Bruno_Moniz
Participant

URL Filtering and Application Control in my R80.20 not dropping categories

Hello everyone!

I'm having a strange behavior with URL Filtering and Application Control in my R80.20.

In the beginning, when we installed the blade for the first time, we created a Drop (with Block Notification) rule in Application to block stuff like Media Streams, Sex, Spam, etc., and it was working perfectly. Except for YouTube. I know that we need to have HTTPS Inspection active for this to work properly, but it was working for almost everything (Facebook, Twitter, and others).

The rule:

Then we tried to activate HTTPS Inspection, but something went wrong and all HTTPS sites were having problems. We decided to revert the activation.

After this, all categories in this rule are not dropping. The behavior is always the same:

- We access the website.

- Chrome or IE gives us "It's not possible to access the site" with the ERR_CONNECTION_RESET.

- After 1 or 2 seconds, the site refreshes and enters the website.

I've never seen this problem. I've searched everywhere and did not find anything related to it.

What bothers me is that it was working and suddenly, puff :(

Any thoughts of what I can do to find the root cause for what's happening?

Best regards,

Bruno Moniz

18 Replies
Alessandro_Marr
Advisor

Hello Bruno, did you check sk92888?

When you enabled http inspection, did you also install the certificate on the computers?

0 Kudos
Bruno_Moniz
Participant

Hello Alessandro,

The first time we activated https inspection we:

- imported the certificate with a password to the gateway.

- imported the same certificate with a password and distributed by GPO in Trusted Root Certificate.

It didn't work.

Now we have made another configuration but haven't tested it yet:

- imported the certificate with a password to the gateway.

- exported the .cer certificate from the gateway.

- imported and distributed the .cer file in Trusted Root Certificate Authorities and in Trusted Publishers.

But isn't it weird that when we rolled back the activation of HTTPS inspection, suddenly, categories defined in some rules of URL and Application Filtering stopped working? They were working before activation.

Best regards,

Bruno

Alessandro_Marr
Advisor

Do you have secureXL enabled? 

0 Kudos
Bruno_Moniz
Participant

Alessandro de Lima Marreiro wrote:

Do you have secureXL enabled? 

Yes, I have.

0 Kudos
Matt_Ricketts
Employee

It seems to me like SSLi is still being enforced. Or at least that is what it sounds like. In Chrome, when you get that ERR Connection Reset, hit F12, click on Security and View the cert. Is it the proper cert for that site?

The other thing you may want to do is clear your cache, or try Incognito mode to that same reset site. I literally this morning had an issue connecting to an SSL site but it worked inside of Incognito. Clearing my cache corrected it. Granted I do not have SSLi enabled, but it worked a few hours before.

Bruno_Moniz
Participant

Matt Ricketts wrote:

It seems to me like SSLi is still being enforced. Or at least that is what it sounds like. In Chrome, when you get that ERR Connection Reset, hit F12, click on Security and View the cert. Is it the proper cert for that site?

I've walked this path when trying to figure out what was happening. It has the proper cert for the site.

Matt Ricketts wrote:

The other thing you may want to do is clear your cache, or try Incognito mode to that same reset site. I literally this morning had an issue connecting to an SSL site but it worked inside of Incognito. Clearing my cache corrected it. Granted I do not have SSLi enabled, but it worked a few hours before.

I've tried this too, without success.

0 Kudos
tapiwaah
Explorer

I had the same issue and I cleared the cache on Chrome and it's now working.

0 Kudos
Bruno_Moniz
Participant

Hello everyone,

I have some interesting updates for you all.

With the help of our support contract team, we found out that the Application Control and URL Filtering Rules with Block Notification are causing the bypass of the rule. If we add just one rule with block notification all goes crazy.

Our block notifications are in Portuguese and I configured the notification to appear only in Portuguese, disabling the English one. I also noticed that by default, the preferred language for new UserCheck messages is English, and I don't know if this is a problem.

The problem was escalated to Check Point support, let's see what happens now.

Best regards,

Bruno Moniz

0 Kudos
Alessandro_Marr
Advisor

After the reply above I have to answer in Portuguese too... lol... I've seen scenarios where the Portuguese text was placed in the English language configuration to work around problems...

Bruno_Moniz
Participant

Alessandro de Lima Marreiro wrote:

After the reply above I have to answer in Portuguese too... lol... I've seen scenarios where the Portuguese text was placed in the English language configuration to work around problems...

If it has to be

0 Kudos
ramtinrezaei
Explorer

Hello,

Do you have any update on this issue? I have the same one.

Thanks in advance

0 Kudos
lucafabbri365
Collaborator

Hello @Bruno_Moniz,

do you have any update regarding this issue? We are experiencing exactly the same: 

1. Sometimes (it is happening randomly), the browser gives "ERR_CONNECTION_RESET"
2. After 1 or 2 seconds, the site refreshes and enters the website.

The site itself doesn't belong to any blocked category. We have similar categories blocking rule with block notification message (English).

Environment: Check Point R80.20 cluster (two nodes) with Take 87 and SecureXL enabled.

Thank you,
Luca

0 Kudos
Maarten_Sjouw
Champion

The first problem I have seen in this thread is that the certificate used was wrong: it was not a Certificate Authority but an SSL certificate.
The gateway needs a subordinate CA to be able to generate its own certificates. Either create a subordinate CA from an MS Certificate server, as this is trusted already by your clients that are connected to your AD, OR create one on the Check Point SmartConsole and distribute the CA files by GPO.
Regards, Maarten
0 Kudos
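
The distinction drawn in the reply above (a CA certificate versus an SSL server certificate) can be checked with the `openssl` CLI before a file is imported into the gateway. This is an added example, not part of the original thread and not Check Point tooling; it assumes a PEM-encoded certificate, and the function names and the two self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a PEM certificate can issue other certificates.

# is_signing_ca FILE: 0 = CA with keyCertSign, 1 = not a signing CA, 2 = unreadable
is_signing_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# verdict FILE: print a one-word result for reports
verdict() {
    rc=0; is_signing_ca "$1" || rc=$?
    case $rc in
        0) echo "CA" ;;
        1) echo "NOT-CA" ;;
        *) echo "UNREADABLE" ;;
    esac
}

# make_sample DIR NAME SECTION: constructed, self-signed test certificate
make_sample() {
    cat > "$1/$2.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample.example
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -extensions "$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo" subca v3_ca      # stands in for a subordinate CA
make_sample "$demo" server v3_leaf   # stands in for an SSL server certificate
for name in subca server; do
    echo "$name.pem: $(verdict "$demo/$name.pem")"
done
rm -rf "$demo"
```

A certificate that reports `NOT-CA` lacks the basic constraint and key usage needed to sign the per-site certificates an inspecting gateway generates.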
lucafabbri365
Collaborator

Hello @Maarten_Sjouw ,
we are using Microsoft Certification Authority (AD integrated); Check Point is using a subordinate CA (see example below).

Check Point CA.png

So this shouldn't be the case.

Bye,
Luca

0 Kudos
Maarten_Sjouw
Champion

Please check the Website Categorization mode; it could be set to Hold.
To get there: on the left, select Manage & Settings - Blades - Application Control & URL Filtering - Advanced Settings - Check Point online web service.
Regards, Maarten
0 Kudos
lucafabbri365
Collaborator

Hello @Maarten_Sjouw,
it was set as "Background - requests are allowed until categorization is complete".

Categorization.png

All websites should be allowed until categorization is complete. Websites for which I get the error "ERR_CONNECTION_RESET" don't belong to a blocked category.
Instead, when I try to surf to a website that is not yet categorized but belongs to a blocked category (e.g. pornography), I can access it until the categorization process finishes (so the setting above is met).

So, does the setting above really have to do with the encountered issue?

Bye,
Luca

0 Kudos
thomas_murray
Explorer

Was a solution to this found? I am seeing a similar issue with connection resets in Chrome appearing across multiple websites.

Thanks,
Tom

0 Kudos
jmdesco
Explorer

We do not have SSL inspection enabled but we are also seeing an issue of being allowed in Security policy

0 Kudos
