https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163544#M70308 <P>How so? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Nov 2022 12:32:49 GMT the_rock 2022-11-29T12:32:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163466#M70302 <P>Hi,</P><P>Two questions:</P><P>1. Is URL Categorization based on SNI or "Application Name" (CN name ?) when the gateway is deciding on witch category destination falls in to?</P><P>2. Does the categorization not being done when destination has a untrusted certificate?</P><P>&nbsp;</P><P>Regards,</P><P>Anders Larsson</P> Tue, 29 Nov 2022 08:50:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163466#M70302 andersplarsson 2022-11-29T08:50:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163531#M70303 <P>In earlier release (pre-R80.30) only CN was used, now verified SNI is used when available.<BR />Part of the verification process is checking the cert provided by the remote server matches the SNI requested by the client.<BR />HTTPS Inspection actually requires the certificate be signed by a valid CA, not sure this is required merely for categorization.<BR />When this fails for HTTPS Inspection, there are definitely log messages.</P> Tue, 29 Nov 2022 11:23:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163531#M70303 PhoneBoy 2022-11-29T11:23:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163540#M70304 <P>I am pretty sure what phoneboy said is also done by any other major vendors that do https inspection, but thats the gist of it really.</P> Tue, 29 Nov 2022 11:58:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163540#M70304 the_rock 2022-11-29T11:58:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163541#M70305 <P>Thanks for the reply!</P><P>If HTTPS Inspection is not being used only URL-categorization, is there any change of how this is categorized for R81.10?</P> Tue, 29 Nov 2022 12:16:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163541#M70305 andersplarsson 2022-11-29T12:16:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163542#M70306 <P>That is not exactly true, I am afraid. I think you misunderstood what PH conveyed <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Nov 2022 12:26:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163542#M70306 _Val_ 2022-11-29T12:26:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163543#M70307 <P>As&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;mentioned, with R80.40 and up, we are using a patented SNI validation. As part of it, we request a site certificate and make sure it is valid and corresponds to the rest of web request data: SNI and URL.<BR /><BR />The URL categorization is part of this process, and it is done via HTTPS even if you did not enable HTTPSi on your security GW.</P> Tue, 29 Nov 2022 12:28:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163543#M70307 _Val_ 2022-11-29T12:28:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163544#M70308 <P>How so? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Nov 2022 12:32:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163544#M70308 the_rock 2022-11-29T12:32:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163545#M70309 <P>The main differentiator from the rest of the competitors is SNI validation. Instead of taking it for granted, we actually pull the server certificate and compare its details with the SNI data.</P> <P>This is, or at least was, unique for Check Point when R80.40 was out, and we filed a patent application for it.</P> <P>Hope this makes sense.</P> Tue, 29 Nov 2022 12:39:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163545#M70309 _Val_ 2022-11-29T12:39:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163547#M70310 <P>A kk, I see what you mean, makes sense. Though, Im pretty positive that Fortinet and PAN do it nowdays as well.</P> Tue, 29 Nov 2022 12:45:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163547#M70310 the_rock 2022-11-29T12:45:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163564#M70311 <P>So if the certificate is not trusted there is no categorization?&nbsp;</P><P>/Anders</P> Tue, 29 Nov 2022 14:27:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163564#M70311 andersplarsson 2022-11-29T14:27:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163567#M70312 <P>Actually, the change was introduced in R80.30 and backported to R80.20 JHF.<BR />I believe SNI Verification requires HTTPS Inspection to be enabled in R80.20 and R80.30, but it is not required in R80.40 and above.</P> Tue, 29 Nov 2022 14:35:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Categorization/m-p/163567#M70312 PhoneBoy 2022-11-29T14:35:38Z