topic Re: Incorrect categorization of url filtering when use Google Crhome in Spark Firewall (SMB)

Incorrect categorization of url filtering when use Google Crhome

charcris — Fri, 15 May 2020 21:13:15 GMT

Hello and good morning

I have some problems with smb 1490

I don't know if anyone had the same problem or if it's a limitation of SMB 1400

When clients use the google chrome web browser for some web pages, checkpoint cant categorized correctly by checkpoint

Yes I have a rule that blocks all traffic that cannot be classified, but the problem is the incorrect categorization.

note : this happen in all SMB appliances(1400).

On the other hand, when the client uses firefox explorer in the same pages, these are correctly categorized after this if the client uses the google chrome explorer, again it is already correctly categorized by checkpoint.

to take into account that

1.- I don't have https inspection (resources problems) activated.
But I understand that it complies with Categorize HTTPS Websites via Certificate Checking.
2.- the session is performed by the TLS1.2v on the clients.
3.- The SNI and the CN have the same name as the domain of the web page

4.- Google chrome and firefox are updated (also try old versions with the same result).
5.- The smb is centrally administered

6.- the management and the smb is update.

SMB 1400 R77.20.87 (990173004). Management R80.30 JH take 191

7.- Trusted Ca and blacklist is update .

Please if someone has any clue or knows what could be happening? or if a limitation of smb

Thanks for the help.

Re: Incorrect categorization of url filtering when use Google Crhome

PhoneBoy — Fri, 15 May 2020 23:22:50 GMT

Are you blocking QUIC?

Just to note: we do not look at SNI at all on that SMB code release.
That capability was only added to R80.20.05, which is not available for the 1490 (but is on the newer 1500 series).
However, when I went to that site, the CN of the certificate looks correct, so we should see it.

Re: Incorrect categorization of url filtering when use Google Crhome

charcris — Sat, 16 May 2020 14:08:10 GMT

Hello and ty for the help PhoneBoy

Are you blocking QUIC?

Yes te quic protocol is blooqued by the firewall and i try to block in the client too , but with the the same results .

Re: Incorrect categorization of url filtering when use Google Crhome

HristoGrigorov — Sat, 16 May 2020 14:31:21 GMT

Try to set in SmartConsole, Manage & Settings -> Blades -> APPCL & URLF -> CheckPoint online web service -> Web categorization mode to "Hold" and see if that makes any difference in observed behavior.

Re: Incorrect categorization of url filtering when use Google Crhome

charcris — Sun, 17 May 2020 03:22:20 GMT

mm yes right now the mode of web categorization is in hold , but the problem persist , ty for the help HristoGrigorov(you can see it in the 4° photo).

Re: Incorrect categorization of url filtering when use Google Crhome

HristoGrigorov — Sun, 17 May 2020 03:28:00 GMT

URL categorization is made in CheckPoint Cloud not on device itself. I think if for some reason it fails to do that it will threat it as uncategorized.

Re: Incorrect categorization of url filtering when use Google Crhome

charcris — Sun, 17 May 2020 03:32:24 GMT

Yes, but when the client uses firefox as a browser, it seems that checkpoint can correctly categorize it.
so it is a bit strange that with firefox checkpoint can categorize it.

Re: Incorrect categorization of url filtering when use Google Crhome

HristoGrigorov — Sun, 17 May 2020 03:34:43 GMT

Agree. It is worth involving TAC here.

Re: Incorrect categorization of url filtering when use Google Crhome

charcris — Sun, 17 May 2020 03:52:57 GMT

yes the tac is involved , but at the moment couldn't be determine what it could be, so I open this case in the community to find out if anyone may have had the same problem.
Any help is appreciated

Re: Incorrect categorization of url filtering when use Google Crhome

HristoGrigorov — Sun, 17 May 2020 04:05:56 GMT

May be sniff the traffic between Firefox and SMB and then between Chrome and SMB and compare it. Pay special attention to HTTP headers and what browser sends as requested URL.

Re: Incorrect categorization of url filtering when use Google Crhome

mconlogue — Fri, 30 Jul 2021 15:10:19 GMT

Any progress with this? We are seeing the same thing

Re: Incorrect categorization of url filtering when use Google Crhome

George_Casper — Fri, 30 Jul 2021 18:35:31 GMT

We're running into the same thing with several sites (running on 15400 appliances R80.40) which started up a few days ago, we do block uncategorized sites. I haven't had time to sift through the logs on all the sites but several of them appear to be hosted on AWS. Even www.amazon.com shopping site which we permit gets blocked when it reaches the uncategorized AWS hosts.

Wonder if AWS added a new IP subnet that Checkpoint hasn't categorized yet?

Re: Incorrect categorization of url filtering when use Google Crhome

K_montalvo — Fri, 30 Jul 2021 19:36:20 GMT

Hello @charcris

Since when you're experiencing the issue?

Have you been able to access any of those websites before?

Have you tried to access the website via IP like this: https://185.76.64.164:443

Also can you tried to disable enforce safe search > install policy > clear cookies/cache on browser or open a private tab and share the results.

Hablo español cualquier cosa amigo!

Thanks!

Thanks

Re: Incorrect categorization of url filtering when use Google Crhome

israelfds95 — Tue, 09 Jan 2024 19:28:59 GMT

After a lot of days of researchs I found a solution for this without enable HTTPS Inspection.

- On Network Layer - create a Drop rule for UDP 443 QUIC

- On App control & URL Filtering layer - create a DROP rule for desired categories like Pornografy, Sex, Nudity ...

- And the final key for firewall Drop correctly the sites on this categories for Google Chrome create a object New Override Categorization - and set a Risk High or Critical, after that the firewall will Drop with more criteria and priority all sites classified on this categories that you create a New Override Categorization object. Set one site just to save the object, but important thing here will be the risk

From the Objects tab of SmartConsole, select New > More > Custom Application/Site > Override Categorization

Before applied this configuration a lot of porn sites oppening just on the Google Chrome, and on this customer don't was possible enable HTTPS Inspection, with this configurations was possible drop everything just with URL Filtering.