APPC/URLF enabled added as to the layer and blocking category "Pornography". 

If https://youporn.com is used there is no match for that rule in the Application layer and it's being accepted by the default allow in the end of the application rules. 

If http://youporn.com is used it's being blocked. 

Do you think the *.youporn.com certificate is the problem?

Nope, I think it is a categorization problem. Please report it to Check Point. 

Then perhaps the exception categories should be examined.

Thanks for checking Wolfgang. I hope someone can check it also in R80.10 without https inspection. 

checked with R80.10, blocked without HTTPS inspection

Wolfgang, thanks again for checking. Does R80.10 support having both HTTPS inspection and "Categorize HTTPS websites" enabled concurrently? When you tested did you have both enabled (without having your source machine going through HTTPS inspection?

Right, the reason that full HTTPS Inspection must be enabled in that case is that the server's certificate name/subject does not match the actual domain/website being requested by the user.  In R80.30 it is planned to be able to leverage the Server Name Indication (SNI) provided by the client for filtering, instead of what the server's certificate says.  Should definitely help with this particular situation.  I think there may be a special version of R80.20 that supports SNI inspection as well.

The following is new in r80.30:

- SNI Support

- TLS1.3

Regards

Heiko

Hmm.. Tim, I think I may be missing something here:

The URL itself contains the word "porno".

We may surmise that the back-end categorization of sites would parse it out, we'll have the regex match for the categorization and would prevent even the DNS portion of communication.

So why are we even performing lookup of this URL's IP, connecting to it, analyzing its certificate etc.. ?

Of course relying strictly on DNS is not a solution, for all we know the site could have a URL of "https://www.cakebaking.com" and be a porn site. The issue with Cloudflare is also a possibility, albeit is not a prevalent situation yet. That being said, if we do see the URL in the clear and if the portion of its name does clearly indicate its intended use, why not take advantage of it at this early stage and forego additional processing just to block it?

I also wander if in this case, the categorization is st to "Hold":

And if this will help.

Doesn't matter if the URL requested by the client contains the word "porno", that is not what the firewall is looking at for categorization.  It is looking at the site name in the certificate sent by the remote server, which does not necessarily match the site name requested by the client.  This difference is what will be addressed by SNI inspection.  Some large social media companies have taken advantage of this difference in an attempt to avoid filtering and keep their users engaged 24/7 even at work where the site is supposed to be blocked.  All "to help ensure the privacy of their users".  Yeah right...

What about http:// sites?

I mean what is wrong, conceptually, with the idea of categorization based on the content of the site's name in addition to the SNI? In the end, it is looking at the strings identifying the sites, it is just in case of SNI inspection it is retrieving them from the certs.

Hi D_W,

I have HTTPS inspection active for only specific sources and also categorize HTTPS websites enabled. Turned off HTTPS inspection and the App/URL now stops the porn sites. I have some questions left:

1. What is the reason that having both HTTPS inspection and categorize HTTPS sites doesn't work in R80.10?

2. If i had to choose only one of these in R80.10, forexample HTTPS inspection and turned off categorization of HTTPS sites. How reliable is the APP/URL blade to stop HTTPS sites that belong to pornography category without being HTTPS inspected?

@PhoneBoy  do you have any input on these questions? 

I am having a issue with URL Categorization. Can i clarify when HTTPS Categorization is turned on and i visit a website for example https://www.check4d.com, will the URL filtering check the URL https://www.check4d.com OR the CN of the certificate of the server. The snippet below shows the cert CN = sni172113.cloudflaressl.com. When this URL is keyed into URL categorization , it shows the category of "Computers/Internet". When i key in https://www.check4d.com, it shows category of "Gambling". Tried playing with the rules of blocking Computers/Internet, it works. But when I block category "Gambling" it went through. So I am assuming the URL Categorization is taking the CN url which is SNI172113.clodflaressl.com? Please advise. Thanks all.

We're also experiencing this issues on R80.20 for pornography sites or gambling sites hosted on cloudflare, for example http://13.228.235.219/ .  HTTPS categorization is enabled, but the site is not recognized under HTTPS. We opened a TAC case for another customer on R80.10 with this issue also, and the only viable solution is to enable HTTPS Inspection based on sk121532.

If you recall, I've brought this subject up in our meeting with Top Brass, but am not sure if it registered. The idea is not that this single method must be 100% foolproof, but that it works when it otherwise does not and reduces the workload of the gateways while at it.