Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Marcel_Gramalla
Advisor
Jump to solution

Most URLs categorized as X-VPN this morning

Hi,

we encountered a big issue this morning as nearly all URLs were categorized as X-VPN application which is blocked in our rulebase because of the category (Anonymizer) and it's also set to critial risk.

Did you encounter the same and is there any official statement? It's obviously an issue with the database and the first time we see such an issue. 

 

(2)
4 Solutions

Accepted Solutions
TP_Master
Employee
Employee

Hi,

I can confirm that indeed from the last ~15 minutes this issue has been resolved, using the APPI package 11042401. 

Gateways will be updating according to their scheduled update policy. 

If you need to rush the update, please do the following on the security gateways:

- # rm $FWDIR/appi/update/Version
- # rm $FWDIR/appi/update/next_update
- Wait for 5 minutes.

A new dedicated sk182202 is now available for this issue.

An official and detailed RCA will follow.

Ofir Israel 

VP, Threat Prevention Check Point Software Technologies

 

P.S. We are aware that the fix seems to have not worked for a limited amount of our customers. We currently suspect this as a logging behavior where old connections have new sessions and are updated on the log view. If you encounter drops please let us know through a TAC ticket, we are monitoring the situation. 

View solution in original post

(4)
796570686578
Collaborator

I noticed something that may help others as well.

Yesterday once the issue has been resolved and the new package released, I performed the Update of the Application Control & URL Filtering via SmartConsole. This resolved the issue on 2 out of 3 clusters. The 3rd cluster, although it had the same updated package version(110424_1) as the other gateways, was still dropping traffic.

 

So I performed the steps mentioned in https://support.checkpoint.com/results/sk/sk182202 and suddenly it worked. The package version was still the same but apparently there was a difference between updating via Mgmt and manually deleting the files.

Hope this helps anyone else

View solution in original post

(1)
kale24
Explorer

All gateways had the new file yet we still had to create the manual whitelist for X-VPN.
I then completed the SK article on ALL gateways (even ones not using the application blade) and only then did we stop seeing logs.
I will monitor to see if anymore appear but the trick is going through the SK regardless of the file date.

View solution in original post

TP_Master
Employee
Employee

Hi, let me introduce some more information.

As I wrote last week even after releasing the package we encountered cases of customers still seeing the issue. We later saw evidence on incorrect MD5 and that's why we added that section to the SK182202.

We did not tweak the signatures in the package therefore no new package was issued but we did perform manual operations to speed up the integration & deployment of package 110424_1 into the updates system, so that our customers get it faster than usual - this caused some issues with wrong MD5 for small portion of customers.

Therefore the recommendation is for anyone who still has issues with X-VPN classification to check the MD5 and if necessary force re-download of the package.

 

Ofir Israel

VP, Threat Prevention

Check Point 

View solution in original post

(1)
69 Replies
Albin
Contributor
Contributor

Hi,

 

We have the same issue. We had  this  the other day and just now again on one site.

Daniel_Hainich
Collaborator

hi,

we have the same issue since today.

sascham
Participant

Hello,

same issue here. It started around 04:12 AM CEST.

Sebastian
Explorer

Hi all,

We have the exact same issue! Nothing is passing by as every web request is categorized as X-VPN and therefore blocked.

Nenad_Odic
Contributor

We have this from this morning,is there  a reason why or we have to raise a TAC ticket? 

tomaszek
Explorer

Yes, we have the same issue

0 Kudos
Stephan_Scholz
Participant

Same here. Any comments from Check Point?

0 Kudos
Nenad_Odic
Contributor

Just raised   

Case
6-0003912005
so we will see if they come  up with an idea ,other that remove anonymizer category from rules.
Josef_Maier
Participant

Hi,

we have the same problem. We registered an ticket bye Check Point Support. At the moment no reaction. On the status Checkpoint website https://status.checkpoint.com/ there are all services OK. 

0 Kudos
_Val_
Admin
Admin

Hi all,

We are aware of the miscategorization by Application Control / URL Filtering blade, where legitimate traffic is categorized as X-VPN and being dropped accordingly. Right now, a joint Task force that includes both R&D and TAC experts are working together to mitigate the issue.

We will keep you posted

(1)
Nenad_Odic
Contributor

thank you Val,

hope you will sort it out

0 Kudos
_Val_
Admin
Admin

I will update this post once we have a definitive fix.

796570686578
Collaborator

Thank you for your quick response!

Is it possible that you provide a status update in this thread as soon as you get the news that the issue has been resolved? That would would be amazing.

Appreciate you and best regards

FedericoB
Explorer

I'm experiencing the same issue since this mornig. 

0 Kudos
vNenad
Participant
Participant

Hey @_Val_.

This issue has caused disruption, and it raises a question about communication. While we understand technical problems occur, many partners rely on prompt notifications from Check Point to address such situations effectively.

I'd like to inquire why there wasn't a more immediate communication effort to partners regarding this miscategorization issue. Timely updates would have significantly aided troubleshooting and minimized disruption for many organizations. Are there plans to improve communication protocols for future occurrences?

In addition to the previous questions, I'm also interested in:

  • Any recommended workarounds or mitigation strategies in the meantime.
  • Whether there's an estimated timeframe for a resolution.

Thank you for your time and any information you can share.


Sincerely,
Nenad Vijatov

(7)
Nigel_Costar
Participant

Please can we have an update and ETA on the issue this is causing significant disruption for our staff and CP are being frustratingly quiet. the website reports there will be an update every 30 minutes but I do not see any posts regarding this?

(1)
GeoMal86
Explorer

Same here... We have spent an hour thinking that our PCs were infected and trying to find what happened. 

This seems to only be happening on Harmony Connect?

 

Update: nvm, it's happening on all gateways.

Tom_Hinoue
Advisor
Advisor

It seems the issue is occurring for users that are using Full SSL Inspection.
We have a case open to TAC since yesterday but no updates yet.

I noticed X-VPN signature was updated on 8-Apr (Mon) in APPI package No. 070424_1.
If this is the case, then I hope a new package is released soon 🙂

Vincent_Croes
Contributor

This is not the case. We do not use full ssl inspect and are still impacted. 

 

Question to Check Point, when can we expect an official statement?

Tom_Hinoue
Advisor
Advisor

Thanks for sharing.
It's strange because we have many customers but don't experience this issue with only HTTPS categorization... Note we do have Anonymizers to be blocked in the policy.

0 Kudos
Hugo_vd_Kooij
Advisor

Not so weird at all. The detection is based on a perceived header. Without HTTPS inspection you will not be able to look into that traffic to match this.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Vincent_Croes
Contributor

Not 100% what you mean by this but we have multiple environments impacted that are not decrypting one bit of SSL. In other words, SSL inspection is not a pre-requisite to experience this issue. 

HTTPS categorization is enabled.

Tom_Hinoue
Advisor
Advisor

Thanks all for the insight 🙂
I was just wondering because that we have more than hundreds of customers, but only 3-4 reports from the field experiencing this issue, and it was just that all of those 3-4 customers had Full SSLINS enabled.

Btw, I just noticed there was a APPI package update No.110424_1 with just "X-VPN" updated.
Maybe the issue was addressed?🤔

0 Kudos
Nenad_Odic
Contributor

Untitled.png

if you meant this one it does not help still traffic is x-vpn categorized

0 Kudos
nfinney1878
Explorer
Explorer

Where do you see that "X-VPN" was updated?

 

0 Kudos
Tom_Hinoue
Advisor
Advisor

I recieved a mail from APPWIKI_UPDATES just around an hour ago. I haven't checked on MGMT yet... probably the package is still not distributed to the update servers?

 

IMG_0732.png

EngineerActo
Explorer

Seems a bit more complicated than that. Incoming traffic to our own website's webservers with HTTPS-inspection and IPS also gets frequently blocked as X-VPN, but not all, even when the same URL's are requested. Not every browser triggers this protection, but mostly Chrome and MS Edge do.
Not all users are impacted by the issue, or many hours after others were inpacted by the issue. Hopefully it is NOT something that get's distributed to pc's with (cloud) shared/synchronized browser profiles, such as google and microsoft stored browser profiles.

StefanSchmidt
Explorer

Same problem here, seeing this since April 8 4pm CEST

0 Kudos
Hugo_vd_Kooij
Advisor

Stefan, Did you open a service request yet? As you seem to be seeing this 2 to 3 days before most other see it.

And this is the sort of additional insight that might help finding a root cause.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events