This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ugur_Urel
Explorer
‎2019-05-15 05:26 AM

User web activity application detection

Hi all,

In the "Application and URL Filtering" report of the Smart Event, in the "high bandwidth user" view, for some users we see applications like "HTTP/2 over TLS" and "SSL Protocol". Beside these applications we can also see applications like youtube, facebook etc. (I have attached a picture from an example report)

What we want to understand is what kind of access generates these traffics? ("HTTP/2 over TLS" and "SSL Protocol"). These applications seems like protocols, not applications, so in stead of these shouldn't we need to see the real application/site?

Capture.PNG

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-05-17 03:45 PM

HTTP2 comes from web browsers.
SSL shows for things that aren't necessarily web browsers but are clearly communicating using it.
Would need to see screenshots of example logs and the relevant matched rule(s) to comment further.
0 Kudos
Chris_Atkinson
Employee
Employee
‎2019-05-18 05:36 AM
In response to PhoneBoy

For additional context is the gateway configured for HTTPS inspection and what version is it installed with , R80.30 (with SNI)?

0 Kudos
Ugur_Urel
Explorer
‎2019-05-27 05:36 AM
In response to Chris_Atkinson

Hi,

 

Thank you for the replies. I have attached some logs and the relevant rule. In the rule "Genel Erisi..." is a site group and contains some URL categories.

Gateway is configured for HTTPS inspection and running on R77.30. But I'm not sure about SNI, where can I check if SNI enabled?

1.PNG2.PNG3.PNG

0 Kudos