Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Christian_Garci
Participant
Jump to solution

Block Only YouTube not Google Applications

Hi Mates,
One question please, we need block only YouTube in App Control and Url Filtering. 
When we try to do that via YouTube App of CheckPoint, the Block dont work becouse Google Service is allow.
When we block Google Service, these Block Gmail and other Google Applications.
The last rule is Allow All and we are not using HTTPs Inspection.

MGMT is 80.10 and Firewall are 77.30.

Do you have any idea how to get to this solution ?

Thanks

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

You need to use HTTPS Inspection.

Google uses a wildcard certificate for many of their properties.

This makes it difficult to differentiate between them without using HTTPS Inspection.

If you use HTTPS Inspection, you can differentiate between these services and enforce the desired policy.

View solution in original post

21 Replies
PhoneBoy
Admin
Admin

You need to use HTTPS Inspection.

Google uses a wildcard certificate for many of their properties.

This makes it difficult to differentiate between them without using HTTPS Inspection.

If you use HTTPS Inspection, you can differentiate between these services and enforce the desired policy.

Christian_Garci
Participant

Ok I understand, HTTPs inspection is necessary but the FW are in HA (Active/StandBy), so what would be the best way to have Check Point Certificates? I mean, if we created each certificate in each FW that would not be a problem when the FW failover?

Thanks

PhoneBoy
Admin
Admin

There is a single Certificate Authority for both gateways in the cluster, which your clients will need to be configured to trust.

This can either be an internal CA or can come from your existing enterprise CA. 

Gateways generate the necessary certificates on the fly signed with this CA key as sites are visited.

0 Kudos
Christian_Garci
Participant

Hi Dameon,

For the FW is clear now but we have too Server Management in HA (Active/Standby), when the StandBy take control What would be the recommendation with the certificate?

Many thanks

PhoneBoy
Admin
Admin

The CA used for HTTPS Inspection is just like any other configuration: synced between management members.

0 Kudos
Hugo_vd_Kooij
Advisor

As far as I know you can put in your own trusted intermediate CA certificate in there for HTTPS inspection.

And you can use it on all gateways if you like.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Evren_Buyer
Contributor

Hi everyone,

I'm new in old question. When we start https inspection on for youtube, yes it blocks the connections but cannot redirect to block notification and it's a problem. Cause this time, clients start to call you about the web site failure instead that they knew they're blocked. Is there a way to resolve that?

Vladimir
Champion
Champion

It does look like you are not inspecting HTTPS.

Are you sure it is configured properly, certificate is distributed to the clients' PCs and that the sites in question are not in bypass?

Additionally, I would recommend blocking QUIC protocol outright high-up in your access control policy in order to avoid side channel bypass of calls made by some of the browsers at some of the sites that will elude the HTTPS inspection. 

PhoneBoy
Admin
Admin

The only way you get the block page is to enable HTTPS Inspection.

Otherwise, it is not possible to inject the block page. 

Evren_Buyer
Contributor

I'm really thankful you both Vladimir Yakovlev‌ and Dameon Welch Abernathy‌ for accurate answers and guidance.

Unfortunately I do inspect youtube int HTTPS inspection as you see my policy rule below. But I think the problem is again the certificate which  both google search and youtube are using the same.

In my case Google Search is not in bypass rule but the Youtube is. So, somehow GW is messing up when the URL is youtube.com and the certificate is Google. But when I start the inspect both (which is totally stupidity to inspect google search or search engines category) everything works fine. I tried to prevent the problem and "redirection" to work properly by  adding a custom rule that contains all youtube URLs just before the bypass cleanup rule  but again no success, cause I think the HTTPS bypass inspection is working before the URL inspection.

This is a difficult situation:

cause according the my HTTPS inspection rule base; 

1) Google Search or Search Engines category are both NOT in bypass rule which is 8th in my rule base.

2) Media Streams that includes  Youtube IS INSPECTED by rule number 9

3) Rest is bypassed by CLEANUP RULE number 10

PhoneBoy
Admin
Admin

The HTTPS Inspection policy only supports URL Filtering categories.

It does not support App Control categories or custom ones.

Which means your Rule 1 has no effect.

0 Kudos
Vladimir
Champion
Champion

May be it makes sense to restrict the use of the objects that shall not be used in the context of the dashboard?

0 Kudos
PhoneBoy
Admin
Admin

Yes, the fact those objects are allowed to be used in SmartDashboard is...problematic.

0 Kudos
Vladimir
Champion
Champion

Would you mind passing it onto R&D?

0 Kudos
PhoneBoy
Admin
Admin

I'm sure Tomer Sole‌ is paying attention to this thread Smiley Happy

Evren_Buyer
Contributor

Hi Vladimir,

I put that rule -just in case- and thought maybe it works. But apparently not ! Smiley Happy

I deleted rule 7 and replaced the inspection rule 9 (now 😎 with bypass rule 8(now 7), nothing changed. https://www.youtube.com/  is still recognized as google.com and  bypassed due to CLEANUP Rule 9  by HTTPS Inspection.

It keeps creating https bypass and Application Control drop logs in an endless loop, cause it does not redirect to the block page and end the connection:

Browser snapshot is much more funny:

Vladimir
Champion
Champion

Can you post the screenshot of the actual access control policy segment that controls access to these applications?

We are looking at the inspection and bypass rules of the HTTPS policy, but I have no idea what the rules that are trying to enforce the access actually are.

0 Kudos
Vladimir
Champion
Champion

Works perfectly fine if:

1. You are inspecting all traffic

2. You are blocking access to youtube in your Access Policy rules

3. You have ICA certificate installed on your PC to get the UserCheck page displayed correctly

 

Vladimir
Champion
Champion

With bypass for search engines configured in HTTPS, I am seeing same thing as you are:

  

With connection being dropped without UserCheck:

And the difference in logs looking like this:

The green section was block with redirect (no bypass).

The red section is block with No UserCheck (bypass for search engines with Application Control Blade in HTTPS inspection policy).

Evren_Buyer
Contributor

Vladimir thank you a lot for paying much attention. I'm glad someone came to my conclusion at last...

The point is:

If you inspect All Traffic or Search Engines (so google.com can be included) (to do so are both madness according to my opinion!) you may block and redirect youtube requests.

If you DO NOT inspect All Traffic or Search Engines (so google.com can be included) you may block youtube (with tens of logs per connection)  but impossible to redirect to block page.

SO,

Isn't  there a way to work this on. I mean inspecting Search Engines or All Traffic must not be the one and only way to do so...

I really appreciate for your time and interest on this matter.

Vladimir
Champion
Champion

Evren,

Generally speaking you do want to inspect majority of the traffic, search engines included.

It only makes sense to exclude categories due to legal requirements, (i.e. banking, healthcare), trusted software update services and the sites that are broken by inspection.

Because Google using a wildcard certificate for all of its services, you cannot differentiate the context before decryption:

  

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events