topic Re: Application control matches only Web Browsing in Spark Firewall (SMB)

Application control matches only Web Browsing

Pedro_Espindola — Mon, 31 Jul 2017 16:34:57 GMT

Hello everyone,

I've done a migration from R80 to R80.10 and now I only see "Web Browsing" application in App Control logs:

All access is caught by URL filtering, but only the blocks match to their specific rules. A rule which allows facebook gets no hits, yet all facebook traffic matches the clean up any - any - any - allow:

Here is an example of app control log:

The gateway is an SMB 1470 appliance running R77.20.60.

There are separate layers for Network and Application rules as required for R77. All logging is set to extended.

Is this a gateway limitation or a configuration issue?

Re: Application control matches only Web Browsing

aner_sagi — Mon, 31 Jul 2017 21:04:14 GMT

HTTPS inspection enabled ?

Re: Application control matches only Web Browsing

Federico_Meine1 — Mon, 31 Jul 2017 22:26:44 GMT

Totally agree with Aner.

I had a similar issue in the past with anonymizers, we could identify Tor traffic but couldn't apply any policies to it without HTTPS inspection.

Re: Application control matches only Web Browsing

Pedro_Espindola — Tue, 01 Aug 2017 13:55:19 GMT

Yes! But I get the same result for inspected and bypassed traffic.

The policy in R80.10 is the same as it was in R80, when it worked fine.

Re: Application control matches only Web Browsing

Pedro_Espindola — Tue, 01 Aug 2017 13:58:53 GMT

So you solved the issue by enabling HTTPS inspection?

Re: Application control matches only Web Browsing

Federico_Meine1 — Tue, 01 Aug 2017 14:37:10 GMT

I didn't had the experience with Facebook/Twitter, by enabling HTTPS we could block Tor traffic via AppControl/URL Filtering. Try it in a lab enviroment first.

Also keep in mind that HTTPS Inspection is highly resource demanding in the gateway side. If you have your network segmented is best to implement it by phases by adding exceptions and see the impact in CPU/Memory.

Re: Application control matches only Web Browsing

Pedro_Espindola — Tue, 01 Aug 2017 15:23:08 GMT

HTTPS is already enabled and blocking https malware, I tested it. I tried disabling it and got the exact same result. It is back on.

It has been enabled and working beautifully with central management since R77.30 + Addon and then R80.

I've noticed some differences when upgrading to R80.10.

In R80, when some scope (network or host) was not explicitly defined for inspection or bypass in the https inspection rulebase it was NOT inspected.
After upgrading to R80.10, I had to explicitly set the bypass for those networks or they would be inspected.

I have not found documentation that explains the differences.

Most of the network IS inspected, including the machine I am using to test, obviously.

CPU/Memory is not an issue. The number of users and throughput is much lower than supported by the appliance. Memory is usually at 40% at most. CPU is usually at 10%.

Re: Application control matches only Web Browsing

PhoneBoy — Fri, 21 Jun 2019 08:56:13 GMT

Make sure you have logging configured as described in this thread: https://community.checkpoint.com/message/6785-rules-with-any-applicationservice-not-logging-application-in-r8010?sr=search&searchId=e208ab41-7161-4934-9f0d-1ea03209001c&searchIndex=1‌

Re: Application control matches only Web Browsing

Pedro_Espindola — Wed, 02 Aug 2017 13:34:38 GMT

Thank you for your reply, Dameon. I was the one that asked that other question. The logging mode is set for extended. In that one the issue was a R80.10 gateway. Now it is a preR80 1470, which doesn't have multiple logging modes.

The problem here is a little different, it is not just the logs, it seems. Application Control is not matching the applications correctly and all allowed traffic is processed at the Clean Up. URL filtering is correctly matching most of the blocked sites at the correct rule, except for "High Risk Applications", which are being allowed as "Web browsing". Look at the screenshot below. Facebook traffic doesn't match this rule and is allowed at the last rule.

Maybe this question should be moved to another category.

Re: Application control matches only Web Browsing

PhoneBoy — Wed, 02 Aug 2017 14:23:38 GMT

Can you post a screenshot of the rule that it should match?

Also if you haven't already, I would start a case with the Check Point TAC.

Re: Application control matches only Web Browsing

Pedro_Espindola — Thu, 03 Aug 2017 17:52:20 GMT

Turns out, the good old REBOOT solved the problem...

Unfortunately we won't know what caused it.

Thank you all for the help, guys.