This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
andersplarsson
Contributor
‎2022-11-29 12:50 AM
Jump to solution

URL Categorization

Hi,

Two questions:

1. Is URL Categorization based on SNI or "Application Name" (CN name ?) when the gateway is deciding on witch category destination falls in to?

2. Does the categorization not being done when destination has a untrusted certificate?

 

Regards,

Anders Larsson

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-11-29 03:23 AM
Jump to solution

In earlier release (pre-R80.30) only CN was used, now verified SNI is used when available.
Part of the verification process is checking the cert provided by the remote server matches the SNI requested by the client.
HTTPS Inspection actually requires the certificate be signed by a valid CA, not sure this is required merely for categorization.
When this fails for HTTPS Inspection, there are definitely log messages.

View solution in original post

10 Replies
PhoneBoy
Admin
Admin
‎2022-11-29 03:23 AM
Jump to solution

In earlier release (pre-R80.30) only CN was used, now verified SNI is used when available.
Part of the verification process is checking the cert provided by the remote server matches the SNI requested by the client.
HTTPS Inspection actually requires the certificate be signed by a valid CA, not sure this is required merely for categorization.
When this fails for HTTPS Inspection, there are definitely log messages.

andersplarsson
Contributor
‎2022-11-29 04:16 AM
In response to PhoneBoy
Jump to solution

Thanks for the reply!

If HTTPS Inspection is not being used only URL-categorization, is there any change of how this is categorized for R81.10?

0 Kudos
_Val_
Admin
Admin
‎2022-11-29 04:28 AM
In response to andersplarsson
Jump to solution

As @PhoneBoy mentioned, with R80.40 and up, we are using a patented SNI validation. As part of it, we request a site certificate and make sure it is valid and corresponds to the rest of web request data: SNI and URL.

The URL categorization is part of this process, and it is done via HTTPS even if you did not enable HTTPSi on your security GW.

andersplarsson
Contributor
‎2022-11-29 06:27 AM
In response to _Val_
Jump to solution

So if the certificate is not trusted there is no categorization? 

/Anders

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-29 06:35 AM
In response to _Val_
Jump to solution

Actually, the change was introduced in R80.30 and backported to R80.20 JHF.
I believe SNI Verification requires HTTPS Inspection to be enabled in R80.20 and R80.30, but it is not required in R80.40 and above.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-11-29 03:58 AM
Jump to solution

I am pretty sure what phoneboy said is also done by any other major vendors that do https inspection, but thats the gist of it really.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
_Val_
Admin
Admin
‎2022-11-29 04:26 AM
In response to the_rock
Jump to solution

That is not exactly true, I am afraid. I think you misunderstood what PH conveyed 🙂

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-11-29 04:32 AM
In response to _Val_
Jump to solution

How so? 🙂

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
_Val_
Admin
Admin
‎2022-11-29 04:39 AM
In response to the_rock
Jump to solution

The main differentiator from the rest of the competitors is SNI validation. Instead of taking it for granted, we actually pull the server certificate and compare its details with the SNI data.

This is, or at least was, unique for Check Point when R80.40 was out, and we filed a patent application for it.

Hope this makes sense.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-11-29 04:45 AM
In response to _Val_
Jump to solution

A kk, I see what you mean, makes sense. Though, Im pretty positive that Fortinet and PAN do it nowdays as well.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events