Hello, everyone,
We are in the process of implementing the IA+APPC&URLF+HTTPS Inspection... blades.
So far everything seems to be going "fine".
We are using the IDC for the IA blade.
We are working with separate layers (1 Firewall layer, 1 APPC+URLF layer).
The rules are working fine so far, but there are some "alerts".
We are blocking access to "Social Networking" for a group of users.
The rule is working, but there is some traffic, such as browsing the Facebook page, which is not blocked and is allowed to pass.
We are using a self-signed certificate, which is already deployed to the users by GPO.
When a user browses Facebook on the web, the page does open (and this should not happen).
I get the "untrusted site" message from the page, and when I check the certificate, I don't see our certificate, I see the public certificate.
This behavior is happening on some pages, not all.
Do you know what steps can be followed in this scenario, to get pages like Facebook blocked?
Thanks for your help.
Are you using Google Chrome to test or are multiple browsers affected?
Is Quic traffic blocked or allowed in the environment?
Hello,
I had not read about "QUIC Traffic", until now.
Where can I validate that?
We have tested in 3 browsers, Chrome, Edge, Mozilla.
It only happens for "certain" pages.
Facebook web is one of them.
The rest of the pages are being blocked by the rule we created.
Greetings.
There is a built-in QUIC application in R81.20 you can use (not sure about lower versions). If not, you can do the below:
https://support.checkpoint.com/results/sk/sk111754
Also, I attached how I have it set in my lab. It's only the APPC+URLF blade in that layer.
Andy
Hey, bro
I have version R81.10 in production.
I'm going to check the SK.
The weird thing is that it only happens for certain "web pages".
The rest of the pages are being inspected and blocked according to our policies.
We have the layers separated (as you can see in the following image)
Cheers. 🙂
QUIC traffic is not categorized by Check Point.
There needs to be an explicit rule blocking this service in the Access Policy.
Hello, PhoneBoy.
You would have to create an explicit rule in the Firewall layer denying the "UDP/443" service, which I understand is what QUIC uses, and also create an explicit rule in the APPC+URLF layer, is this correct?
Or is it enough just to create the drop rule in the Firewall layer?
Thank you.
FW layer is good, bro. The idea is this: whatever is dropped on the first layer, there are no more checks. Whatever is accepted on the FW layer has to be accepted on all additional layers.
Andy
Haaa, Ok.
So, I can define an explicit rule only in the Firewall layer, something like this:
Source: Any
Destination: Any
Service: QUIC (UDP/443)
Action: DROP
With this explicit rule, it would be enough for me to block the famous "QUIC", right?
Yes sir 🙂
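The two points made above, that a UDP/443 QUIC flow is not categorized by the APPC+URLF layer and that a drop in the first ordered layer ends evaluation while an accept only hands the flow to the next layer, can be checked in a small model. The following is an added example written for this page, not Check Point code and not posted by anyone in the thread: it models ordered-layer evaluation over two constructed policies (with and without the explicit "Block QUIC" UDP/443 rule in the Firewall layer), recognizes a QUIC long header on a UDP payload (the same check you could run against a capture to validate whether QUIC is present, which answers the "where can I validate that?" question above), and treats a QUIC Initial as uncategorized. The category database, group names, hostnames, rule names and packet bytes are all constructed for illustration.

```python
"""Model of ordered-layer policy evaluation showing why a UDP/443 (QUIC) flow
slips past an APPC+URLF "Social Networking" block and how an explicit QUIC
drop rule in the Firewall layer fixes it. Added example, not Check Point code;
all names and packets below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUIC_VERSION_1 = 0x00000001


def looks_like_quic(payload: bytes) -> bool:
    """Heuristic QUIC detection on a UDP payload (RFC 9000 section 17.2):
    a long header sets bit 0x80 in the first byte and is followed by a 4-byte
    version. Accepts QUIC v1 and the reserved greasing pattern 0x?a?a?a?a."""
    if len(payload) < 5 or not payload[0] & 0x80:
        return False
    version = int.from_bytes(payload[1:5], "big")
    return version == QUIC_VERSION_1 or (version & 0x0F0F0F0F) == 0x0A0A0A0A


@dataclass
class Flow:
    user_group: str             # group the IA blade resolved the user to
    proto: str                  # "tcp" or "udp"
    dport: int
    server_name: Optional[str]  # SNI visible to HTTPS inspection, if any
    payload: bytes              # first bytes of the first client packet


# Constructed URL-filtering database for the example.
CATEGORY_DB = {
    "www.facebook.com": "Social Networking",
    "intranet.example.com": "Business Applications",
}


def categorize(flow: Flow) -> Optional[str]:
    """What the APPC/URLF engine can say about a flow in this model: a QUIC
    Initial is not categorized (returns None); a TLS ClientHello over TCP
    exposes the SNI, which is looked up in the category database."""
    if flow.proto == "udp" and looks_like_quic(flow.payload):
        return None
    return CATEGORY_DB.get(flow.server_name or "")


@dataclass
class Rule:
    name: str
    action: str                            # "accept" or "drop"
    src_group: str = "Any"
    service: Tuple[str, int] = ("any", 0)  # (proto, dport); ("any", 0) = Any
    category: str = "Any"                  # APPC/URLF category column

    def matches(self, flow: Flow, category: Optional[str]) -> bool:
        if self.src_group not in ("Any", flow.user_group):
            return False
        if self.service != ("any", 0) and self.service != (flow.proto, flow.dport):
            return False
        return self.category == "Any" or category == self.category


Layer = Tuple[str, List[Rule]]


def evaluate(policy: List[Layer], flow: Flow) -> Tuple[str, List[str]]:
    """Ordered layers: the first matching rule decides the layer. A drop in any
    layer is final; an accept only passes the flow to the next layer, so the
    flow is accepted only if every layer accepts. A layer with no matching
    rule falls to its implicit cleanup rule, modelled here as drop."""
    category = categorize(flow)
    trace: List[str] = []
    for layer_name, rules in policy:
        for rule in rules:
            if rule.matches(flow, category):
                trace.append(f"{layer_name}: {rule.name} -> {rule.action}")
                if rule.action == "drop":
                    return "drop", trace
                break
        else:
            trace.append(f"{layer_name}: implicit cleanup -> drop")
            return "drop", trace
    return "accept", trace


APPC_URLF_LAYER: Layer = ("APPC+URLF", [
    Rule("Block Social Networking", "drop", src_group="Marketing",
         category="Social Networking"),
    Rule("Cleanup", "accept"),
])
POLICY_BEFORE: List[Layer] = [
    ("Firewall", [Rule("Allow outbound", "accept"), Rule("Cleanup", "drop")]),
    APPC_URLF_LAYER,
]
POLICY_AFTER: List[Layer] = [
    ("Firewall", [
        Rule("Block QUIC", "drop", service=("udp", 443)),  # Src Any, Dst Any
        Rule("Allow outbound", "accept"),
        Rule("Cleanup", "drop"),
    ]),
    APPC_URLF_LAYER,
]

# Constructed client packets: a QUIC v1 Initial header and a TLS record header.
QUIC_INITIAL = bytes([0xC3]) + QUIC_VERSION_1.to_bytes(4, "big") + b"\x08" + b"\x00" * 8
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x00\x01"

QUIC_FLOW = Flow("Marketing", "udp", 443, None, QUIC_INITIAL)
TLS_FLOW = Flow("Marketing", "tcp", 443, "www.facebook.com", TLS_CLIENT_HELLO)

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        for flow in (QUIC_FLOW, TLS_FLOW):
            verdict, trace = evaluate(policy, flow)
            print(f"{label:6} {flow.proto}/{flow.dport}: {verdict:6} via {' | '.join(trace)}")
```

Running it shows the two traces that matter: before the rule, the QUIC flow is accepted by "Allow outbound", reaches the APPC+URLF layer with no category, misses the Social Networking block and is accepted by that layer's cleanup rule; after the rule, the same flow is dropped by "Block QUIC" in the Firewall layer and never reaches the second layer, while the TCP/443 flow to www.facebook.com is still accepted by the Firewall layer and then dropped by the Social Networking rule, which is exactly the "accepted on FW, then checked by every later layer" behaviour described above.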
I will test the recommendation in the maintenance window, because it is very odd that it does not apply the block filter for web pages only for certain pages.
Are you able to provide a screenshot of the log card showing that the traffic was allowed?
(Please redact sensitive information).