URL Filtering Doesn't work on HTTPS
Hi all,
We have an R77.30 gateway, with HTTPS inspection enabled.
When a user visits a website that matches a blocked category (an obvious example: an adult website), if they go via HTTP, the page is blocked and the user message is displayed. However, if they go to the same site with HTTPS, the page loads fully.
In the logs, I can see HTTPS inspection has inspected the page, and also correctly categorized it (matching a category that should be blocked); however, there are no logs in URL filtering. (There is a log in URL filtering when it's correctly blocked over HTTP.)
I have tested with both "categorize HTTPS sites" enabled and disabled, same result. I believe since we are doing full inspection it should be disabled.
Any ideas?
Thanks
How have you configured the "Engine Settings"? Hold mode?
It's set to background mode, but as it's the same URL I am always testing, and given the fact that categorization is correct in the HTTPS inspection logs, I am expecting it to block?
I think that with R80.10 and above there are also different settings for HTTP.
In case you can see correct categorization with HTTPS, it should block it.
I'm using "hold" mode, but I'm using R80.20/R80.10.
Did you try to check this one? How to clear URL Filtering kernel cache?
Are you serving up your UserCheck page using HTTPS? If not, you can switch this in cluster properties -> UserCheck -> UserCheck Web Portal. Edit the http and change it to https. We sometimes would not get the UserCheck message due to "mixed content" issues. This seems to have resolved it for us.
* How to clear URL Filtering kernel cache?
Tried clearing the cache, but still the same result.
* Access to HTTPS sites is intermittent - web site opens only after the user refreshes the page several times
Had a look but it doesn't seem related to our issue.
* Are you serving up your UserCheck page using HTTPS
Just tried changing it; it still allows me to fully load well-known XXX websites through HTTPS. Switch to HTTP and it blocks me every time.
Just seems like the HTTPS inspection blade is not passing the traffic on to the app+URL blade.
A few things to check:
- Is Categorize HTTPS Sites on?
- Is the traffic really HTTPS and not, say, QUIC or HTTP/2? We only categorize HTTP/HTTPS traffic, not QUIC or HTTP/2, which should be blocked in your App Control policies.
Hello,
Categorise HTTPS is currently off (we are doing full HTTPS inspection); however, I have tried it on as well with the same result.
Yes, I am testing across a broad range of generic websites (adult, illegal, cloud sharing), all of which open successfully when using HTTPS and are blocked correctly when using HTTP.
In R77.30, I believe Categorize HTTPS Sites and HTTPS Inspection are mutually exclusive.
But if you're not using HTTPS Inspection, then you definitely need Categorize HTTPS Sites.
As for troubleshooting this, screenshots of "accepted" traffic you think should be blocked would be helpful.
Also, like Dameon said, if users are using Chrome, the QUIC protocol is enabled by default and attempts to use udp/443, which cannot be inspected by Check Point, so definitely check that out as well. It also seems to fit with HTTP blocks working and mixed results on HTTPS sites. You can check the in-browser setting here: chrome://flags/#enable-quic
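An added example, not part of the thread or any Check Point tooling: one way servers advertise QUIC to browsers is the Alt-Svc response header, so parsing it from a test site's response (for instance as seen in browser dev tools) shows whether a client may move to udp/443 and away from the inspected TCP path. The function names and the sample header values are assumptions constructed for illustration.

```python
import re

# Alt-Svc protocol tokens that mean "reachable over QUIC (UDP)": h3, drafts
# such as h3-29, and the older Google "quic" token.
QUIC_TOKEN = re.compile(r"^(h3(-\w+)?|quic)$", re.IGNORECASE)
# Split on commas that are not inside a quoted string.
ENTRY_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_alt_svc(header):
    """Parse an Alt-Svc header value (RFC 7838) into a list of dicts."""
    header = header.strip()
    if not header or header.lower() == "clear":
        return []  # "clear" withdraws all previously advertised alternatives
    entries = []
    for item in ENTRY_SPLIT.split(header):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts or "=" not in parts[0]:
            continue  # malformed entry, skip it
        proto, authority = parts[0].split("=", 1)
        host, _, port = authority.strip().strip('"').rpartition(":")
        params = {}
        for p in parts[1:]:
            key, _, value = p.partition("=")
            params[key.strip().lower()] = value.strip().strip('"')
        entries.append({
            "proto": proto.strip(),
            "host": host,  # empty string means "same host as the origin"
            "port": int(port) if port.isdigit() else None,
            "params": params,
        })
    return entries

def quic_udp_ports(header):
    """UDP ports a browser may move to after seeing this Alt-Svc value."""
    return sorted({e["port"] for e in parse_alt_svc(header)
                   if QUIC_TOKEN.match(e["proto"]) and e["port"] is not None})

# Constructed sample header values (not captured from any real site).
SAMPLES = {
    "h3 and h2 alternatives": 'h3=":443"; ma=86400, h2="alt.example.net:8443"',
    "legacy Google QUIC": 'quic=":443"; ma=2592000; v="44,43,39"',
    "TCP only": 'h2=":443"; ma=3600',
    "withdrawn": "clear",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        ports = quic_udp_ports(value)
        print(f"{label}: QUIC on udp/{ports}" if ports else f"{label}: no QUIC advertised")
```

A non-empty result for a test site means the block decision has to be verified with QUIC disabled in the browser or udp/443 blocked, as the replies above suggest.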
