Matlu
Advisor

Not Inspected Traffic

Hello, everyone,

We are in the process of implementing the IA+APPC&URLF+HTTPS Inspection... blades.

So far everything seems to be going "fine".

We are using the IDC for the IA blade.

We are working with separate layers (1 Firewall layer, 1 APPC+URLF layer).

The rules are working fine so far, but there are some "alerts".

We are blocking access to "Social Networking" for a group of users.

The rule is working, but there is some traffic, such as consumption of the Facebook page, which is not blocked and is allowed to pass.

We are using a self-signed certificate, which is already deployed to the users by GPO.

When a user consumes Facebook via web, the page does open (and this should not happen).

I get the "untrusted site" message from the page, and when I check the certificate, I don't see our certificate, I see the public certificate.

This behavior is happening on some pages, not all.

Do you know what steps can be followed in this scenario, to get pages like Facebook blocked?

Thanks for your help.

0 Kudos
11 Replies
Chris_Atkinson
Employee

Are you using Google Chrome to test or are multiple browsers affected?

Is QUIC traffic blocked or allowed in the environment?

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

Hello,

I had not read about "QUIC Traffic", until now.

Where can I validate that?

We have tested in 3 browsers, Chrome, Edge, Mozilla.

It happens only for "certain" pages.
Facebook web is one of them.
The rest of the pages are being blocked by the rule created.

Greetings.

0 Kudos
the_rock
Legend

There is a built-in QUIC application in R81.20 you can use (not sure about lower versions). If not, you can do the below:

https://support.checkpoint.com/results/sk/sk111754

Also, I attached how I have it set in my lab. It's only the APPC+URLF blade in that layer.

 

Andy

 

Screenshot_1.png

0 Kudos
Matlu
Advisor

Hey, bro

I have version R81.10 in production.

I'm going to check the SK.

The weird thing is that it only happens for certain "web pages".

The rest of the pages are being inspected and blocked according to our policies.

We have the layers separated (as you can see in the following image)

IM2.png, IM1.png

 

Cheers. 🙂

0 Kudos
PhoneBoy
Admin

QUIC traffic is not categorized by Check Point.
There needs to be an explicit rule blocking this service in the Access Policy.

0 Kudos
Matlu
Advisor

Hello, PhoneBoy.

You would have to create an explicit rule in the Firewall layer, denying the "UDP/443" service, which I understand is what QUIC uses, and also create an explicit rule in the APPC+URLF layer, is this correct?

Or is it enough just to create the drop rule in the Firewall layer?

Thank you.

0 Kudos
the_rock
Legend

FW layer is good, bro. The idea is this... whatever is dropped on the first layer, there are no more checks. Whatever is accepted on the FW layer has to be accepted on all additional layers.

Andy

0 Kudos
Matlu
Advisor

Haaa, Ok.

So, I can define an explicit rule only in the Firewall layer, something like this:

Source: Any
Destination: Any
Service: QUIC (UDP/443)
Action: DROP

With this explicit rule, it would be enough for me to block the famous "QUIC", right?

the_rock
Legend

Yes sir 🙂

0 Kudos
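
A simplified model of the ordered-layer behaviour described in the replies above, added here as an illustration (not code from any poster or from Check Point): it shows why uncategorized UDP/443 slips past a category-based block and how an explicit drop in the Firewall layer closes that path. The rule names, the accept-all cleanup rules and the sample connections are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:
    proto: str                # "tcp" or "udp"
    dport: int
    category: Optional[str]   # None = the gateway did not categorize the traffic

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None matches any value
    dport: Optional[int] = None
    category: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        return ((self.proto is None or self.proto == c.proto)
                and (self.dport is None or self.dport == c.dport)
                and (self.category is None or self.category == c.category))

def evaluate(layers, conn):
    """Return (verdict, layer, rule). First match wins inside a layer; a drop
    is final, an accept passes the connection on to the next layer."""
    verdict = ("drop", "-", "no layers")
    for layer_name, rules in layers:
        rule = next((r for r in rules if r.matches(conn)), None)
        if rule is None or rule.action == "drop":
            return ("drop", layer_name, rule.name if rule else "implicit drop")
        verdict = ("accept", layer_name, rule.name)
    return verdict

# Constructed rulebases (hypothetical names, not the poster's real policy).
APPC = [Rule("Block Social Networking", "drop", category="Social Networking"),
        Rule("Cleanup accept", "accept")]
FW_BEFORE = [Rule("Outbound traffic", "accept")]
FW_AFTER = [Rule("Drop QUIC", "drop", proto="udp", dport=443)] + FW_BEFORE

def policy(fw_rules):
    return [("Firewall", fw_rules), ("APPC+URLF", APPC)]

# Constructed connections: the same site over inspected HTTPS and over QUIC.
HTTPS = Conn("tcp", 443, "Social Networking")
QUIC = Conn("udp", 443, None)

if __name__ == "__main__":
    for label, fw in (("before", FW_BEFORE), ("after", FW_AFTER)):
        for name, conn in (("HTTPS", HTTPS), ("QUIC", QUIC)):
            print(label, name, evaluate(policy(fw), conn))
```

Once UDP/443 is dropped, browsers normally retry the site over TCP/443, where HTTPS Inspection and the category rule apply.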
Matlu
Advisor

I will test the recommendation in the work window, because it is very rare that only for certain pages, it does not apply the block filter for web pages.

0 Kudos
Chris_Atkinson
Employee

Are you able to provide a screenshot of the log card showing that the traffic was allowed?

(Please redact sensitive information).

CCSM R77/R80/ELITE
0 Kudos
