topic Re: Application Control not enforced in General Topics

Application Control not enforced

Filip_Wennerhul — Tue, 26 Mar 2019 16:05:55 GMT

Hi,

Could someone shed some light in why the application control might be enforced in some ways but not in others.

* Version R80.10

* All sites are through HTTPS.

* SSL decryption is activated.

* All Sites are bypassed by SSL decryption

* Firewalls are not using probe Bypass (so the traffic should be inspected first?)

* All sites seem to be correctly categorized in the https log. (as a Custom application/Site with correct Url)

* The traffic is not hitting the firewall rules with said application (custom Site)

Why is the firewall not enforcing it when https inspection is detecting the correct site? (does it have to be inspected even though it can detect the application?)

Also Tried checkpoint ACST and created a signature for some of the sites using CN. These rules seem to hit the application rule some times and sometimes not.

What could be the cause of this? The https inspection is once again detecting and categorizing the application correctly every time but only stopping the traffic sometimes.

Best regards

Re: Application Control not enforced

PhoneBoy — Tue, 26 Mar 2019 17:40:51 GMT

Logs of accepted and dropped traffic may be helpful, along with screenshots of the rules referenced in the logs.

Also note that sometimes web applications can use different URLs, or even the same site may, at times, present different certificate CNs.
So it's possible more specific rules are required.

Re: Application Control not enforced

Filip_Wennerhul — Thu, 28 Mar 2019 09:58:21 GMT

All logs are with same source, user, destination, FW. Its within one minute from eachother.

1. Non working HTTPS session: resource is "test.filtered.com".

2. Working HTTPS session: resource is "test.filtered.com".

3. Non working firewall rule (This one doesnt has a session, Why?).

4. Working Firewall Rule. (this one has a session, Why?)

5. See this matches cleanup rule. (Non working)

6. See this matches the application rule. (working)

7. this is the Session of the owrking one. Application is made by ACST and it matches based on 2 scenarions "*.filtered.com" (wildcard cert) and "test.filtered.com" as common name. This is the same resource as mentioned in both https inspection logs and also the subject/CN when going to the Server and checking the cert provided.

Re: Application Control not enforced

Filip_Wennerhul — Fri, 12 Apr 2019 11:56:54 GMT

Bump. Does bypassing SSL inspection hamper recognization or should it work the same was as when inspected?

Re: Application Control not enforced

Filip_Wennerhul — Fri, 12 Apr 2019 12:38:52 GMT

How does Application and url filter work exactly. Do you have a good source thats collecting all the scenarios for when and how it filters.

HTTP traffic checks the URL from the GET/POST? True/False

HTTPS check the Certificate CN? True/False

Custom Site with "example.com" matches "www.example.com", "example.com" and "example.com/tes/b.htm" but not "mail.example.com" for HTTP? True /False

Custom Site with "example.com/tes/ff/" matches "example.com/tes/ff/", "example.com/tes/ff/b.htm" and "www.example.com/tes/ff/sce/tt/g.htm" but not "example.com" for HTTP? True /False

Custom site with "*.example.com" matches URLS(HTTP) and CN(Cert) for "mail.example.com" and "ftp.example.com/tes/b.htm" but not "example.com" or *.example.com?

Wildcard Cert does not work unless using ACST with adding "*.example.com" as CN? True/False

During a redirect site you must both add "example.com" and "newexamplesite.com" to the custom site? True/False

During a redirect site with a wildcard cert you must both add a custom site with "example.com" and using ACST adding "*.newexamplesite.com"? True/False

Do you know the answers to these questions or can point me to where i can find the answers to these? From what i have learned through SK and testing my opinion is that all of these are true. Have i understood it correct?