topic Re: Security policy inconsistently applied when using Proxy in General Topics

Security policy inconsistently applied when using Proxy

David_Herselman — Wed, 12 Sep 2018 21:06:20 GMT

We have an application layer which allows access to TeamViewer for members of an AD security group:

Everything works perfectly, in that users that are members of this security group can use both the TeamViewer application and navigate to www.teamviewer.com whilst others can't.

If we however then configure an explicit proxy, the application continues to work but members of this security group can no longer navigate to www.teamviewer.com.

Am I missing something or should I log this with TAC?

Re: Security policy inconsistently applied when using Proxy

Danny — Wed, 12 Sep 2018 21:46:35 GMT

The Teamviewer application will always try to find ways through your network to successfully reach the internet.

To identify users behind a proxy to the firewall, the proxy must be configured to add the X-Forwarded-For (XFF) flag to the connections. Only then the rule can match as the user identification succeeds. Check Point can delete the XFF flag within the IA settings of your gateway object.

Re: Security policy inconsistently applied when using Proxy

David_Herselman — Wed, 12 Sep 2018 22:02:19 GMT

The opposite is however true, users that are members of the AD security group are NOT able to access the www.teamviewer.com website whilst they can use the application. Reviewing log records for the rule correctly matches against packets from the application but requests for the website are blocked on a subsequent rule which denies access using the 'Remote Administration' categorisation.

Disabling the explicit proxy and sending traffic directly results in everything working as it should, users that are members of the security group can use the application and browse to the www.teamviewer.com website.

ie: Browsing to www.teamviewer.com, when configuring the browser to send connections DIRECTLY to the security gateway's proxy port, does not match the 'TeamViewer' application in a policy rule whilst it does when one disables the proxy settings in the browser.

Re: Security policy inconsistently applied when using Proxy

Danny — Wed, 12 Sep 2018 22:10:10 GMT

I don't see a custom web application for the website www.teamviewer.com in your rule.

Re: Security policy inconsistently applied when using Proxy

David_Herselman — Thu, 13 Sep 2018 07:03:09 GMT

I'm not aware of a requirement to specifically list sites when using the proxy interface on a Check Point security gateway.

If I do not configure the security gateway as an explicit proxy and navigate to www.teamviewer.com via a web browser the site is correctly associated with the rule:

If all I subsequently do is point the browser directly at the Check Point security gateway's proxy interface, browsing sessions to www.teamviewer.com are not matched by the rule that references the TeamViewer application. Herewith the log record from the subsequent rule which blocks Remote Administration category for everyone else in the network:

PS: We've been using Squid for 20+ years and are used to referencing a proxy on port 3128. We subsequently configured the Check Point Security Gateway to listen on this port as well. There are NO intermediary proxy servers between the browser and the security gateway.