This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KennyManrique
Advisor
‎2018-02-01 12:57 PM
Jump to solution

HTTPS drop in R80.10

Hello Community,

I'm experiencing an strange issue after Gateway upgrade to R80.10 (T56 now) on Open Server.

Previously when blocking Web Advertisements category on R77.30 all work fine with one "Block and show usercheck" rule. After upgrade to R80.10, the same rule was applied, and since Block option does not exists on the new architecture for APC and URL Filter, the option was replaced to drop instead.

I put you an example using the Drop option. There is a news site www.eldeber.com.bo where embedded advertising exists. When I open a link of a report inside the site, the page remains loading forever in blank despite the news is already received (pressing F5 the report is showed on screen briefly). All this is because HTTPS advertising, according to the Logs, and it seems the session is still trying to establish despite the drop rule.

I got similar error on www.amazon.com  and some other sites with embedded advertising.

As a workaround, what I had to do was create an inline layer for Web Advertisements and choose Reject for HTTPS and HTTPS_proxy. After this, the sites with embedded advertising load normally (I did the same test with the sites mentioned above).

So far, Web Advertisements is the only category who give me problems, but perahps this behavior reproduces in other categories. This issue is reproduced on all categories where the action for HTTPS is Drop; and specially on those sites who point to external content Droped somehow by the policy. Would be great if can test this for yourself's and verify why the problem only reproduces when using drop.

Regards.

1 Solution

Accepted Solutions
KennyManrique
Advisor
‎2019-03-07 11:34 AM
Jump to solution

Check Point published an official SK documentation for this behavior on Sep 2018 using my Reject workaround as one of the solutions (I'm waiting for sk modification with special thanks 😞

sk135132: Websites take time to load when certain applications/links in APPI/URL Filtering rule base are block... 

I hope this be useful to all.

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2018-02-01 01:11 PM
Jump to solution

What if you change the action to Reject in the top-level rule?

KennyManrique
Advisor
‎2018-02-01 01:13 PM
In response to PhoneBoy
Jump to solution

It works, but cannot show UserCheck message for HTTP traffic.

Regards.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-05 06:14 AM
Jump to solution

Looks like this is a known bug and you should open a TAC case for a potential fix to this.

Contact Support | Check Point Software 

KennyManrique
Advisor
‎2018-02-06 07:49 PM
In response to PhoneBoy
Jump to solution

Thanks Dameon.

Do you have a bug ID to search it?

I will open a TAC case to further review.

Regards.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-07 08:23 AM
In response to KennyManrique
Jump to solution

Offhand I do not, but I did inquire internally with R&D about it and they suggested opening a task regarding the issue.

If you can send me the SR number privately, I'll make sure the dots are connected on the backend.

Hugo_vd_Kooij
Advisor
‎2018-03-02 09:01 AM
Jump to solution

If the client gets a REJECT the client knows it doesn't work and it will now it fast.

If you silently drop the SYN packet it is up to the client to retry a few times before giving up. This will give you a terrible penalty in the user experience.

As a rule of thumb I would considere to DROP anything from the outside that I don't want to allow. And REJECT anything from the inside that I don't want to allow.

While some auditers may not approve I find it saves your users a lot time as they get an error very fast if you block them and they don't have to wait for the timeouts.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
KennyManrique
Advisor
‎2018-03-02 11:41 AM
In response to Hugo_vd_Kooij
Jump to solution

Thanks for the reply Hugo. 

You are absolutely right about the drop and reject behaviors. However, some things like this must be modified if you update from R77.30 (where all work without this issues). Also I noticed this strange case is not only in Web Advertisements category but in some others like Social Networking or Media Streams (Peraphs for all dropped apps in R80.10??) 

Do you know the exact behavior of Block in R77.30 App rulebase? Remember this option does not exists in R80.10 App rulebase.

Regards. 

0 Kudos
Hugo_vd_Kooij
Advisor
‎2018-03-05 01:28 AM
In response to KennyManrique
Jump to solution

Kenny,

it's on my todo list somewhere. Unfortunalty not on page 1.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-05 06:23 AM
In response to KennyManrique
Jump to solution

Did you open a TAC SR like I suggested above?

0 Kudos
KennyManrique
Advisor
‎2018-03-06 11:04 AM
In response to PhoneBoy
Jump to solution

Hi Dameon,


I was a little busy with other SR's for customers.

I will open the SR once the others had been closed.


Regards.

0 Kudos
KennyManrique
Advisor
‎2019-03-07 11:34 AM
Jump to solution

Check Point published an official SK documentation for this behavior on Sep 2018 using my Reject workaround as one of the solutions (I'm waiting for sk modification with special thanks 😞

sk135132: Websites take time to load when certain applications/links in APPI/URL Filtering rule base are block... 

I hope this be useful to all.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top