
Incorrect categorization of URL filtering when using Google Chrome

Hello and good morning

I have some problems with an SMB 1490.

I don't know if anyone has had the same problem or if it's a limitation of the SMB 1400.

When clients use the Google Chrome web browser, some web pages can't be categorized correctly by Check Point.

chrome.block.png

Yes, I have a rule that blocks all traffic that cannot be classified, but the problem is the incorrect categorization.

Note: this happens on all SMB appliances (1400).

On the other hand, when the client uses Firefox on the same pages, they are correctly categorized. After this, if the client uses Google Chrome again, the page is then correctly categorized by Check Point.

 

firefox.png

 

logssmart.png

categorizacion.png


Things to take into account:

1.- I don't have HTTPS inspection activated (resource problems).
  But I understand that it complies with Categorize HTTPS Websites via Certificate Checking.
2.- The session is performed with TLS 1.2 on the clients.
3.- The SNI and the CN have the same name as the domain of the web page.

 

TLS.SNI.png

 

CN.png

4.- Google Chrome and Firefox are updated (I also tried old versions, with the same result).
5.- The SMB is centrally administered.

6.- The management and the SMB are updated.

SMB 1400 R77.20.87 (990173004).   Management R80.30 JH take 191

7.- The trusted CA list and blacklist are updated.

Please, does anyone have any clue or know what could be happening, or whether it is a limitation of the SMB?

Thanks for the help.

0 Kudos
9 Replies
Admin

Are you blocking QUIC?

Just to note: we do not look at SNI at all on that SMB code release.
That capability was only added to R80.20.05, which is not available for the 1490 (but is on the newer 1500 series).
However, when I went to that site, the CN of the certificate looks correct, so we should see it.
Participant

Hello, and thank you for the help, PhoneBoy.

Are you blocking QUIC?

Yes, the QUIC protocol is blocked by the firewall, and I tried to block it in the client too, but with the same results.

 

QUIC.png

 

 

0 Kudos

Try to set in SmartConsole, Manage & Settings -> Blades -> APPCL & URLF -> CheckPoint online web service -> Web categorization mode to "Hold" and see if that makes any difference in observed behavior.

0 Kudos
Participant

Mm, yes, right now the web categorization mode is set to hold, but the problem persists. Thank you for the help, HristoGrigorov (you can see it in the 4th photo).
0 Kudos

URL categorization is made in CheckPoint Cloud, not on the device itself. I think if for some reason it fails to do that, it will treat it as uncategorized.

0 Kudos
Participant

Yes, but when the client uses Firefox as a browser, it seems that Check Point can correctly categorize it.
So it is a bit strange that with Firefox, Check Point can categorize it.
0 Kudos

Agree. It is worth involving TAC here. 

0 Kudos
Participant

Yes, the TAC is involved, but at the moment it couldn't be determined what it could be, so I opened this case in the community to find out if anyone may have had the same problem.
Any help is appreciated.
0 Kudos

Maybe sniff the traffic between Firefox and SMB and then between Chrome and SMB and compare it. Pay special attention to HTTP headers and what the browser sends as the requested URL.
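
One way to carry out the capture comparison suggested in the last reply, as an added example that is not part of the original thread: with HTTPS inspection off, the fields readable in a capture are those of the TLS handshake, so this Python code parses a ClientHello record and reports which of SNI, ALPN and the extension list differ between two browsers. The `build_hello` helper, the host name `www.example.com` and both sample records are constructed for illustration; real input would be the ClientHello record bytes exported from each capture.

```python
import struct

def parse_client_hello(rec: bytes) -> dict:
    """Extract SNI, ALPN and extension types from one TLS ClientHello record."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]                         # session_id
    pos += 2 + struct.unpack_from("!H", rec, pos)[0]   # cipher_suites
    pos += 1 + rec[pos]                         # compression_methods
    end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
    pos += 2
    info = {"sni": None, "alpn": [], "extensions": []}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
        body = rec[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        info["extensions"].append(ext_type)
        if ext_type == 0 and ext_len >= 5:      # server_name: list_len, type, name_len, name
            info["sni"] = body[5:5 + struct.unpack_from("!H", body, 3)[0]].decode("ascii")
        elif ext_type == 16:                    # ALPN: list_len, then length-prefixed names
            i = 2
            while i < len(body):
                info["alpn"].append(body[i + 1:i + 1 + body[i]].decode("ascii"))
                i += 1 + body[i]
    return info

def diff_hellos(a: dict, b: dict) -> dict:
    """Return only the fields whose values differ between two parsed hellos."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def build_hello(host: str, alpn: list, extra_exts=()) -> bytes:
    """Build a minimal ClientHello record as constructed sample input (not a real capture)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    exts = struct.pack("!HH", 0, len(sni)) + sni
    exts += struct.pack("!HHH", 16, len(protos) + 2, len(protos)) + protos
    for ext_type in extra_exts:                 # empty-bodied extensions
        exts += struct.pack("!HH", ext_type, 0)
    # version, random, empty session_id, one cipher suite, null compression, extensions
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples standing in for the hello exported from each browser's capture.
HELLO_A = build_hello("www.example.com", ["h2", "http/1.1"], extra_exts=(23,))
HELLO_B = build_hello("www.example.com", ["h2", "http/1.1"])
```

Calling `diff_hellos(parse_client_hello(HELLO_A), parse_client_hello(HELLO_B))` returns only the fields that differ, which for the two constructed samples is the extension list.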