This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lloyd_Barnett
Contributor
‎2017-12-07 09:28 AM

Loss of a rule hit in AppCtrl-URLFltr...

anyone have a rule that just stops getting hits in the AppCtrl-URLFltr blade?  I have hits for pornography/gambling categorization etcetera that have just stopped being blocked and are not logged as a block, obviously (domains categorized and verified) as when I test to some of these sites I have access/page loads...

anyone else see a rule just "drop"?

Alan Stanwyck: "If you reject the proposition, you keep the thousand – and your mouth shut."
Fletch: "Does this proposition entail my dressing up as Little Bo Peep?"
Alan Stanwyck: "It’s nothing of a sexual nature, I assure you."
Fletch: "Yeah, I assure you."
Alan Stanwyck: "One thousand just to listen. I don’t see how you can pass that up, Mister…?"
Fletch: "Nugent. Ted Nugent."
10 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2017-12-07 10:10 AM

Do you have Website Categorization Mode set to "Hold" or "Background"?  How many total filtered users do you have?

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Lloyd_Barnett
Contributor
‎2017-12-07 12:07 PM
In response to Timothy_Hall

Hi Tim,

Categorization is set to "background" and we don't do filtered users (presuming some kind of ID awareness?) but do hope to kluge that up too someday...

I did try throwing all six copies we have of your book at it, and it only knocked over the monitor...

Alan Stanwyck: "If you reject the proposition, you keep the thousand – and your mouth shut."
Fletch: "Does this proposition entail my dressing up as Little Bo Peep?"
Alan Stanwyck: "It’s nothing of a sexual nature, I assure you."
Fletch: "Yeah, I assure you."
Alan Stanwyck: "One thousand just to listen. I don’t see how you can pass that up, Mister…?"
Fletch: "Nugent. Ted Nugent."
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2017-12-07 02:15 PM
In response to Lloyd_Barnett

If the firewall's rad process is having problems you will see behavior like this (and slow initial page loads), can I assume you are running the latest GA Jumbo HFA for R77.30 or R80.10?  This is extensively covered in second edition of my book, does cpwd_admin list show rad getting restarted?  For R77.30 especially there were a lot of problems with rad fixed by the jumbo HFA. 

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Lloyd_Barnett
Contributor
‎2017-12-12 07:17 AM
In response to Timothy_Hall

Hi Tim,

RAD is running -as other rules are getting hit, just these (2) particular rules refuse to uphold the law.  I stopped and restarted RAD just for kicks and giggles, I also did by alternating "fail-open" and "fail-safe" and no changes there.  As for rules, we've removed and then added and moved but no change.  No rules catch it above -I even pushed to the top.  A couple of items missed Tim, you reminded me to have conveyed.

Management R77.20

Gateways R77.30 JHF (take 286)

Alan Stanwyck: "If you reject the proposition, you keep the thousand – and your mouth shut."
Fletch: "Does this proposition entail my dressing up as Little Bo Peep?"
Alan Stanwyck: "It’s nothing of a sexual nature, I assure you."
Fletch: "Yeah, I assure you."
Alan Stanwyck: "One thousand just to listen. I don’t see how you can pass that up, Mister…?"
Fletch: "Nugent. Ted Nugent."
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2017-12-12 09:38 AM
In response to Lloyd_Barnett

Um, isn't it not supported to have the SMS be an older minor release than that gateway?  There weren't too many changes to APCL/URLF policies from R77.20 to R77.30 but that seems odd.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Lloyd_Barnett
Contributor
‎2018-02-19 07:17 PM
In response to Timothy_Hall

Hi Tim,

I thought this changed in R77x where you can "manage up" from Manager to Gateway.

It appears the issue has something to do with -and I'm gonna write this out with some skepticism, you'll just have to take it as gospel:

  • (domains).checkpoint.com changed IPs at some point
  • our implied rule to allow access to said domains was pushed down in the order of implied rules
    • this is due to us running traditional VPN (??? -I'm gonna have to research the "how and why" on that one)
  • rejection of the site's access and intermittent updating this crippled for some odd reason JUST these two rules

...I also believe there was a third gunman, does that seem to jive (I at least get the issue of not getting updates)?

LDB

Alan Stanwyck: "If you reject the proposition, you keep the thousand – and your mouth shut."
Fletch: "Does this proposition entail my dressing up as Little Bo Peep?"
Alan Stanwyck: "It’s nothing of a sexual nature, I assure you."
Fletch: "Yeah, I assure you."
Alan Stanwyck: "One thousand just to listen. I don’t see how you can pass that up, Mister…?"
Fletch: "Nugent. Ted Nugent."
0 Kudos
Daniel_Taney
Advisor
‎2017-12-07 01:34 PM

Is there a chance that a more generic rule got placed above it in the AppCtrl policy that is now matching that traffic? If you look in SmartLog you should be able to see what App Control rule was matched when the traffic was allowed. Is that rule above the Drop / Block rule in question?

R80 CCSA / CCSE
0 Kudos
Kurt_Lee
Explorer
‎2017-12-07 02:01 PM

I believe I have the same situation.

I've noticed that all categories that have only 'url filtering' blade are without applications. I don't remember if this is indeed the correct behavior. I don't think so.

Does anyone know what that is about?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2017-12-07 02:18 PM
In response to Kurt_Lee

Nope that's normal, that particular category is all about inappropriate content (not a specific application) which is what URL Filtering is for, not App control.

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Kurt_Lee
Explorer
‎2017-12-07 04:06 PM
In response to Timothy_Hall

Thanks for your answer!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events