- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- R80.10 Application Blade Issues
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R80.10 Application Blade Issues
Hi All,
I am using the Application Blade as a last line (I use another system for internet filtering) of blocking unwanted traffic and it seems to be working but the block page does not display correctly and also I get warnings on a policy push.
Under Manage & Settings, Application Control & URL Filtering, Advanced Settings, I have checked Categorize HTTPS websites and this states it will allow filtering without using the HTTPS Inspection but this does not help.
Has anyone else come across this or know a fix at all?
Thanks
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Block page can't be shown on decrypted HTTPs traffic. (In order to show block page, it requires redirect of the traffic which can be done only on clear HTTP traffic OR on traffic directed to proxy).
So in order to get the block page you must enable full HTTPs Inspection solution.
Thanks,
Meital
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Generally if your policy warning clearly states that HTTPS Inspection should be enabled to have some of your rules working, then you need to enable HTTPS Inspection and the "Categorize HTTPS Sites" setting will not be enough for the enforcement.
I will let the other experts elaborate on the meaning of the "Categorize HTTPS Sites" value.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Block page can't be shown on decrypted HTTPs traffic. (In order to show block page, it requires redirect of the traffic which can be done only on clear HTTP traffic OR on traffic directed to proxy).
So in order to get the block page you must enable full HTTPs Inspection solution.
Thanks,
Meital
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to clarify some things
1. Https inspection and https categorization should not be enabled togther
2.if you do not decrypt the traffic you cannot show block pages to https sites
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dor,
Can you please say why we can't have both? (#1)
E.g. I would like to have https inspection for part of the organization and the rest should be bypassed and I still need to enforce filtering of the https resources.
Thanks,
Alex
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We (R&D) are currently working on supporting both features.
So 'Categorize HTTPS Sites' will work on bypassed traffic by 'HTTPS Inspection rulebase'.
I can't commit on when will it be integrated, but if you are interested in it - you can contact me offline: meitalna@checkpoint.com
Thanks,
Meital
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you enable https inspection the https mechanisem will be done on the background.
Explicitly enabling both mechanism will get you troubles with https traffic.
Other problem can arrive with what you want to achive. Once traffic is bypassed by https inspection. The information gathered on the session is not passed to the application and url filtering blade and it will not try to evaluate it again. I am discussing on it with r&d but this is TAC official response
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Guys I have this need too, some traffic need ssl inspection and some traffic need to be bypassed. I'm doing it on differents Gateways. SSL inspection is enabled on only one Gateway object, but Https categorization is a Global configuraton and I need this to the other gateway (that one that hanldle the traffic for that networks that we don't need inspection).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The features can be enabled together on SmartConsole.
'Categorize HTTPS Sites' won't work only on GWs were HTTPS Inspection is enabled.
But on GWs were HTTPS Inspection are disabled - it should work.
We (R&D) are currently working on supporting both features on the same GW.
So 'Categorize HTTPS Sites' will work on bypassed traffic by 'HTTPS Inspection rulebase'.
I can't commit on when will it be integrated, but if you are interested in it - you can contact me offline: meitalna@checkpoint.com
Thanks,
Meital
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need a resolution to this as well. I dont have SSL inspection on (yet). I do choose to categorize HTTPS websites because I need to do url filtering and reporting but I cannot get the block page to show. It just spins and times out. This causes confusion among the user base. I used to be able to get block pages in the PaloAlto world without enabling decryption. Any update or guidance is appreciated.