topic Re: Usercheck acting weird in Firewall and Security Management

Usercheck acting weird

Moudar — Mon, 01 Jan 2024 14:47:58 GMT

On my lab I am trying to use usercheck alongside with HTTPS inspection:

Rule 11.2

When trying to connect to Cnn.com a notification comes up and everything is fine and work as expected.

When try to connect to Youtube or facebook i get "this site can't be reached"

when checking the logs i see that youtube and facebook are rejected for a reason that i don't know:

I don't know why rule 11.2 is rejecting youtube and facebook when the action is inform and cnn is working!

this is how HTTPS inspection is configured:

Re: Usercheck acting weird

Timothy_Hall — Mon, 01 Jan 2024 15:10:52 GMT

Your browser (probably Chrome) has pinned HTTPS certificates for popular sites such as facebook and definitely youtube which is a google-owed site. In these cases the browser itself will block the display of the UserCheck as a man-in-the-middle attack, which it most certainly is. Try a few different browsers.

Re: Usercheck acting weird

Moudar — Mon, 01 Jan 2024 15:23:03 GMT

What is the purpose of Userchek then, if Chrome (which is the most used browser) will block it?

Re: Usercheck acting weird

Timothy_Hall — Mon, 01 Jan 2024 21:57:48 GMT

Chrome will only block UserChecks for sites whose certificates are pinned in the browser, which will always include google-owned sites (youtube, google.com, etc) and key major sites like fakebook. Chrome is sensing what it perceives to be a man in the middle attack and blocking it, and there is no way to disable this that I know of.

The purpose of UserChecks is attempting to notify the user that their connection was blocked (it is not a connectivity/DNS problem), and provide a reference number they can use when trying to find the specific block event in the logs. However there are a variety of technical situations where a UserCheck cannot be sent to the user, or it is sent but the user cannot see it. You have run into one of those situations. Another example: any blocks/drops by the IPS blade will never send a UserCheck as IPS does not support that feature at all.

Re: Usercheck acting weird

the_rock — Mon, 01 Jan 2024 22:33:01 GMT

Make sure user check is enabled for all interfaces under gateway object properties (portal -> user check) and test. if same issue, try maybe resetting Chroms browser and see if same happens.

Happy New Year.

Best,

Andy

Re: Usercheck acting weird

Marcel_Gramalla — Tue, 02 Jan 2024 10:19:55 GMT

The issue in your policy is that Facebook and YouTube is not HTTPS inspected but bypassed as shown in your screenshot. This is because you use the "HTTPS services - bypass" object where Facebook is included (and bypassed). You can find all domains etc. in this SK HTTPS Inspection bypass list object (checkpoint.com)

And if your gateway doesn't inspect the traffic it can't display the UserCheck page and simply rejects the connection which is to be expected.

Re: Usercheck acting weird

the_rock — Tue, 02 Jan 2024 13:52:57 GMT

Thats an excellent point, did not see that from the screenshots the first time.

Best,

Andy