URL Filtering Doesn't work on HTTPS

Ryan_Ryan · ‎2018-10-09

Hi all,

We have R77.30 gateway, with HTTPS inspection enabled.

When a user visits a website that matches a blocked category (an obvious example - an adult website) if they go via HTTP, the page is blocked and user message is displayed. However if they go to the same site with https, the page loads fully.

In the logs, I can see HTTPS inspection has inspected the page, and also correctly categorized it (matching a category that should be blocked), however there are no logs in URL filtering. (There is a log in URL filtering when its correctly blocked over http)

I have tested with both "categorize HTTPS sites" enabled and disabled, same result, - I believe since we are doing full inspection it should be disabled.

Any ideas?

thanks

Ofir_Shikolski · ‎2018-10-09

How you configured the "Engine Settings"?hold mode?

Ryan_Ryan · ‎2018-10-09

It's set to background mode, but as its the same URL I am always testing to, and the fact categorization is correct in https inspection logs, I am expecting it to block?

Ofir_Shikolski · ‎2018-10-09

I think that with R80.10 and above there is also a different settings for HTTP .

in case you can see correct categorization with HTTPS, it should block it.

I'm using "hold" mode , but I"m using R80.20/R80.10

Did try to check this one ? How to clear URL Filtering kernel cache?

+ Access to HTTPS sites is intermittent - web site opens only after the user refreshes the page severa...

Alex_Weldon · ‎2018-10-10

Are you serving up your UserCheck page using HTTPS? If not, you can switch this in cluster properties -> UserCheck -> UserCheck Web Portal. Edit the http and change it to https. We sometimes would not get the UserCheck message due to "mixed content" issues. This seems to have resolved it for us.

Ryan_Ryan · ‎2018-10-10

* How to clear URL Filtering kernel cache?
tried clearing the cache, but still the same result

* Access to HTTPS sites is intermittent - web site opens only after the user refreshes the page several times
Had a look but doesnt seem related to our issue

* Are you serving up your UserCheck page using HTTPS
Just tried changing it, still allows me to fully load well known XXX websites through HTTPS, switch to http and blocks me everytime

Just seems like the https inspection blade is not passing the traffic on to the app+URL blade

PhoneBoy · ‎2018-10-12

A few things to check:

Is Categorize HTTPS Sites on?

Is the traffic really HTTPS and not, say, QUIC or HTTP/2? We only categorize HTTP/HTTPS traffic, not QUIC or HTTP/2, which should be blocked in your App Control policies.

Ryan_Ryan · ‎2018-10-14

Hello,

Categorise HTTPS is currently off (we are doing full https inspection) however have tried it on aswell with the same result.

Yes I am testing across a broad range of generic websites (adult, illegal, cloud sharing) all of which open successfully when using https and blocked correctly when using http.

PhoneBoy · ‎2018-10-14

In R77.30, I believe Categorize HTTPS Sites and HTTPS Inspection are mutually exclusive.

But if you're not using HTTPS Inspection, then you definitely need Categorize HTTPS Sites.

As for troubleshooting this, screenshots of "accepted" traffic you think should be blocked would be helpful.

Alex_Weldon · ‎2018-10-15

Also, like Dameon said, if users are using Chrome by default QUIC protocol is enabled and attempts to use udp/443 which cannot be inspected by Check Point so definitely check that out as well. It also seems to fit with HTTP blocks working and mixed results of HTTPS sites. You can check the in browser setting here: chrome://flags/#enable-quic