Hi,
Could someone shed some light on why the application control might be enforced in some ways but not in others?
* Version R80.10
* All sites are through HTTPS.
* SSL decryption is activated.
* All Sites are bypassed by SSL decryption
* Firewalls are not using probe Bypass (so the traffic should be inspected first?)
* All sites seem to be correctly categorized in the HTTPS log. (as a Custom application/Site with correct URL)
* The traffic is not hitting the firewall rules with said application (custom Site)
Why is the firewall not enforcing it when HTTPS inspection is detecting the correct site? (Does it have to be inspected even though it can detect the application?)
Also tried Check Point ACST and created a signature for some of the sites using CN. These rules seem to hit the application rule sometimes and sometimes not.
What could be the cause of this? The HTTPS inspection is once again detecting and categorizing the application correctly every time but only stopping the traffic sometimes.
Best regards
All logs are with the same source, user, destination, FW. They're within one minute of each other.
1. Non working HTTPS session: resource is "test.filtered.com".
2. Working HTTPS session: resource is "test.filtered.com".
3. Non working firewall rule (This one doesn't have a session, Why?).
4. Working Firewall Rule. (this one has a session, Why?)
5. See this matches cleanup rule. (Non working)
6. See this matches the application rule. (working)
7. This is the session of the working one. Application is made by ACST and it matches based on 2 scenarios: "*.filtered.com" (wildcard cert) and "test.filtered.com" as common name. This is the same resource as mentioned in both HTTPS inspection logs and also the subject/CN when going to the server and checking the cert provided.
Bump. Does bypassing SSL inspection hamper recognition or should it work the same way as when inspected?
How do Application Control and URL Filtering work exactly? Do you have a good source that's collecting all the scenarios for when and how it filters?
HTTP traffic checks the URL from the GET/POST? True/False
HTTPS checks the certificate CN? True/False
Custom Site with "example.com" matches "www.example.com", "example.com" and "example.com/tes/b.htm" but not "mail.example.com" for HTTP? True/False
Custom Site with "example.com/tes/ff/" matches "example.com/tes/ff/", "example.com/tes/ff/b.htm" and "www.example.com/tes/ff/sce/tt/g.htm" but not "example.com" for HTTP? True/False
Custom site with "*.example.com" matches URLs (HTTP) and CN (cert) for "mail.example.com" and "ftp.example.com/tes/b.htm" but not "example.com" or *.example.com?
Wildcard Cert does not work unless using ACST with adding "*.example.com" as CN? True/False
During a redirect site you must both add "example.com" and "newexamplesite.com" to the custom site? True/False
During a redirect site with a wildcard cert you must both add a custom site with "example.com" and using ACST adding "*.newexamplesite.com"? True/False
Do you know the answers to these questions or can you point me to where I can find the answers to these? From what I have learned through SK and testing, my opinion is that all of these are true. Have I understood it correctly?