Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Application Control not enforced

Hi,

Could someone shed some light in why the application control might be enforced in some ways but not in others.

* Version R80.10

* All sites are through HTTPS.

* SSL decryption is activated.

* All Sites are bypassed by SSL decryption

* Firewalls are not using probe Bypass (so the traffic should be inspected first?)

* All sites seem to be correctly categorized in the https log. (as a Custom application/Site with correct Url)

* The traffic is not hitting the firewall rules with said application (custom Site)

Why is the firewall not enforcing it when https inspection is detecting the correct site? (does it have to be inspected even though it can detect the application?)

 

Also Tried checkpoint ACST and created a signature for some of the sites using CN. These rules seem to hit the application rule some times and sometimes not. 

 

What could be the cause of this? The https inspection is once again detecting and categorizing the application correctly every time but only stopping the traffic sometimes.

 

Best regards

0 Kudos
4 Replies
Highlighted
Admin
Admin

Logs of accepted and dropped traffic may be helpful, along with screenshots of the rules referenced in the logs.

Also note that sometimes web applications can use different URLs, or even the same site may, at times, present different certificate CNs.
So it's possible more specific rules are required.
0 Kudos
Highlighted

All logs are with same source, user, destination, FW. Its within one minute from eachother.

1. Non working HTTPS session: resource is "test.filtered.com".

APP-HTTPS-NO-FILT.png

 

2. Working HTTPS session: resource is "test.filtered.com".

APP-HTTPS-WORK-FILT.PNG

3. Non working firewall rule (This one doesnt has a session, Why?).

APP-FW1-NO-FILT.png

4. Working Firewall Rule. (this one has a session, Why?)

APP-FW1-WORK-FILT.png

5. See this matches cleanup rule. (Non working)

APP-FW2-NO-FILT.png

6. See this matches the application rule. (working)

APP-FW2-WORK-FILT.png

7. this is the Session of the owrking one. Application is made by ACST and it matches based on 2 scenarions "*.filtered.com" (wildcard cert) and "test.filtered.com" as common name. This is the same resource as mentioned in both https inspection logs and also the subject/CN when going to the Server and checking the cert provided.

APP-FW3-WORK-FILT.png

0 Kudos
Highlighted

Bump. Does bypassing SSL inspection hamper recognization or should it work the same was as when inspected?

 

 

 

 

0 Kudos
Highlighted

How does Application and url filter work exactly. Do you have a good source thats collecting all the scenarios for when and how it filters.

 

HTTP traffic checks the URL from the GET/POST? True/False

HTTPS check the Certificate CN? True/False

Custom Site with "example.com" matches "www.example.com", "example.com" and "example.com/tes/b.htm" but not "mail.example.com" for HTTP? True /False

Custom Site with "example.com/tes/ff/" matches "example.com/tes/ff/", "example.com/tes/ff/b.htm" and "www.example.com/tes/ff/sce/tt/g.htm" but not "example.com" for HTTP? True /False

Custom site with "*.example.com" matches URLS(HTTP) and CN(Cert) for "mail.example.com" and "ftp.example.com/tes/b.htm" but not "example.com" or *.example.com?

Wildcard Cert does not work unless using ACST with adding "*.example.com" as CN? True/False 

During a redirect site you must both add "example.com" and "newexamplesite.com" to the custom site? True/False

During a redirect site with a wildcard cert you must both add a custom site with "example.com" and using ACST adding "*.newexamplesite.com"? True/False

Do you know the answers to these questions or can point me to where i can find the answers to these? From what i have learned through SK and testing my opinion is that all of these are true. Have i understood it correct?

 

0 Kudos