This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
pedkha1
Participant
‎2019-10-18 10:10 AM
Jump to solution

web filtering with https inspection disabled

Hello

I want to do web filtering for my wifi guest users and but it doesent work.

https inspection disabled for the Guest subnet so how can i achieve it without https inspection

I added below rule to WF and still i can see traffic is passing through

 

 
 
 
 
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-10-20 12:48 PM
Jump to solution

Hi @pedkha1,

R80.30/R80.20  with enabled HTTPS interception:

If the https interseption is enabled, the parameter host from http can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. Several protocols uses CPAS, for example: HTTPS, VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.) 

More read here: R80.x Security Gateway Architecture (Content Inspection) 

 

R80.30/R80.20 without enabled HTTPS interception:

If the https interseption is disabled, SNI is used to recognize the virtual URL for application control and url filtering.

More read here: URL Filtering using SNI for HTTPS websites.pdf 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2019-10-18 04:18 PM
Jump to solution

Not sure what happened to the rule you're using.
In any case, please describe what you expect to happen versus what is actually happening.
If the traffic is being accepted when it should be dropped (or vice versa), what rule is it being accepted on instead and what is that rule?
Also what version/JHF level?

In general, if you are doing App Control/URL Filtering without HTTPS Inspection, R80.30 will be a much better choice as we can filter on Verified SNI.
pedkha1
Participant
‎2019-10-19 10:19 AM
In response to PhoneBoy
Jump to solution

Hello

thanks for the answer, we are at sw level r80.20M1 and i expect to be dropped in place of accept.

i simply want to filter harmful sites for a subnet that belong to guest users.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-19 11:06 AM
In response to pedkha1
Jump to solution

The more specifics you can provide about the rule, the sites actually being accessed, etc, the more we can help.

R80.20.M1 is not a gateway release, what about your gateway?
Also, we do not jumbo hotfixes for R80.20.M1 and highly recommend upgrading to R80.30.
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-10-20 12:48 PM
Jump to solution

Hi @pedkha1,

R80.30/R80.20  with enabled HTTPS interception:

If the https interseption is enabled, the parameter host from http can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. Several protocols uses CPAS, for example: HTTPS, VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.) 

More read here: R80.x Security Gateway Architecture (Content Inspection) 

 

R80.30/R80.20 without enabled HTTPS interception:

If the https interseption is disabled, SNI is used to recognize the virtual URL for application control and url filtering.

More read here: URL Filtering using SNI for HTTPS websites.pdf 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
pedkha1
Participant
‎2019-10-21 09:28 AM
In response to HeikoAnkenbrand
Jump to solution

thanks for the email and document.

the reason i didn't upgrade to r80.30 IS because when we upgraded to R80.20 ,we face too many issues and software bugs and i am not sure if R80.30 is stable at this point or not.

so using SNI is the best idea for my question

do you know if R80.30 has the same issues like R80.20 ?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-24 10:18 AM
In response to pedkha1
Jump to solution

R80.30 is the generally recommended release at this point, particularly with the latest recommended JHF.
0 Kudos
pedkha1
Participant
‎2019-10-24 10:20 AM
In response to PhoneBoy
Jump to solution

thanks and great

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events