topic Re: Can not surf to a website in Firewall and Security Management

Can not surf to a website

Moudar — Mon, 06 May 2024 14:16:22 GMT

when trying to surf to a specific website i get this error "ERR_EMPTY_RESPONSE" on all browsers.

When I open the same website from a private PC (no firewall) then it works with no problem.

All logs are "Accept" but still getting "ERR_EMPTY_RESPONSE" on browsers

What should I troubleshoot when seeing this: ERR_EMPTY_RESPONSE ?

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 14:34:07 GMT

Can you share what site? Is there ssl inspection involved?

Andy

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 14:44:15 GMT

matematikxyz.com

matematikabg.se

HTTPS is not used

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 14:54:13 GMT

Just tried both in lab with ssl inspection and without and worked fine. Can you confirm what this is set to now? Not sure if you changed it or not...

Andy

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 15:03:33 GMT

it is "Allow all requests" in my case

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 15:07:57 GMT

K, fair enough. Did you make custom category to allow the sites?

Andy

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 15:17:02 GMT

I did not tested to add it there!

Should I add it as an IP address or as FQDN like *.matematikxyz.com ?

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 15:28:01 GMT

I would do both.

Andy

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 15:34:46 GMT

I did both and did not get any hit on the rule!

i have also tested \/matematikxyz\.com and also no hit on the rule!

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 15:39:37 GMT

I would add *matematikxyz* and 208.86.159.100

Andy

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 15:54:17 GMT

One thing I found super useful with these issues is press F12 when going to the site, so it gives you developer browser tool, it may show you if its trying to reach something else as well.

Andy

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 16:05:10 GMT

tried both and not get a hit!

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 16:08:02 GMT

cannot find weird things there!

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 16:14:17 GMT

If you filter logs for that destination IP, just do nslookup, make sure it resolved to same IP, what do you see?

Andy

Re: Can not surf to a website

PhoneBoy — Mon, 06 May 2024 17:40:23 GMT

Let's start with basic information like: Version and JHF level of gateway and maangement.
The exact rules used to allow the traffic (with custom service definitions shown).
What shows in the access logs when you attempt to access these sites (full log card, not just the line in the logs list).

Please provide screenshots where appropriate and redact sensitive details.

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 17:46:37 GMT

I found this interesting thing on the log:

Product version Check Point Gaia R81.20
OS build 631
OS kernel version 3.10.0-1160.15.2cpx86_64
OS edition 64-bit

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 17:48:10 GMT

That sk is essentially long way of telling you 3 way handshake is not completing...so doing fw monitor with -F flag would probably help.

Andy

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 17:51:07 GMT

If the Access Rulebase does not reach a final match on accept, a log appears with a new unique rule specific for this case 'CPNotEnoughDataForRuleMatch' and accept action. !

Re: Can not surf to a website

Moudar — Mon, 06 May 2024 17:51:59 GMT

how would the exact command look like?

Re: Can not surf to a website

the_rock — Mon, 06 May 2024 17:55:28 GMT

Lets assume your PC ip is 10.10.10.10

Idea is this fw monitor -F "srcip,srcport,dstip,dstport,protocol" -F "other way around"

example:

fw monitor -F "10.10.10.10,0,208.86.159.100,443,0" -F "208.86.159.100,0,10.10.10.10,443,0"

As you can see, I left src port and protocol as 0

Just replace 10.10.10.10 with your actual internal IP

Andy