charcris
Participant

Incorrect categorization of URL filtering when using Google Chrome

Hello and good morning

I have some problems with the SMB 1490.

I don't know if anyone has had the same problem or if it's a limitation of the SMB 1400.

When clients use the Google Chrome web browser for some web pages, Check Point can't categorize them correctly.

chrome.block.png

Yes, I have a rule that blocks all traffic that cannot be classified, but the problem is the incorrect categorization.

Note: this happens on all SMB appliances (1400).

On the other hand, when the client uses the Firefox browser on the same pages, they are correctly categorized. After this, if the client uses the Google Chrome browser again, the page is already correctly categorized by Check Point.

 

firefox.png

 

logssmart.png

categorizacion.png


Things to take into account:

1.- I don't have HTTPS inspection activated (resource problems).
  But I understand that it complies with Categorize HTTPS Websites via Certificate Checking.
2.- The session is performed with TLS 1.2 on the clients.
3.- The SNI and the CN have the same name as the domain of the web page.

 

TLS.SNI.png

 

CN.png

4.- Google Chrome and Firefox are updated (I also tried old versions, with the same result).
5.- The SMB is centrally administered.

6.- The management and the SMB are updated.

SMB 1400 R77.20.87 (990173004).   Management R80.30 JH take 191

7.- Trusted CA and blacklist are updated.

Please, does anyone have any clue or know what could be happening, or whether it is a limitation of the SMB?

Thanks for the help.

0 Kudos
13 Replies
PhoneBoy
Admin

Are you blocking QUIC?

Just to note: we do not look at SNI at all on that SMB code release.
That capability was only added to R80.20.05, which is not available for the 1490 (but is on the newer 1500 series).
However, when I went to that site, the CN of the certificate looks correct, so we should see it.
charcris
Participant

Hello, and ty for the help, PhoneBoy.

Are you blocking QUIC?

Yes, the QUIC protocol is blocked by the firewall, and I tried to block it on the client too, but with the same results.

 

QUIC.png

 

 

0 Kudos
HristoGrigorov

Try to set in SmartConsole, Manage & Settings -> Blades -> APPCL & URLF -> CheckPoint online web service -> Web categorization mode to "Hold" and see if that makes any difference in observed behavior.

0 Kudos
charcris
Participant

Mm, yes, right now the web categorization mode is set to hold, but the problem persists. Ty for the help, HristoGrigorov (you can see it in the 4th photo).
0 Kudos
HristoGrigorov

URL categorization is done in the CheckPoint Cloud, not on the device itself. I think if for some reason it fails to do that, it will treat it as uncategorized.

0 Kudos
charcris
Participant

Yes, but when the client uses Firefox as a browser, it seems that Check Point can correctly categorize it.
So it is a bit strange that with Firefox, Check Point can categorize it.
0 Kudos
HristoGrigorov

Agree. It is worth involving TAC here. 

0 Kudos
charcris
Participant

Yes, the TAC is involved, but at the moment it couldn't be determined what it could be, so I opened this case in the community to find out if anyone may have had the same problem.
Any help is appreciated.
0 Kudos
HristoGrigorov

Maybe sniff the traffic between Firefox and the SMB and then between Chrome and the SMB and compare it. Pay special attention to the HTTP headers and what the browser sends as the requested URL.
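
For HTTPS sessions without inspection, the part of such a capture that can be compared in clear text is the TLS ClientHello. The following is an added example, not code from the thread or from Check Point: it extracts the SNI and the offered TLS versions from a raw ClientHello record and reports the fields that differ between two browsers. The helper `build_client_hello`, the hostname and both sample hellos are constructed for the demo; real input would be the record bytes exported from each capture.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Extract SNI and offered TLS versions from one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) < 5 + rec_len:
        raise ValueError("ClientHello is split across segments; reassemble first")
    body = record[9:5 + rec_len]                  # after record + handshake headers
    info = {"legacy_version": body[0:2].hex(), "sni": None, "supported_versions": []}
    pos = 2 + 32                                  # skip legacy version and random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                          # compression methods
    if pos >= len(body):
        return info                               # hello without extensions
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(data) >= 5:      # server_name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == 43 and data:             # supported_versions
            info["supported_versions"] = [data[i:i + 2].hex() for i in range(1, 1 + data[0], 2)]
        pos += 4 + ext_len
    return info

def build_client_hello(host: str, versions: list) -> bytes:
    """Hypothetical helper: build a minimal constructed ClientHello (not a capture)."""
    name = host.encode()
    sni = struct.pack("!BH", 0, len(name)) + name
    sni = struct.pack("!H", len(sni)) + sni
    exts = struct.pack("!HH", 0, len(sni)) + sni
    if versions:
        sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", 43, len(sv)) + sv
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x00\x2f"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def diff_hellos(a: dict, b: dict) -> dict:
    # Keep only the fields whose values differ between the two parsed hellos.
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed samples: same SNI, one hello also offers TLS 1.3 (0304), one does not.
SAMPLE_A = parse_client_hello(build_client_hello("www.example.com", [0x0304, 0x0303]))
SAMPLE_B = parse_client_hello(build_client_hello("www.example.com", []))
```

`diff_hellos(SAMPLE_A, SAMPLE_B)` returns only the `supported_versions` entry here, since the SNI and legacy version are identical in both constructed hellos.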

mconlogue
Explorer

Any progress with this? We are seeing the same thing.

0 Kudos
George_Casper
Contributor

We're running into the same thing with several sites (running on 15400 appliances, R80.40), which started up a few days ago; we do block uncategorized sites. I haven't had time to sift through the logs on all the sites, but several of them appear to be hosted on AWS. Even the www.amazon.com shopping site, which we permit, gets blocked when it reaches the uncategorized AWS hosts.

Wonder if AWS added a new IP subnet that Checkpoint hasn't categorized yet?

 

0 Kudos
K_montalvo
Advisor

Hello @charcris

Since when have you been experiencing the issue?

Have you been able to access any of those websites before?

Have you tried to access the website via IP like this: https://185.76.64.164:443

Also, can you try to disable enforce safe search > install policy > clear cookies/cache on the browser or open a private tab, and share the results?

I speak Spanish, if you need anything, my friend!

Thanks!

 

 

Thanks

0 Kudos
israelfds95
Explorer

After many days of research, I found a solution for this without enabling HTTPS Inspection.

- On the Network layer, create a Drop rule for UDP 443 (QUIC).

- On the App Control & URL Filtering layer, create a Drop rule for the desired categories, like Pornography, Sex, Nudity ...

- And the final key for the firewall to correctly drop the sites in these categories for Google Chrome: create a New Override Categorization object and set a risk of High or Critical. After that, the firewall will drop, with more criteria and priority, all sites classified in the categories for which you created a New Override Categorization object. Set one site just to save the object, but the important thing here will be the risk.

From the Objects tab of SmartConsole, select New > More > Custom Application/Site > Override Categorization

Before applying this configuration, a lot of porn sites were opening just on Google Chrome, and for this customer it wasn't possible to enable HTTPS Inspection. With this configuration it was possible to drop everything with just URL Filtering.


New-override-categorization.jpg

0 Kudos
