topic Re: URL Filtering Issue via VPN in SASE and Remote Access

URL Filtering Issue via VPN

Zee — Wed, 18 Jun 2025 12:36:45 GMT

Hi,
I was testing Web/URL Filter on test firewall but the response is very random in terms of website getting blocked. I am not using Https inspection for now as I wanted to make a use case without enabling Https inspection and if it can get the job done, then it will save a lot of hassle. Currently, I am testing in a setup where my test machine is connected to production firewall and traffic is routed via VPN to my test firewall where I am currently testing. I have used almost all regex syntax that I could find and I can see dropped packets but the website still gives a random response i.e. it gets blocked but it works as well randomly. This is the session which is accepting the traffic with akamai destination but test website shows some blocked sessions. Let me know if I can find related issue resolution before further troubleshooting as I am new to checkpoint and still exploring. I think VPN decryption is overriding HTTPS inspection behavior but I am a bit confused about the solution.
One side note, if I use pre configured checkpoint applications like Facebook, I dont see this issue but when I block some https website for example nayatel.com or yahoo.com, I see these VPN decrypted packets in logs and yahoo does not blocked and ignored the configured rule for it. My test firewall is R81.10 Jumbo Hotfix Take 130 as it was not being used previously for testing. I am basically confused about attached packet and want to take advice if this is what causing the issue or it could be something else. Thank You.

Re: URL Filtering Issue via VPN

Chris_Atkinson — Wed, 18 Jun 2025 13:18:43 GMT

I would upgrade to at least JHF T150 to conduct any meaningful testing, please refer:

https://support.checkpoint.com/results/sk/sk182318

Re: URL Filtering Issue via VPN

Zee — Wed, 18 Jun 2025 13:16:04 GMT

Yes, I am going to upgrade it to T174 today and will test again, but just wanted to ask if its a known query or not in the meanwhile.

Re: URL Filtering Issue via VPN

Zee — Wed, 18 Jun 2025 14:09:53 GMT

Apparently, upgradation has resolved the issue but I will test it for sometime. I would still love to know the root cause of this for my own learning, if possible. Moreover, is there any way to show a block page without enabling HTTPs inspection. As I am thinking of a substitute of Cisco Umbrella DNS security, so I am asking this in that context. Thank You.

https://community.checkpoint.com/t5/General-Topics/Check-Point-vs-Cisco-Umbrella/m-p/250374#M41852

Re: URL Filtering Issue via VPN

Timothy_Hall — Wed, 18 Jun 2025 15:05:13 GMT

"Categorize HTTPS Sites" has very limited capabilities in lieu of full HTTPS Inspection. Filtering may not always be accurate as all it has to work with is the SNI prior to encryption. There are many ways around this which explains why randomly some sites are blocked and others aren't, and unless you turn on full HTTPS Inspection UserChecks simply cannot work as the browser will block them as a downgrade redirection attack from HTTPS to HTTP. This is proper behavior by the browser, and a classic attack vector even though we "the good guys" are trying to display a UserCheck.

Re: URL Filtering Issue via VPN

PhoneBoy — Wed, 18 Jun 2025 21:55:43 GMT

Are you also EXPLICITLY blocking QUIC traffic?
Web browsers use this by default where the server supports it and we cannot perform web filtering on it until R82.
Also, the reports from customers suggest R82 is better at identifying sites without HTTPS Inspection than prior releases.

Re: URL Filtering Issue via VPN

the_rock — Thu, 19 Jun 2025 00:35:41 GMT

I dont believe there is any way to show block page without ssl inspection on. if you think about, in simple terms, without inspection enabled, there is nothing for firewall to intercept, if you will, so all users would see if message "page cant be displayed" or page is reset, something along those lines.

Andy

Re: URL Filtering Issue via VPN

Zee — Fri, 20 Jun 2025 12:29:07 GMT

Yes, I understand. Its just this is what I have to work around somehow as I have to enable Https Inspection and install the certificate on every client as Cisco is currently doing that and its cisco secure client is already across whole environment.

Re: URL Filtering Issue via VPN

Zee — Fri, 20 Jun 2025 12:31:03 GMT

Hi, No I did not block QUIC traffic explicitly. but after JHF upgrade it somehow fixed it for now. I just wanted to learn for my understanding that why it was happing and why there were attached sessions.

Re: URL Filtering Issue via VPN

the_rock — Fri, 20 Jun 2025 12:32:36 GMT

If you enable https inspection, then it will work as intended, 100%.

Andy

Re: URL Filtering Issue via VPN

the_rock — Fri, 20 Jun 2025 12:44:45 GMT

Btw, if you need me to test anything, happy to do it. Working on harmony sase stuff today, but I can definitely check this, not an issue. I have fully working R81.20 and R82 ssl inspection labs running.

Andy

Re: URL Filtering Issue via VPN

Zee — Fri, 20 Jun 2025 12:46:26 GMT

Acknowledged. Can you direct me to some benchmark or tradeoff regarding the CPU/RAM/memory comparison if I enable Https inspection as I am not sure how much it will impact the firewall performance interms of that

Re: URL Filtering Issue via VPN

Zee — Fri, 20 Jun 2025 12:47:21 GMT

Ack but the hinderance is the installation of certificate on all clients. 🙂

But I agree with you.

Re: URL Filtering Issue via VPN

the_rock — Fri, 20 Jun 2025 12:48:55 GMT

I get it. I would say GPO is probably answer to that 🙂

Andy

Re: URL Filtering Issue via VPN

Zee — Fri, 20 Jun 2025 12:50:31 GMT

I do not have a lot of expertise on that, I would probably have to take other guys and management in loop 😛

Re: URL Filtering Issue via VPN

the_rock — Fri, 20 Jun 2025 12:52:44 GMT

Fair enough 🙂

See if post I made about this last year helps. Maybe you can test this on few machines and see if it works.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139

Re: URL Filtering Issue via VPN

Zee — Fri, 20 Jun 2025 12:54:48 GMT

That is great. I would definitely ping you, if I need your help. Thank you so much :). But yes, if you can guide me about the performance comparison with and without Https inspection, that would be great because what I have observed and read is checkpoint can do almost everything which cisco umbrella is doing (expect DNS server) in terms of security, the only hinderance in making up mind for further testing and proceeding with it is performance factor in terms of load and certificates.

Re: URL Filtering Issue via VPN

Zee — Fri, 20 Jun 2025 12:59:52 GMT

Such a great read. Thanks 🙂

Re: URL Filtering Issue via VPN

the_rock — Fri, 20 Jun 2025 13:02:14 GMT

Hope it helps.

Re: URL Filtering Issue via VPN

Zee — Tue, 15 Jul 2025 17:15:18 GMT

Hi,
I could not test it before as I had to go back because of a family tragedy. . I came back yesterday and resumed testing in a slightly different scenario due to company restrictions on using a fully managed test machine. My current setup places the test machine behind the company’s main firewall, connected to an isolated test firewall environment via VPN. During initial testing, I used a self-signed dummy certificate for HTTPS inspection. First issue I faced was, although I deleted that certificate from all known locations, I suspect it's still lingering somehow as I am unable to install a fresh certificate from gateway>https inspection, but can renew it with a new self signed one. I read about a tool that might help completely remove it, but I wanted to ask here first before proceeding.

Based on my understanding, all external HTTPS sites should fail or show certificate warnings if the certificate is untrusted—but the behavior is inconsistent. For example, some sites like nayatel.com still open, while others don’t proceed past the security warning. When I blocked traffic, the UserCheck page does appear as expected but I was able to resolve this after enabling UserCheck on all interfaces ( thanks to your document 🙂 ), I now see that blocked sites get the firewall’s VPN certificate and show the block page properly, but other sites like Google are still receiving the self-signed certificate, leading to errors attached. I'm unsure if this is due to certificate caching, inspection misconfiguration, my lack of knowledge in this aspect or some remnant of the previous setup. Any suggestions or insights would be appreciated.
To summarize, Is there any way to delete the self-signed certificate? Should external websites work with self-signed (not valid certificate) after warning sign and should it show a block page with the same certificate (which It is showing now). I have attached some images as well.