topic Re: Spark 1900 URL & APP filtering issue in Spark Firewall (SMB)

Spark 1900 URL & APP filtering issue

AmitS — Thu, 20 Feb 2025 08:11:09 GMT

Hi Team,

We have a 1900 spark appliance in Cluster version R81.10.10.

Requirement is to have APP & URL Blocking based on the predefined categories (e.g Shopping, FTP, Social, Media etc) with out HTTPS inspection as customer cannot install the certificates on endpoint and/or mobile devices.

We have tested to use HTTPS categorization but its not working as expected, few sites are getting blocked and some are working, hence not achieving the desired solution.

but when HTTPS inspection is configured all is working properly, the categories which are blocked in rule are not working which is desired.

Is there any other way to achieve this???

Re: Spark 1900 URL & APP filtering issue

G_W_Albrecht — Thu, 20 Feb 2025 08:31:26 GMT

I would first install the current version R81.10.15 Build 996003913 and after testing, open SR# with CP TAC to get this resolved.

Re: Spark 1900 URL & APP filtering issue

PhoneBoy — Thu, 20 Feb 2025 13:13:11 GMT

Do you have an explicit rule blocking QUIC in your rulebase?
QUIC traffic will not be categorized by HTTPS Categorization.
By blocking QUIC, the client web browsers should fall back to HTTP/1.1, for which traffic can be categorized correctly.

Re: Spark 1900 URL & APP filtering issue

G_W_Albrecht — Thu, 20 Feb 2025 13:20:31 GMT

Yes, QUIC - but recently with 1600, blocking QUIC on GW did not help, so customer had to disable it for browsers using GPO.

Re: Spark 1900 URL & APP filtering issue

AmitS — Thu, 20 Feb 2025 15:06:09 GMT

Yes, we have explicit rule to block QUIC. Still categorisation is not working.

Any alternate solution?

Re: Spark 1900 URL & APP filtering issue

PhoneBoy — Thu, 20 Feb 2025 16:20:41 GMT

HTTPS Categorization uses one two things to categorize websites for HTTP/HTTPS connections (QUIC connections aren't supported for HTTPS Categorization):

The DN of the site certificate (which is always unencrypted, but may not reflect the actual site being accessed)
The unencrypted SNI of the HTTPS connection. If the SNI is encrypted, there is no way to see the SNI short of full HTTPS Inspection, thus not possible to categorize the connection.

Specific examples of websites that should be being blocked but aren't might be helpful.

Re: Spark 1900 URL & APP filtering issue

AmitS — Thu, 20 Feb 2025 17:57:28 GMT

Categories example such as gambling, Shopping, Media, Youtube.

Amazon.in

flipkart.com

888.com

velonyx.live

and many more

Re: Spark 1900 URL & APP filtering issue

PhoneBoy — Thu, 20 Feb 2025 19:55:45 GMT

To see if the problem is Encrypted SNI, you will have to take a packet capture when the client initiates a connection to this site.
If it's Encrypted SNI, the only solution to that is HTTPS Inspection.
If the SNI is not encrypted and it's not working, then I suggest a TAC case.

Re: Spark 1900 URL & APP filtering issue

AmitS — Fri, 21 Feb 2025 05:31:28 GMT

Hi Team,

Customer is having other Firewall as well such as Palo alto & sonicwall & same thing is working there without SSL/HTTPS inspections..

So here in Checkpoint its not working without Https inspections...

Re: Spark 1900 URL & APP filtering issue

PhoneBoy — Fri, 21 Feb 2025 21:42:44 GMT

A TAC case will be necessary to investigate this issue further.

Re: Spark 1900 URL & APP filtering issue

Amir_Erman — Sat, 22 Feb 2025 12:11:43 GMT

To accelerate the analysis - I would try Quantum centrally managed, SPARK centrally managed as well

(For simplicity VM version can be used. It will allow us to pinpoint where the problem is.

Re: Spark 1900 URL & APP filtering issue

AmitS — Tue, 25 Mar 2025 08:06:40 GMT

TAC is already raised but still not proper solution.

Re: Spark 1900 URL & APP filtering issue

AmitS — Tue, 25 Mar 2025 08:09:40 GMT

We have tried testing with Quantum centrally managed full Gaia in LAB (VM based) & there categorization is working properly, blocking is working as expected based on categories configured in rule.

But the same is not working with 1900 spark appliances with Local Management.

Re: Spark 1900 URL & APP filtering issue

AmitS — Tue, 25 Mar 2025 08:10:44 GMT

I had taken captures on Firewall, there was no encrypted SNI.

Re: Spark 1900 URL & APP filtering issue

Chris_Atkinson — Tue, 25 Mar 2025 11:46:40 GMT

Can you confirm the browsers are configured the same in each test scenario, this site will be useful here:

https://www.cloudflare.com/ssl/encrypted-sni/#results

Re: Spark 1900 URL & APP filtering issue

Vickman — Tue, 05 Aug 2025 23:43:46 GMT

Hello,

Same issue, using current firmware version is R81.10.17 (996004653)

Is there any update regarding this ?

Thanks

Re: Spark 1900 URL & APP filtering issue

Chris_Atkinson — Wed, 06 Aug 2025 00:07:37 GMT

If you have already tested with the equivalent of the following set for 'hold' instead of background then you should take it internally or with TAC.