topic Re: URLF, does not block in Firewall and Security Management

URLF, does not block

Matlu — Tue, 08 Jul 2025 16:08:33 GMT

Hello, community.

I have URLF and APPC blades active in my FW CP.

The detail is that certain traffics are not blocked, when in fact they should be blocked, according to the explicit rule created in the FW.

For example, the domains thisisgore.com and bestgore.fun, are inside an "Application/Site" added in the URL List part, as independent entries, here I put the example.

*.bestgore.fun
bestgore.fun
thisisgore.com
*.thisisgore.com

The detail is that my rule says, that the segment x.x.132.0/24 when it tries to reach that destination, it must be "blocked", but really it is not blocked, because the segment can reach those resources.

Below I have an almost free rule, that allows that same segment to reach the Internet in general, but this should not happen.

I don't have HTTPS Inspection enabled in FW, and I have a rule at the top of my rule base, where I block QUIC for all my private segments.

Is there any way to debug for web traffic?
Is it necessary to enable HTTPS Inspection when working with URLF and APPC?

Thanks for your comments.

Re: URLF, does not block

PhoneBoy — Tue, 08 Jul 2025 17:40:41 GMT

It's not strictly necessary, but it is becoming increasingly more difficult to see where HTTPS traffic is going without using HTTPS Inspection.

What version/JHF are we talking about here?
Using Extended logging on the relevant rules is a good starting point for debugging, which will help determine how the gateway "sees" the traffic.

Re: URLF, does not block

Matlu — Tue, 08 Jul 2025 18:57:03 GMT

I have the R82 version with JHF Take 19.

Is it normal that when in the log browser you put the domain “thisisgore.com” nothing appears in the logs, but if I search by the IP that resolves that domain, if I find traffic related to that IP?

This is because of a bad definition in the FW rule with the URL Filtering profile?

Thanks for your comments

Re: URLF, does not block

PhoneBoy — Tue, 08 Jul 2025 19:24:52 GMT

Not every field in the logs is indexed (meaning, you cannot find it by search), so that may be expected.
Seeing the actual rules used to "allow" the traffic and the actual log entries generated (full log cards) will help.

Re: URLF, does not block

the_rock — Tue, 08 Jul 2025 19:25:33 GMT

You dont have to enable ssl inspection, but without it, you might be limited as far as things you can do with url filtering.

Andy

Re: URLF, does not block

Lesley — Tue, 08 Jul 2025 19:33:27 GMT

Is Categorized HTTPS Sites option enabled in Smart Console?

This the bare minimum that should be enabled.

https://support.checkpoint.com/results/sk/sk182318

Re: URLF, does not block

Matlu — Tue, 08 Jul 2025 20:09:08 GMT

Hello

Is this option necessary to enable it?

I have made an additional block, where I focus on blocking the category to which the domain thisisgore.com belongs (Tasteless, Low Risk), but the traffic is still allowed and should not be so

I have one rule explicitly blocking the domain, and the other new rule blocking the category but the traffic does not match these rules and goes to my most allowable rule which is almost at the end of my rule base

We don't have control over all users so enabling HTTPS Inspection is not a viable option now.

Thanks for the feedback

Re: URLF, does not block

the_rock — Tue, 08 Jul 2025 20:59:53 GMT

Hey bro,

It might help, but again, without ssl inspection, you will not get all the benefits.

Andy

Re: URLF, does not block

Chris_Atkinson — Wed, 09 Jul 2025 06:49:55 GMT

What level of logging is set in the track field for the matching rule is it detailed or extended?

sk120536: Application Control or URL Filtering does not produce logs in Logs & Monitor view

Re: URLF, does not block

the_rock — Wed, 09 Jul 2025 12:40:05 GMT

Great point Chris, extended logging definitely helps.

Andy

Re: URLF, does not block

Lesley — Wed, 09 Jul 2025 12:48:21 GMT

Yes, you either pick full HTTPS inspection OR Categorized HTTPS Sites option

Or you enable both

Start to enable Categorized HTTPS Sites option , no changes are needed on users for this. It checks the certificate without full decryption

Re: URLF, does not block

Matlu — Wed, 09 Jul 2025 13:34:48 GMT

Currently I have the logs related to URL in Detailed mode.

If I put it in ‘Extended’ mode, can it stay this way permanently? Or is there any risk of high resource consumption?

Thanks

Re: URLF, does not block

PhoneBoy — Thu, 10 Jul 2025 17:32:16 GMT

The option to log something Detailed/Extended is just like any option in a rule: it'll stay configured that way until you change it.
Extended logging only makes sense if the traffic is subject to HTTPS Inspection, which is the only way to see the full URL.
Otherwise, thinking about it, not sure Extended logging makes any sense here.

However, there are some improvements to HTTPS Inspection logging (relevant here, even if you're not actually using it) in later JHFs that might be worth considering.