topic Re: Loss of a rule hit in AppCtrl-URLFltr... in General Topics

Loss of a rule hit in AppCtrl-URLFltr...

Lloyd_Barnett — Thu, 07 Dec 2017 17:28:41 GMT

anyone have a rule that just stops getting hits in the AppCtrl-URLFltr blade? I have hits for pornography/gambling categorization etcetera that have just stopped being blocked and are not logged as a block, obviously (domains categorized and verified) as when I test to some of these sites I have access/page loads...

anyone else see a rule just "drop"?

Re: Loss of a rule hit in AppCtrl-URLFltr...

Timothy_Hall — Thu, 07 Dec 2017 18:10:56 GMT

Do you have Website Categorization Mode set to "Hold" or "Background"? How many total filtered users do you have?

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: Loss of a rule hit in AppCtrl-URLFltr...

Lloyd_Barnett — Thu, 07 Dec 2017 20:07:07 GMT

Hi Tim,

Categorization is set to "background" and we don't do filtered users (presuming some kind of ID awareness?) but do hope to kluge that up too someday...

I did try throwing all six copies we have of your book at it, and it only knocked over the monitor...

Re: Loss of a rule hit in AppCtrl-URLFltr...

Daniel_Taney — Thu, 07 Dec 2017 21:34:40 GMT

Is there a chance that a more generic rule got placed above it in the AppCtrl policy that is now matching that traffic? If you look in SmartLog you should be able to see what App Control rule was matched when the traffic was allowed. Is that rule above the Drop / Block rule in question?

Re: Loss of a rule hit in AppCtrl-URLFltr...

Kurt_Lee — Thu, 07 Dec 2017 22:01:32 GMT

I believe I have the same situation.

I've noticed that all categories that have only 'url filtering' blade are without applications. I don't remember if this is indeed the correct behavior. I don't think so.

Does anyone know what that is about?

Re: Loss of a rule hit in AppCtrl-URLFltr...

Timothy_Hall — Thu, 07 Dec 2017 22:15:47 GMT

If the firewall's rad process is having problems you will see behavior like this (and slow initial page loads), can I assume you are running the latest GA Jumbo HFA for R77.30 or R80.10? This is extensively covered in second edition of my book, does cpwd_admin list show rad getting restarted? For R77.30 especially there were a lot of problems with rad fixed by the jumbo HFA.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: Loss of a rule hit in AppCtrl-URLFltr...

Timothy_Hall — Thu, 07 Dec 2017 22:18:04 GMT

Nope that's normal, that particular category is all about inappropriate content (not a specific application) which is what URL Filtering is for, not App control.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: Loss of a rule hit in AppCtrl-URLFltr...

Kurt_Lee — Fri, 08 Dec 2017 00:06:11 GMT

Thanks for your answer!

Re: Loss of a rule hit in AppCtrl-URLFltr...

Lloyd_Barnett — Tue, 12 Dec 2017 15:17:24 GMT

Hi Tim,

RAD is running -as other rules are getting hit, just these (2) particular rules refuse to uphold the law. I stopped and restarted RAD just for kicks and giggles, I also did by alternating "fail-open" and "fail-safe" and no changes there. As for rules, we've removed and then added and moved but no change. No rules catch it above -I even pushed to the top. A couple of items missed Tim, you reminded me to have conveyed.

Management R77.20

Gateways R77.30 JHF (take 286)

Re: Loss of a rule hit in AppCtrl-URLFltr...

Timothy_Hall — Tue, 12 Dec 2017 17:38:47 GMT

Um, isn't it not supported to have the SMS be an older minor release than that gateway? There weren't too many changes to APCL/URLF policies from R77.20 to R77.30 but that seems odd.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Re: Loss of a rule hit in AppCtrl-URLFltr...

Lloyd_Barnett — Tue, 20 Feb 2018 03:17:01 GMT

Hi Tim,

I thought this changed in R77x where you can "manage up" from Manager to Gateway.

It appears the issue has something to do with -and I'm gonna write this out with some skepticism, you'll just have to take it as gospel:

(domains).checkpoint.com changed IPs at some point
our implied rule to allow access to said domains was pushed down in the order of implied rules
- this is due to us running traditional VPN (??? -I'm gonna have to research the "how and why" on that one)
rejection of the site's access and intermittent updating this crippled for some odd reason JUST these two rules

...I also believe there was a third gunman, does that seem to jive (I at least get the issue of not getting updates)?

LDB