https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253581#M49690 <P>If the issue is reproducible I&nbsp;would suggest reviewing further with TAC.</P> <P>Note for awareness Take 99 lists the following:</P> <P>PRJ-56812 -&nbsp;Application Control - An application may not be matched to an Application Control rule.</P> Mon, 21 Jul 2025 13:18:18 GMT Chris_Atkinson 2025-07-21T13:18:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253511#M49686 <P>Hi all,</P><P>Scenario:&nbsp;</P><OL><LI>Smart-1 Cloud (R82)</LI><LI>Cloudguard Network Security (R81.20) HA (Azure)</LI><LI>Perimeter fw in Hub VNET.&nbsp;</LI><LI>URLF and AppControl blades enabled</LI><LI>And enabled in the policy</LI><LI>Inline layers configured for web browsing (any traffic; common web ports)</LI><LI>I have enabled categorise HTTPS traffic by SNI&nbsp;</LI></OL><P>I have been turning on URLF and AppControl and doing some testing on it. I created a very simple policy using inline layers</P><UL><LI>sub-layer 1: Allow categories Very Low Risk, Low Risk, Medium Risk</LI><LI>sub-layer 2: Block categories High Risk, Critical Risk, Unknown Risk</LI><LI>sub-layer 3: Clean-up.</LI></UL><P>We found a High Risk (4) application in the logs but it is being allowed by the sub-layer 1 despite being a High Risk application.&nbsp;</P><P>The application definition says you need to apply HTTPS Inspection but the it is being properly categorised without HTTPS Inspection being applied yet is being caught by sub-layer 1.&nbsp;</P><P>Is this expected behaviour? Any other thoughts on how to resolve this?</P><P>I want to keep HTTPS Inspection to a minimum.&nbsp;</P> Sun, 20 Jul 2025 13:11:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253511#M49686 wanartisan 2025-07-20T13:11:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253512#M49687 <P>Categorisation set for background or hold?</P> <P>Are you able to share the example application?</P> <P>R81.20 Jumbo T65 or higher?</P> <P>Is QUIC traffic blocked in the environment?</P> Sun, 20 Jul 2025 14:09:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253512#M49687 Chris_Atkinson 2025-07-20T14:09:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253518#M49688 <P>All excellent questions by Chris. Apart from that, can you send the relevant log? Please blur out any sensitive data. I can tell you from my experience, below is what I found works best.</P> <P>Andy</P> <P><A href="https://community.checkpoint.com/t5/General-Topics/https-inspection-tip-feedback-suggestion/m-p/253038#M42425" target="_blank">https://community.checkpoint.com/t5/General-Topics/https-inspection-tip-feedback-suggestion/m-p/253038#M42425</A></P> Sun, 20 Jul 2025 18:02:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253518#M49688 the_rock 2025-07-20T18:02:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253524#M49689 <P>Hi Chris,</P><P>We're on Take 98 and QUIC is blocked.</P><P>I think I have found the reason for the Allow in the Matched Rules part of the log - it is classed as Medium risk. So why is a High risk app matching as Medium?&nbsp;&nbsp;</P><P>I can attached the sub-layers and log output.&nbsp;</P> Mon, 21 Jul 2025 07:42:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253524#M49689 wanartisan 2025-07-21T07:42:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253581#M49690 <P>If the issue is reproducible I&nbsp;would suggest reviewing further with TAC.</P> <P>Note for awareness Take 99 lists the following:</P> <P>PRJ-56812 -&nbsp;Application Control - An application may not be matched to an Application Control rule.</P> Mon, 21 Jul 2025 13:18:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253581#M49690 Chris_Atkinson 2025-07-21T13:18:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253600#M49691 <P>Thanks Chris,</P><P>Could be that, I guess. I've scheduled and update to T05. Will report back.&nbsp;</P> Mon, 21 Jul 2025 17:01:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AppControl-URLF-Rules-and-classification/m-p/253600#M49691 wanartisan 2025-07-21T17:01:59Z