topic Re: Inconsistent URL filtering in Spark Firewall (SMB)

Inconsistent URL filtering

AB136785 — Tue, 17 Feb 2026 15:58:26 GMT

Firewall: 1900/2000 Appliance running version R81.10 with Application Control and URL Filtering enabled, as well as HTTPS-inspection. Obligatory heads-up, I am not an expert (or even intermediate) when it comes to networking and checkpoint.

Hi there checkmates,

We're trying to configure a firewall for a highly-regulated, mostly closed environment (meaning only specific software and addresses may be accessed from the internal network). To this end, we try to regulate access mostly based on custom applications/sites and built-in updatable objects. However, we've found something that seems quite inconsistent; the exact same url that is both allowed and blocked in two separate instances.

We are allowing traffic to the source 'api\.github\.com/repos/hashicorp/packer-plugin-vsphere/git/matching-refs/tags.*' (defined as a regex), but this is what we observed below:

Both these instances happen near-simultaneously. The rules were not changed in that short time (we've checked). We did see that both instances went to a different host (140.82.121.3 and ".6 respectively), but all hosts are allowed in this rule as long as the url matches, so this should not make a difference. Furthermore, in the Policy menu it shows both as blocked by the cleanup rule, even though one is still allowed. Does anyone here have an inkling as to what is going on here?

Re: Inconsistent URL filtering

Lesley — Tue, 17 Feb 2026 18:53:21 GMT

Details tab of both screenshot would be to get better understanding.

My guess is, first some data needs to pass / be allowed before the firewall can make the good policy decision.

Could also be that the website has not yet been categorized and therefore is not present in the cache of the gateway. There are 2 settings, hold and background. Default is background and hold is more strict. It will hold the connection until the gateway gets the message from the cloud what category the URL is. Background is, first connections are allowed, in the mean time gw connects to cloud and gets the info and from that point it will be blocked. The data will then be added to gateway cache.

Re: Inconsistent URL filtering

the_rock — Tue, 17 Feb 2026 19:53:42 GMT

I see the answer to your question on the left screenshot. Yes, shows accepted on network layer, but then shows inspect, which is on ssl inspection policy, which would essentially block it.

Re: Inconsistent URL filtering

the_rock — Wed, 18 Feb 2026 03:21:48 GMT

Btw, see if this post I made about my lab setup helps.

https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-inspection-lab-video/td-p/270644

Re: Inconsistent URL filtering

the_rock — Thu, 19 Feb 2026 03:31:24 GMT

Hey mate,

Were you able to sort this out?