https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197591#M36908 <P>Hello,</P> <P>Your recommendation is to make an exception policy in the TP section?</P> <P>Or is it to make a Bypass in the HTTPS Inspection section?</P> <P>Could you give me an example, please?</P> <P>Regards</P> Thu, 09 Nov 2023 13:01:51 GMT Matlu 2023-11-09T13:01:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197492#M36892 <P>Hello,</P> <P>I currently have HTTPS Inspection || AntiBot || Antivirus enabled, on my ClusterXL HA.</P> <P>The problem is that my local network cannot reach a URL that is on the Internet.</P> <P>What I see in the logs is that the traffic to the URL is "activating" the AntiBot blade.</P> <P>In the Cluster object in the SmartConsole, the Antibot&amp;Antivirus section is set to "Detect Only" mode, but there is a rule in TP where the associated profile is the "Optimized" profile.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TP3.png" style="width: 871px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23128i699328257998F32A/image-size/large?v=v2&amp;px=999" role="button" title="TP3.png" alt="TP3.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TP2.png" style="width: 918px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23129i668A1C2162E374A6/image-size/large?v=v2&amp;px=999" role="button" title="TP2.png" alt="TP2.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TP1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23130iB2C2C368E2EC14A2/image-size/large?v=v2&amp;px=999" role="button" title="TP1.png" alt="TP1.png" /></span></P> <P>So, can the Cluster block the traffic ignoring the "Detect Only", and take more "priority" to the rule defined in the TP?</P> <P>I share a log where you can see better the traffic that I expose.</P> <P>Thanks</P> Wed, 08 Nov 2023 19:14:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197492#M36892 Matlu 2023-11-08T19:14:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197516#M36896 <P>That attached log shows 'detect' action and a bunch of bytes tx and rx.&nbsp; Maybe the site is not compatible/getting broken by HTTPS inspection and it is not the threat policy directly dropping it?&nbsp; Could try to make a lower level exception/bypass of the threat policy, based on destination IP, to see if the site works solely with HTTPS inspection enabled.</P> Wed, 08 Nov 2023 22:08:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197516#M36896 Lloyd_Braun 2023-11-08T22:08:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197591#M36908 <P>Hello,</P> <P>Your recommendation is to make an exception policy in the TP section?</P> <P>Or is it to make a Bypass in the HTTPS Inspection section?</P> <P>Could you give me an example, please?</P> <P>Regards</P> Thu, 09 Nov 2023 13:01:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197591#M36908 Matlu 2023-11-09T13:01:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197597#M36911 <P>I was thinking a TP exception based on destination IP address, then if it is still broken, it would appear to be HTTPS inspection causing the issue.&nbsp; You could also do HTTPS inspection bypass based on destination IP- I would assume that would fix it, but that also would blind the TP blade so you wouldn't know 100% if it was TP or HTTPSi that was breaking it.&nbsp;</P> Thu, 09 Nov 2023 13:53:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197597#M36911 Lloyd_Braun 2023-11-09T13:53:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197598#M36912 <P>I have the impression, that it is the blade of the Antibot.</P> <P>I am not sure.</P> <P>The Cluster object, in the "Antibot/Antivirus" section is set to DETECT ONLY, but other than that, we have an explicit rule in the TP section, and I'm not sure, if the CLUSTER, omits its global setting in the object and gives more importance to what is "explicitly" defined by rules.</P> <P>The explicit TP rule has an OPTIMIZED profile, and that profile, as I see, has several "PREVENT" enabled.</P> <P>Maybe this could be the root-cause of the problem.</P> <P>I am not sure about this behavior.</P> Thu, 09 Nov 2023 13:59:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197598#M36912 Matlu 2023-11-09T13:59:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197599#M36913 <P>In your policy, detect is set for low confidence protections only. Why do you think that Anti-Bot is on detect only fully? Does not seem to be the case, if looking on the screenshot above. The log shows "High" confidence level, and it is set to Prevent</P> Thu, 09 Nov 2023 14:09:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197599#M36913 _Val_ 2023-11-09T14:09:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197601#M36914 <P>I would say making an exception is your best bet.</P> <P>Andy</P> Thu, 09 Nov 2023 14:36:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Traffic-blocked-by-TP/m-p/197601#M36914 the_rock 2023-11-09T14:36:11Z