Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
andersplarsson
Participant
Jump to solution

URL Categorization

Hi,

Two questions:

1. Is URL Categorization based on SNI or "Application Name" (CN name ?) when the gateway is deciding on witch category destination falls in to?

2. Does the categorization not being done when destination has a untrusted certificate?

 

Regards,

Anders Larsson

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

In earlier release (pre-R80.30) only CN was used, now verified SNI is used when available.
Part of the verification process is checking the cert provided by the remote server matches the SNI requested by the client.
HTTPS Inspection actually requires the certificate be signed by a valid CA, not sure this is required merely for categorization.
When this fails for HTTPS Inspection, there are definitely log messages.

View solution in original post

10 Replies
PhoneBoy
Admin
Admin

In earlier release (pre-R80.30) only CN was used, now verified SNI is used when available.
Part of the verification process is checking the cert provided by the remote server matches the SNI requested by the client.
HTTPS Inspection actually requires the certificate be signed by a valid CA, not sure this is required merely for categorization.
When this fails for HTTPS Inspection, there are definitely log messages.

andersplarsson
Participant

Thanks for the reply!

If HTTPS Inspection is not being used only URL-categorization, is there any change of how this is categorized for R81.10?

0 Kudos
_Val_
Admin
Admin

As @PhoneBoy mentioned, with R80.40 and up, we are using a patented SNI validation. As part of it, we request a site certificate and make sure it is valid and corresponds to the rest of web request data: SNI and URL.

The URL categorization is part of this process, and it is done via HTTPS even if you did not enable HTTPSi on your security GW.

andersplarsson
Participant

So if the certificate is not trusted there is no categorization? 

/Anders

0 Kudos
PhoneBoy
Admin
Admin

Actually, the change was introduced in R80.30 and backported to R80.20 JHF.
I believe SNI Verification requires HTTPS Inspection to be enabled in R80.20 and R80.30, but it is not required in R80.40 and above.

0 Kudos
the_rock
Legend
Legend

I am pretty sure what phoneboy said is also done by any other major vendors that do https inspection, but thats the gist of it really.

0 Kudos
_Val_
Admin
Admin

That is not exactly true, I am afraid. I think you misunderstood what PH conveyed 🙂

0 Kudos
the_rock
Legend
Legend

How so? 🙂

0 Kudos
_Val_
Admin
Admin

The main differentiator from the rest of the competitors is SNI validation. Instead of taking it for granted, we actually pull the server certificate and compare its details with the SNI data.

This is, or at least was, unique for Check Point when R80.40 was out, and we filed a patent application for it.

Hope this makes sense.

0 Kudos
the_rock
Legend
Legend

A kk, I see what you mean, makes sense. Though, Im pretty positive that Fortinet and PAN do it nowdays as well.

0 Kudos