topic Re: url filtering categorization problem in Firewall and Security Management

url filtering categorization problem

yannick_scorza — Wed, 05 Jul 2023 17:48:15 GMT

Hello,

I'm in R81.10

currently I have a rule in source "any" and destination "any" which matches url-category "spyware/malware" , action "drop" and extended log.

below this rule I have another old rule that matches manually entered domains, source "any", destination: object group with many domains objets inside, action "drop" and extended logs

The objective of the creation of the first rule is to delete the rule below and its 300 objects and only rely on the URL categories for drop.

the problem is that I see that some domains are detected by the second rule and not by the first. when I check one of these domains on https://urlcat.checkpoint.com/urlcat/main.htm I note that the domain is considered as spyware and should therefore be detected by the first rule.

However, the first rule works. some other domains considered spyware are well detected, a session log is present and defines the risk and the category.

I specify that I have defined the url category mentioned above in "any protocol" in general parameters of the category

exemple for domain "backupsec.com" :

it is considered as Spyware / Malicious Sites, General and High Risk on Checkpoint website but it still goes through the second rule because it exists as a "domain" object.

the connection log of the second rule indicates the destination ip and at the very bottom of the log detail it is indicated that this refers to the domain backupsec.com

Since the firewall detects the domain and makes the ip relation, I do not understand why, given that this domain is considered as spyware it is not detected by the first rule.

thanks for your help

Re: url filtering categorization problem

_Val_ — Sat, 08 Jul 2023 08:36:28 GMT

Do you have HTTPS Inspection enabled? If not, TLS connections will not be categorized.

Re: url filtering categorization problem

yannick_scorza — Mon, 10 Jul 2023 06:11:12 GMT

Hi,

i don't have HTTPS Inspection enabled but HTTPS Categorization it is.

I think i solved the problem.

in reality the user tries to join a website other than "backupsec.com", however he has the same ip because he is hosted on a cluster which shares his ip for several websites. As the "backupsec.com" domain is registered as an object in the console, a DNS resolution is made by the firewall and it gives as result the domain that matches the ip encountered. This makes it a false positive.
To summarize, the user has never tried to join "backupsec.com" but the firewall matches the connection because the ip is identical because it is shared.

at least that's what I deduce after analysis