Zee
Contributor

URL Filtering Issue via VPN

Hi, 
I was testing Web/URL Filtering on a test firewall, but the response is very random in terms of websites getting blocked. I am not using HTTPS Inspection for now, as I wanted to make a use case without enabling HTTPS Inspection; if it can get the job done, it will save a lot of hassle. Currently, I am testing in a setup where my test machine is connected to the production firewall and traffic is routed via VPN to my test firewall, where I am currently testing. I have used almost all the regex syntax that I could find and I can see dropped packets, but the website still gives a random response, i.e. it gets blocked but it also works randomly. This is the session which is accepting the traffic with the Akamai destination, but the test website shows some blocked sessions. Let me know if I can find a related issue resolution before further troubleshooting, as I am new to Check Point and still exploring. I think VPN decryption is overriding the HTTPS Inspection behavior, but I am a bit confused about the solution.
One side note: if I use pre-configured Check Point applications like Facebook, I don't see this issue, but when I block some HTTPS website, for example nayatel.com or yahoo.com, I see these VPN-decrypted packets in the logs and yahoo is not blocked, ignoring the configured rule for it. My test firewall is R81.10 Jumbo Hotfix Take 130, as it was not being used previously for testing. I am basically confused about the attached packet and want advice on whether this is what is causing the issue or whether it could be something else. Thank you.

0 Kudos
18 Replies
Chris_Atkinson
Employee

I would upgrade to at least JHF T150 to conduct any meaningful testing, please refer:

https://support.checkpoint.com/results/sk/sk182318

CCSM R77/R80/ELITE
0 Kudos
Zee
Contributor

Yes, I am going to upgrade it to T174 today and will test again, but I just wanted to ask in the meantime if it's a known issue or not.

0 Kudos
Zee
Contributor

Apparently, the upgrade has resolved the issue, but I will test it for some time. I would still love to know the root cause of this for my own learning, if possible. Moreover, is there any way to show a block page without enabling HTTPS Inspection? I am thinking of a substitute for Cisco Umbrella DNS security, so I am asking this in that context. Thank you.

https://community.checkpoint.com/t5/General-Topics/Check-Point-vs-Cisco-Umbrella/m-p/250374#M41852

Timothy_Hall
Legend

"Categorize HTTPS Sites" has very limited capabilities in lieu of full HTTPS Inspection. Filtering may not always be accurate, as all it has to work with is the SNI prior to encryption. There are many ways around this, which explains why randomly some sites are blocked and others aren't, and unless you turn on full HTTPS Inspection, UserChecks simply cannot work, as the browser will block them as a downgrade redirection attack from HTTPS to HTTP. This is proper behavior by the browser, and a classic attack vector, even though we "the good guys" are trying to display a UserCheck.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
0 Kudos
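To make the limitation Timothy describes concrete, here is an added example (not code from this thread or from Check Point) that parses the Server Name Indication out of a TLS ClientHello, which is the only plaintext a categorizer has before the session is encrypted, and applies a domain block list to it. The ClientHello bytes are constructed in the block rather than captured; the block list reuses the two test sites named in the thread; and `fail_closed` is a hypothetical policy switch showing the decision a filter is forced into when a hello carries no SNI at all.

```python
"""Parse the SNI out of a TLS ClientHello and apply a domain block list.

Added example, not code from the thread or from Check Point. It shows the only
signal an SNI-based categorizer has before the session is encrypted, and how a
hello without SNI forces a fail-open / fail-closed policy decision.
"""
import struct
from typing import Optional, Tuple

# Test sites named in the thread; everything else here is constructed.
BLOCKED_DOMAINS = {"yahoo.com", "nayatel.com"}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal, well-formed TLS 1.2 ClientHello record (test input,
    not a capture). With server_name=None the SNI extension is omitted."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                    # client_version TLS 1.2
        + b"\x11" * 32                 # random (fixed bytes for the example)
        + b"\x00"                      # session_id length 0
        + b"\x00\x02\x13\x01"          # one cipher suite
        + b"\x01\x00"                  # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if it is absent,
    the record is not a ClientHello, or the bytes are truncated."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # version + random
    try:
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                if len(edata) < 5 + name_len:
                    return None
                return edata[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def host_in_domain(host: str, domain: str) -> bool:
    """Exact or subdomain match; 'notyahoo.com' must not match 'yahoo.com'."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def sni_verdict(record: bytes, blocked=BLOCKED_DOMAINS,
                fail_closed: bool = False) -> Tuple[str, str]:
    """Decide 'block'/'allow' from the SNI alone. fail_closed is a hypothetical
    policy switch for hellos that carry no SNI (the categorizer's blind spot)."""
    sni = extract_sni(record)
    if sni is None:
        return ("block" if fail_closed else "allow", "no SNI visible")
    for domain in blocked:
        if host_in_domain(sni, domain):
            return "block", f"SNI {sni} matches {domain}"
    return "allow", f"SNI {sni} not on block list"


if __name__ == "__main__":
    for name in ("www.yahoo.com", "mail.nayatel.com", "notyahoo.com", None):
        print(name, "->", sni_verdict(build_client_hello(name)))
```

The last loop iteration is the interesting one: a hello with no SNI gives the filter nothing to match, so it either passes the session (the default here) or blocks everything it cannot classify. Neither outcome produces a block page, which is the separate problem the thread goes on to discuss.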
Zee
Contributor

Acknowledged. Can you direct me to some benchmark or trade-off regarding the CPU/RAM/memory comparison if I enable HTTPS Inspection? I am not sure how much it will impact the firewall performance in terms of that.

0 Kudos
the_rock
Legend

I don't believe there is any way to show a block page without SSL inspection on. If you think about it, in simple terms, without inspection enabled there is nothing for the firewall to intercept, if you will, so all users would see is a message "page can't be displayed" or the page is reset, something along those lines.

Andy

0 Kudos
Zee
Contributor

Yes, I understand. It's just that this is what I have to work around somehow, as I have to enable HTTPS Inspection and install the certificate on every client; Cisco is currently doing that, and its Cisco Secure Client is already across the whole environment.

0 Kudos
the_rock
Legend

If you enable https inspection, then it will work as intended, 100%.

Andy

0 Kudos
Zee
Contributor

Ack, but the hindrance is the installation of the certificate on all clients. 🙂

But I agree with you.

0 Kudos
the_rock
Legend

I get it. I would say GPO is probably the answer to that 🙂

Andy

0 Kudos
Zee
Contributor

I do not have a lot of expertise on that; I would probably have to bring the other guys and management into the loop 😛

0 Kudos
the_rock
Legend

Fair enough 🙂

See if the post I made about this last year helps. Maybe you can test this on a few machines and see if it works.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139

0 Kudos
(1)
Zee
Contributor

Such a great read. Thanks 🙂

0 Kudos
the_rock
Legend

Hope it helps.

0 Kudos
the_rock
Legend

Btw, if you need me to test anything, I'm happy to do it. Working on Harmony SASE stuff today, but I can definitely check this, not an issue. I have fully working R81.20 and R82 SSL inspection labs running.

Andy

0 Kudos
(1)
Zee
Contributor

That is great. I would definitely ping you if I need your help. Thank you so much :). But yes, if you can guide me about the performance comparison with and without HTTPS Inspection, that would be great, because what I have observed and read is that Check Point can do almost everything Cisco Umbrella is doing (except DNS server) in terms of security; the only hindrance in making up my mind for further testing and proceeding with it is the performance factor in terms of load and certificates.

0 Kudos
PhoneBoy
Admin

Are you also EXPLICITLY blocking QUIC traffic?
Web browsers use this by default where the server supports it and we cannot perform web filtering on it until R82.
Also, the reports from customers suggest R82 is better at identifying sites without HTTPS Inspection than prior releases.

0 Kudos
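PhoneBoy's point is that a browser which negotiates QUIC never sends the TCP ClientHello an SNI-based filter keys on, so those sessions go unfiltered unless UDP/443 is explicitly blocked. The following is an added example (not code from this thread or from Check Point) that recognises QUIC long-header packets by their version-independent header layout and flags UDP/443 flows carrying them in a small, constructed flow sample, so an operator can check whether such traffic is reaching the gateway at all. The flow records and datagram bytes are constructed; the field names are this example's own.

```python
"""Spot QUIC long-header packets on UDP/443 in a flow sample.

Added example, not code from the thread or from Check Point. A web filter that
works from the TLS ClientHello SNI never sees QUIC's handshake, which rides in
UDP under packet protection, so QUIC flows should be reported (or explicitly
blocked) rather than assumed to be filtered. All datagrams below are constructed.
"""
from typing import Dict, List, Optional

QUIC_V1 = 0x00000001
LONG_PACKET_TYPES = {0: "initial", 1: "0rtt", 2: "handshake", 3: "retry"}


def parse_quic_long_header(payload: bytes) -> Optional[Dict]:
    """Parse the version-independent part of a QUIC long header (RFC 8999 layout):
    first byte, version, DCID, SCID. Returns None for short-header packets (which
    need connection tracking from the Initial to attribute) or non-QUIC bytes."""
    if len(payload) < 7 or not (payload[0] & 0x80):
        return None
    version = int.from_bytes(payload[1:5], "big")
    pos = 5
    dcid_len = payload[pos]
    pos += 1
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    if len(dcid) != dcid_len or pos >= len(payload):
        return None
    scid_len = payload[pos]
    pos += 1
    scid = payload[pos:pos + scid_len]
    if len(scid) != scid_len:
        return None
    if version == 0:
        ptype = "version_negotiation"
    elif version == QUIC_V1 and (payload[0] & 0x40):      # v1 requires the fixed bit
        ptype = LONG_PACKET_TYPES[(payload[0] >> 4) & 0x03]
    else:
        ptype = "unknown_version"
    return {"version": version, "type": ptype, "dcid": dcid.hex(), "scid": scid.hex()}


def build_quic_initial(dcid: bytes) -> bytes:
    """Construct the start of a QUIC v1 Initial datagram: header plus filler bytes
    (a real Initial is padded to at least 1200 bytes and carries the encrypted hello)."""
    return (b"\xc0" + QUIC_V1.to_bytes(4, "big") + bytes([len(dcid)]) + dcid
            + b"\x00" + b"\x00" * 16)


def unfiltered_quic_flows(flows: List[Dict]) -> List[Dict]:
    """Return the flow records (proto, dport, payload) that are QUIC long-header
    packets on UDP/443, annotated with the parsed header."""
    found = []
    for flow in flows:
        if flow["proto"] != "udp" or flow["dport"] != 443:
            continue
        header = parse_quic_long_header(flow["payload"])
        if header is not None:
            found.append({**flow, "quic": header})
    return found


# Constructed flow sample: one TCP TLS record, one QUIC Initial, one short-header
# UDP/443 datagram, one DNS query.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "proto": "tcp", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"},
    {"src": "10.0.0.5", "proto": "udp", "dport": 443,
     "payload": build_quic_initial(b"\xaa" * 8)},
    {"src": "10.0.0.6", "proto": "udp", "dport": 443,
     "payload": b"\x4a" + b"\x00" * 20},
    {"src": "10.0.0.7", "proto": "udp", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00"},
]


if __name__ == "__main__":
    for flow in unfiltered_quic_flows(SAMPLE_FLOWS):
        print(flow["src"], flow["quic"])
```

Only the second record is reported: the TCP record is what the SNI filter does inspect, the short-header datagram cannot be attributed without having seen its Initial, and the DNS query is not on 443. A gateway that drops UDP/443 (as PhoneBoy suggests) makes browsers fall back to TCP, where the ClientHello and its SNI are visible again.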
Zee
Contributor

Hi, no, I did not block QUIC traffic explicitly, but after the JHF upgrade it somehow fixed it for now. I just wanted to learn, for my own understanding, why it was happening and why there were attached sessions.

0 Kudos