if its failed-closed I would check var/log/messages for the same time as you saw drops for any indication of errors.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 22 Aug 2022 02:29:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Acessing-URL-matched-and-DROP-with-different-rule-Logs-showing/m-p/155354#M26431 Ryan_Ryan 2022-08-22T02:29:06Z