Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Employee+
Employee+

Understanding url filtering app control on https sites...

Jump to solution

Trying to understand some behavior:  we have an access control rule that blocks uncategorized sites.  Below site is visited and access to it is blocked as uncategorized, it is an https site and yet is categorized as business/economy.   The destination is visible via the logs as seen below, yet eventhough the destination is recognized, URL filtering still says it is uncategorized.  I'm assuming this is because it is https and the IP address only is scrutinized but just wanted to understand why, if the destination is visible, it isn't categorized as such.

 

second.JPGfirst flag.JPG

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Employee+
Employee+

Hi Troy,

In your example below the domain you see in the log is by reverse lookup of the destination IP. It is not used for URL categorization.

For SSL traffic SNI (R80.30 and higher)/Certificate CN is used for URL categorization (in case HTTPS Categorization is enabled and SSL inspection is disabled).

We have tested this in our labs and traffic to oati.com is categorized as Buisness/Economy.

I suggest you retest it. If still an issue please open a ticket to support.

*The only scenario I can think of where we will not categorize according to SNI/CN is when certificate is invalid (or SNI is not part of certificate SAN).

Thanks,

Tal

 

View solution in original post

0 Kudos
6 Replies
Highlighted
Iron
checkpoint may not categorized some encrypted HTTPS traffic ... try to tick this In Application & Url Filtering Settings under Url Filtering -> Categorize HTTPS websites. else I think you need to enable HTTPS inspection for outbound,,
0 Kudos
Highlighted
Employee+
Employee+

Thanks, I do have the categorize https sites check box enabled.  Just wondering why the destination URL is identified in the logs, the site is categorized by CHKPT, yet it is still marked 'uncategorized'.

0 Kudos
Highlighted
Iron

For me the last resort would be activating HTTPS inspection for Outbound. 

HTTPS traffic was encrypted and  Checkpoint was unable to categorized the sites because of it .

If https inspection is active with URL and App blade, I am sure it will have an effect on URL categorization. . 

 

0 Kudos
Highlighted
Admin
Admin
Did you check that the gateway can reach the Check Point cloud?
sk83520 and/or https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/sk83520-how-to-check-connectivity...
0 Kudos
Highlighted
Employee+
Employee+

Hi Troy,

In your example below the domain you see in the log is by reverse lookup of the destination IP. It is not used for URL categorization.

For SSL traffic SNI (R80.30 and higher)/Certificate CN is used for URL categorization (in case HTTPS Categorization is enabled and SSL inspection is disabled).

We have tested this in our labs and traffic to oati.com is categorized as Buisness/Economy.

I suggest you retest it. If still an issue please open a ticket to support.

*The only scenario I can think of where we will not categorize according to SNI/CN is when certificate is invalid (or SNI is not part of certificate SAN).

Thanks,

Tal

 

View solution in original post

0 Kudos
Employee+
Employee+

Note:  it was explained to me that the www.ciso.oati.com that shows up in the destination field is the result of a rdns query and we don't base categorization off that naturally, hence the 'uncategorized' categorization from URLF/App Control

0 Kudos