Hi All,
I am using the Application Blade as a last line (I use another system for internet filtering) of blocking unwanted traffic and it seems to be working but the block page does not display correctly and also I get warnings on a policy push.
Under Manage & Settings, Application Control & URL Filtering, Advanced Settings, I have checked Categorize HTTPS websites and this states it will allow filtering without using the HTTPS Inspection but this does not help.
Has anyone else come across this or know a fix at all?
Thanks
Hi,
Block page can't be shown on decrypted HTTPS traffic. (In order to show block page, it requires redirect of the traffic which can be done only on clear HTTP traffic OR on traffic directed to proxy).
So in order to get the block page you must enable full HTTPS Inspection solution.
Thanks,
Meital
Hi,
Generally if your policy warning clearly states that HTTPS Inspection should be enabled to have some of your rules working, then you need to enable HTTPS Inspection and the "Categorize HTTPS Sites" setting will not be enough for the enforcement.
I will let the other experts elaborate on the meaning of the "Categorize HTTPS Sites" value.
Just to clarify some things:
1. HTTPS inspection and HTTPS categorization should not be enabled together.
2. If you do not decrypt the traffic, you cannot show block pages to HTTPS sites.
Hi Dor,
Can you please say why we can't have both? (#1)
E.g. I would like to have https inspection for part of the organization and the rest should be bypassed and I still need to enforce filtering of the https resources.
Thanks,
Alex
Hi,
We (R&D) are currently working on supporting both features.
So 'Categorize HTTPS Sites' will work on bypassed traffic by 'HTTPS Inspection rulebase'.
I can't commit to when it will be integrated, but if you are interested in it, you can contact me offline: meitalna@checkpoint.com
Thanks,
Meital
When you enable HTTPS inspection, the HTTPS mechanism will be done in the background.
Explicitly enabling both mechanisms will get you into trouble with HTTPS traffic.
Another problem can arise with what you want to achieve. Once traffic is bypassed by HTTPS inspection, the information gathered on the session is not passed to the Application and URL Filtering blade, and it will not try to evaluate it again. I am discussing it with R&D, but this is the official TAC response.
Guys, I have this need too: some traffic needs SSL inspection and some traffic needs to be bypassed. I'm doing it on different gateways. SSL inspection is enabled on only one gateway object, but HTTPS categorization is a global configuration and I need it on the other gateway (the one that handles the traffic for the networks where we don't need inspection).
Hi,
The features can be enabled together on SmartConsole.
'Categorize HTTPS Sites' won't work only on GWs where HTTPS Inspection is enabled.
But on GWs where HTTPS Inspection is disabled, it should work.
We (R&D) are currently working on supporting both features on the same GW.
So 'Categorize HTTPS Sites' will work on bypassed traffic by 'HTTPS Inspection rulebase'.
I can't commit to when it will be integrated, but if you are interested in it, you can contact me offline: meitalna@checkpoint.com
Thanks,
Meital
I need a resolution to this as well. I don't have SSL inspection on (yet). I do choose to categorize HTTPS websites because I need to do URL filtering and reporting, but I cannot get the block page to show. It just spins and times out. This causes confusion among the user base. I used to be able to get block pages in the PaloAlto world without enabling decryption. Any update or guidance is appreciated.