Hi all,
We have R77.30 gateway, with HTTPS inspection enabled.
When a user visits a website that matches a blocked category (an obvious example - an adult website), if they go via HTTP, the page is blocked and the user message is displayed. However, if they go to the same site with HTTPS, the page loads fully.
In the logs, I can see HTTPS inspection has inspected the page, and also correctly categorized it (matching a category that should be blocked), however there are no logs in URL filtering. (There is a log in URL filtering when it's correctly blocked over HTTP.)
I have tested with both "categorize HTTPS sites" enabled and disabled, same result - I believe since we are doing full inspection it should be disabled.
Any ideas?
thanks
How did you configure the "Engine Settings"? Hold mode?
It's set to background mode, but as it's the same URL I am always testing to, and the fact categorization is correct in HTTPS inspection logs, I am expecting it to block?
I think that with R80.10 and above there is also a different setting for HTTP.
In case you can see correct categorization with HTTPS, it should block it.
I'm using "hold" mode, but I'm using R80.20/R80.10.
Did you try to check this one? How to clear URL Filtering kernel cache?
Are you serving up your UserCheck page using HTTPS? If not, you can switch this in cluster properties -> UserCheck -> UserCheck Web Portal. Edit the http and change it to https. We sometimes would not get the UserCheck message due to "mixed content" issues. This seems to have resolved it for us.
* How to clear URL Filtering kernel cache?
Tried clearing the cache, but still the same result.
* Access to HTTPS sites is intermittent - web site opens only after the user refreshes the page several times
Had a look but doesn't seem related to our issue.
* Are you serving up your UserCheck page using HTTPS
Just tried changing it, still allows me to fully load well known XXX websites through HTTPS, switch to HTTP and blocks me every time.
Just seems like the https inspection blade is not passing the traffic on to the app+URL blade
A few things to check:
Hello,
Categorise HTTPS is currently off (we are doing full HTTPS inspection), however I have tried it on as well with the same result.
Yes I am testing across a broad range of generic websites (adult, illegal, cloud sharing) all of which open successfully when using https and blocked correctly when using http.
In R77.30, I believe Categorize HTTPS Sites and HTTPS Inspection are mutually exclusive.
But if you're not using HTTPS Inspection, then you definitely need Categorize HTTPS Sites.
As for troubleshooting this, screenshots of "accepted" traffic you think should be blocked would be helpful.
Also, like Dameon said, if users are using Chrome, by default the QUIC protocol is enabled and attempts to use udp/443, which cannot be inspected by Check Point, so definitely check that out as well. It also seems to fit with HTTP blocks working and mixed results of HTTPS sites. You can check the in-browser setting here: chrome://flags/#enable-quic