topic Re: Not Inspected Traffic in General Topics

Not Inspected Traffic

Matlu — Fri, 14 Jul 2023 15:14:23 GMT

Hello, everyone,

We are in the process of implementing the IA+APPC&URLF+HTTPS Inspection... blades.

So far everything seems to be going "fine".

We are using the IDC for the iA blade.

We are working with separate layers (1 Firewall layer, 1 APPC+URLF layer).

The rules are working fine so far, but there are some "alerts".

We are blocking access to "Social Networking" for a group of users.

The rule is working, but there is some traffic, such as consumption of the Facebook page, which is not blocked and is allowed to pass.

We are using a self-signed certificate, which is already deployed to the users by GPO.

When a user consumes Facebook via web, the page does open (and this should not happen).

I get the "untrusted site" message from the page, and when I check the certificate, I don't see our certificate, I see the public certificate.

This behavior is happening on some pages, not all.

Do you know what steps can be followed in this scenario, to get pages like Facebook blocked?

Thanks for your help.

Re: Not Inspected Traffic

Chris_Atkinson — Fri, 14 Jul 2023 16:11:31 GMT

Are you using Google Chrome to test or are multiple browsers affected?

Is Quic traffic blocked or allowed in the environment?

Re: Not Inspected Traffic

Matlu — Fri, 14 Jul 2023 16:29:29 GMT

Hello,

I had not read about "QUIC Traffic", until now.

Where can I validate that?

We have tested in 3 browsers, Chrome, Edge, Mozilla.

They are only for "certain" pages.
Facebook web, is one of them.
The rest of the pages, if it is blocking them by the rule created.

Greetings.

Re: Not Inspected Traffic

the_rock — Fri, 14 Jul 2023 17:39:45 GMT

There is built in quic application in R81.20 you can use (not sure lower versions). If not, you can do below:

https://support.checkpoint.com/results/sk/sk111754

Also, I attached how I have it set in my lab. Its only appc+urlf blade in that layer.

Andy

Re: Not Inspected Traffic

Matlu — Fri, 14 Jul 2023 17:48:36 GMT

Hey, bro

I have version R81.10 in production.

I'm going to check the SK.

The weird thing is that it only happens for certain "web pages".

The rest of the pages are being inspected and blocked according to our policies.

We have the layers separated (as you can see in the following image)

Cheers. 🙂

Re: Not Inspected Traffic

PhoneBoy — Fri, 14 Jul 2023 22:44:38 GMT

QUIC traffic is not categorized by Check Point.
There needs to be an explicit rule blocking this service in the Access Policy.

Re: Not Inspected Traffic

Matlu — Fri, 14 Jul 2023 23:02:08 GMT

Hello, PhoneBoy.

You would have to create an explicit rule in the Firewall layer, denying the "UDP/443" service, which I understand is what the QUIC uses, and also create an explicit rule in the APPC+URLF layer, is this correct?

Or is it enough just to create the drop rule in the Firewall layer?

Thank you.

Re: Not Inspected Traffic

the_rock — Fri, 14 Jul 2023 23:05:44 GMT

Fw layer is good bro. Idea is this...whatever is dropped on first layer, there is no more checks. Whatever is accepted on fw layer, it has to be accepted on all additional layers.

Andy

Re: Not Inspected Traffic

Matlu — Fri, 14 Jul 2023 23:10:31 GMT

Haaa, Ok.

So, I can define an explicit rule only in the Firewall layer, something like this:

Source: Any
Destination: Any
Service: QUIC (UDP/443)
Action: DROP

With this explicit rule, it would be enough for me to block the famous "QUIC", right?

Re: Not Inspected Traffic

the_rock — Fri, 14 Jul 2023 23:23:10 GMT

Yes sir 🙂

Re: Not Inspected Traffic

Matlu — Sat, 15 Jul 2023 00:17:10 GMT

I will test the recommendation in the work window, because it is very rare that only for certain pages, it does not apply the block filter for web pages.

Re: Not Inspected Traffic

Chris_Atkinson — Sat, 15 Jul 2023 03:26:21 GMT

Are you able to provide a screenshot of the log card showing that the traffic was allowed?

(Please redact sensitive information).