Neil_Davey
Participant

R80.10 Application Blade Issues

Hi All,

I am using the Application Blade as a last line (I use another system for internet filtering) of blocking unwanted traffic and it seems to be working but the block page does not display correctly and also I get warnings on a policy push.

Under Manage & Settings, Application Control & URL Filtering, Advanced Settings, I have checked Categorize HTTPS websites and this states it will allow filtering without using the HTTPS Inspection but this does not help.

Has anyone else come across this or know a fix at all?

Thanks

1 Solution

Accepted Solutions
Meital_Natanson
Employee

Hi,

Block page can't be shown on decrypted HTTPS traffic. (In order to show block page, it requires redirect of the traffic which can be done only on clear HTTP traffic OR on traffic directed to proxy).

So in order to get the block page you must enable full HTTPS Inspection solution.

Thanks,

Meital
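
Why the redirect only works on clear HTTP, as an added example that is not part of the original thread and not Check Point code: a local stand-in for a gateway without HTTPS Inspection answers every connection with a plaintext 302 to a block page. The hostnames, the block-page URL and the `fetch` helper are constructed for illustration; real gateway behaviour is not modelled.

```python
import socket
import ssl
import threading

# Constructed block-page redirect; the URL is a placeholder, not a real gateway path.
BLOCK_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: http://gateway.example/blockpage\r\n"
                  b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def _gateway_once(listener):
    """Stand-in for a gateway that cannot decrypt: it reads whatever the
    client sent and replies with a plaintext redirect to the block page."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        try:
            conn.recv(4096)              # HTTP request or TLS ClientHello
            conn.sendall(BLOCK_REDIRECT)
        except OSError:
            pass


def fetch(use_tls):
    """Return what the client ends up with: a status line or a handshake error."""
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=_gateway_once, args=(listener,), daemon=True).start()
    port = listener.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            if not use_tls:
                raw.sendall(b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")
                return raw.recv(4096).split(b"\r\n")[0].decode()
            ctx = ssl.create_default_context()
            try:
                with ctx.wrap_socket(raw, server_hostname="blocked.example"):
                    return "handshake completed"
            except OSError as exc:       # ssl.SSLError is a subclass of OSError
                return "TLS handshake failed: " + type(exc).__name__
    finally:
        listener.close()


if __name__ == "__main__":
    print("HTTP :", fetch(use_tls=False))
    print("HTTPS:", fetch(use_tls=True))
```

Over HTTP the client receives the 302 and can follow it to the block page; over TLS the same bytes are not a valid handshake record, so the browser reports a connection error instead of rendering anything.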


9 Replies
Tomer_Sole
Mentor

Hi,

Generally if your policy warning clearly states that HTTPS Inspection should be enabled to have some of your rules working, then you need to enable HTTPS Inspection and the "Categorize HTTPS Sites" setting will not be enough for the enforcement.

I will let the other experts elaborate on the meaning of the "Categorize HTTPS Sites" value.

Dor_Marcovitch
Advisor

Just to clarify some things

1. HTTPS inspection and HTTPS categorization should not be enabled together.

2. If you do not decrypt the traffic you cannot show block pages to HTTPS sites.

Alex_Sazonov
Employee

Hi Dor,

Can you please say why we can't have both? (#1)

E.g. I would like to have https inspection for part of the organization and the rest should be bypassed and I still need to enforce filtering of the https resources.

Thanks,

Alex

Meital_Natanson
Employee

Hi,

We (R&D) are currently working on supporting both features.

So 'Categorize HTTPS Sites' will work on traffic bypassed by the 'HTTPS Inspection rulebase'.

I can't commit to when it will be integrated, but if you are interested in it, you can contact me offline: meitalna@checkpoint.com

Thanks,

Meital

Dor_Marcovitch
Advisor

When you enable HTTPS inspection, the HTTPS mechanism will be done in the background.

Explicitly enabling both mechanisms will get you into trouble with HTTPS traffic.

Another problem can arise with what you want to achieve. Once traffic is bypassed by HTTPS inspection, the information gathered on the session is not passed to the Application and URL Filtering blade and it will not try to evaluate it again. I am discussing it with R&D, but this is TAC's official response.

Felipe_Goulart
Explorer

Guys, I have this need too: some traffic needs SSL inspection and some traffic needs to be bypassed. I'm doing it on different gateways. SSL inspection is enabled on only one gateway object, but HTTPS categorization is a global configuration and I need it for the other gateway (the one that handles the traffic for the networks that don't need inspection).

Meital_Natanson
Employee

Hi,

The features can be enabled together on SmartConsole.

'Categorize HTTPS Sites' won't work only on GWs where HTTPS Inspection is enabled.

But on GWs where HTTPS Inspection is disabled, it should work.

We (R&D) are currently working on supporting both features on the same GW.

So 'Categorize HTTPS Sites' will work on traffic bypassed by the 'HTTPS Inspection rulebase'.

I can't commit to when it will be integrated, but if you are interested in it, you can contact me offline: meitalna@checkpoint.com

Thanks,

Meital

Justin_Hickey
Collaborator

I need a resolution to this as well. I don't have SSL inspection on (yet). I do choose to categorize HTTPS websites because I need to do URL filtering and reporting, but I cannot get the block page to show. It just spins and times out. This causes confusion among the user base. I used to be able to get block pages in the Palo Alto world without enabling decryption. Any update or guidance is appreciated.
