
Are custom sites (url) supposed to work with "Categorize HTTPS websites"?

As full HTTPS inspection was introducing too many issues for us, we decided to go with "Categorize HTTPS websites" setting enabled in Application Inspection settings.

However, we would still like to match custom URLs for the http and https services by using "Custom site" objects in the policy.

We did some tests and the results are not very consistent; we see the following behavior:

- works correctly, policy matches, https traffic is allowed

- works only on the second https access to the same site, the first one is blocked (no match)

- not working at all because the https site is using a certificate signed by their own CA (e.g. RedHat subscription network)

So we ended up using domain objects, although I would have preferred custom URLs because of the possible wildcard/regex.

So my questions would be:

  • As for https, the URL will not be available from the TCP stream without full HTTPS inspection; will the Gateway do a match against the website's certificate CN? Is it supposed to work this way?
  • Is it also supposed to work with wildcard certificates, e.g. a certificate with CN "*.domain.com"?
  • What can be done if the https site in question is using a certificate signed by its own CA? Is there a way to import a trusted CA not only for full HTTPS inspection, but also for this kind of certificate inspection?

Re: Are custom sites (url) supposed to work with "Categorize HTTPS websites"?

Hi, reply to myself:

I found this interesting post, pointing out some of the issues I've also found:

URL filtering without HTTPs inspection 

I would really like to see the subjectAltName property implemented in URL filtering!

Re: Are custom sites (url) supposed to work with "Categorize HTTPS websites"?

Hi,

We created an HF supporting SNI with 'categorize https sites' on top of the R80.10 GW version.

Please contact me directly if this interests you (meitalna@checkpoint.com).

Thanks,

Meital

Re: Are custom sites (url) supposed to work with "Categorize HTTPS websites"?

Hello, do you need any special configuration for that HF to work?

Re: Are custom sites (url) supposed to work with "Categorize HTTPS websites"?

Hi,

The HF exists on top of R80.10 JHF T70.

Please contact me directly if you want to install it.

meitalna@checkpoint.com

Thanks,

Meital


Re: Are custom sites (url) supposed to work with "Categorize HTTPS websites"?

Hi,

In categorize https sites we use the DN from the certificate in order to match the traffic.

It should also work with custom URLs and wildcards.

If the 'first connection' is not behaving like the next connections, check your categorization mode settings - you might want to change from background to hold.

We are not doing certificate inspection, but we are planning to support SNI categorization (we already have an HF on top of R80.10 that supports SNI).

If this might help you please contact me directly - meitalna@checkpoint.com.

Thanks,

Meital

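To make the difference between the three matching sources discussed in this thread concrete (certificate DN only, DN plus subjectAltName, and SNI from the ClientHello), here is an added Python model; it is not Check Point code and does not claim to reproduce the gateway's actual matching rules. The observations, hostnames and the one-label wildcard rule are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model: what a gateway can see for one HTTPS connection when
# full HTTPS inspection is off. Only the TLS ClientHello (SNI) and the server
# certificate (subject CN, subjectAltName) are visible; the URL path is not,
# so a "custom site" can only ever be matched on a hostname.
@dataclass
class TlsObservation:
    sni: Optional[str]          # ClientHello server_name, may be absent
    cert_cn: str                # subject DN commonName of the server cert
    cert_sans: List[str] = field(default_factory=list)  # SAN dNSName entries

def name_matches(pattern: str, name: str) -> bool:
    """Hostname match where '*' stands for exactly one DNS label (assumed rule)."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    return len(p) == len(n) and all(a == "*" or a == b for a, b in zip(p, n))

def custom_site_matches(pattern: str, obs: TlsObservation, mode: str) -> bool:
    """mode: 'cn' (DN only, as described in the reply), 'san' (DN + SAN), 'sni'."""
    if mode == "sni":
        return obs.sni is not None and name_matches(pattern, obs.sni)
    names = [obs.cert_cn] + (obs.cert_sans if mode == "san" else [])
    return any(name_matches(pattern, n) for n in names)

def demo() -> Dict[str, Dict[str, bool]]:
    # Constructed cases: (custom-site pattern, what the gateway observed).
    cases = {
        # plain site: the CN equals the hostname the client asked for
        "cn_equals_host": ("www.example.com",
            TlsObservation("www.example.com", "www.example.com")),
        # host appears only in subjectAltName; the CN names a shared CDN cert
        "host_only_in_san": ("shop.example.com",
            TlsObservation("shop.example.com", "edge.cdn-provider.example",
                           ["edge.cdn-provider.example", "shop.example.com"])),
        # wildcard certificate with a specific custom site: the DN alone
        # cannot say which host under *.domain.com was requested
        "wildcard_cert": ("internal.domain.com",
            TlsObservation("internal.domain.com", "*.domain.com")),
        # wildcard certificate with a wildcard custom site: DN match suffices
        "wildcard_pattern": ("*.domain.com",
            TlsObservation("app.domain.com", "*.domain.com")),
    }
    return {name: {m: custom_site_matches(pat, obs, m) for m in ("cn", "san", "sni")}
            for name, (pat, obs) in cases.items()}

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

The second and third cases are the ones this thread is about: a host that lives only in a SAN is invisible to a DN-only match, and a wildcard certificate makes a DN-only match too coarse to separate hosts, which is what SNI-based categorization resolves.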