This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Espindola
Advisor
‎2017-07-31 09:34 AM

Application control matches only Web Browsing

Hello everyone,

I've done a migration from R80 to R80.10 and now I only see "Web Browsing" application in App Control logs:

Application control logs

All access is caught by URL filtering, but only the blocks match to their specific rules. A rule which allows facebook gets no hits, yet all facebook traffic matches the clean up any - any - any - allow:

URL filtering logs

Here is an example of app control log:

App Control example

The gateway is an SMB 1470 appliance running R77.20.60.

There are separate layers for Network and Application rules as required for R77. All logging is set to extended.

Is this a gateway limitation or a configuration issue?

0 Kudos
10 Replies
aner_sagi
Contributor
‎2017-07-31 02:04 PM

HTTPS inspection enabled ? 

0 Kudos
Pedro_Espindola
Advisor
‎2017-08-01 06:55 AM
In response to aner_sagi

Yes! But I get the same result for inspected and bypassed traffic.

The policy in R80.10 is the same as it was in R80, when it worked fine.

0 Kudos
Federico_Meine1
Participant
‎2017-07-31 03:26 PM

Totally agree with Aner.

I had a similar issue in the past with anonymizers, we could identify Tor traffic but couldn't apply any policies to it without HTTPS inspection.

0 Kudos
Pedro_Espindola
Advisor
‎2017-08-01 06:58 AM
In response to Federico_Meine1

So you solved the issue by enabling HTTPS inspection?

0 Kudos
Federico_Meine1
Participant
‎2017-08-01 07:37 AM
In response to Pedro_Espindola

I didn't had the experience with Facebook/Twitter, by enabling HTTPS we could block Tor traffic via AppControl/URL Filtering. Try it in a lab enviroment first.

Also keep in mind that HTTPS Inspection is highly resource demanding in the gateway side. If you have your network segmented is best to implement it by phases by adding exceptions and see the impact in CPU/Memory.

Pedro_Espindola
Advisor
‎2017-08-01 08:23 AM
In response to Federico_Meine1

HTTPS is already enabled and blocking https malware, I tested it. I tried disabling it and got the exact same result. It is back on.

It has been enabled and working beautifully with central management since R77.30 + Addon and then R80.

I've noticed some differences when upgrading to R80.10.

  • In R80, when some scope (network or host) was not explicitly defined for inspection or bypass in the https inspection rulebase it was NOT inspected.
  • After upgrading to R80.10, I had to explicitly set the bypass for those networks or they would be inspected.

I have not found documentation that explains the differences.

Most of the network IS inspected, including the machine I am using to test, obviously.

CPU/Memory is not an issue. The number of users and throughput is much lower than supported by the appliance. Memory is usually at 40% at most. CPU is usually at 10%.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-08-01 08:26 PM

Make sure you have logging configured as described in this thread: https://community.checkpoint.com/message/6785-rules-with-any-applicationservice-not-logging-applicat...

Pedro_Espindola
Advisor
‎2017-08-02 06:34 AM
In response to PhoneBoy

Thank you for your reply, Dameon. I was the one that asked that other question. The logging mode is set for extended. In that one the issue was a R80.10 gateway. Now it is a preR80 1470, which doesn't have multiple logging modes.

The problem here is a little different, it is not just the logs, it seems. Application Control is not matching the applications correctly and all allowed traffic is processed at the Clean Up. URL filtering is correctly matching most of the blocked sites at the correct rule, except for "High Risk Applications", which are being allowed as "Web browsing". Look at the screenshot below. Facebook traffic doesn't match this rule and is allowed at the last rule.

Maybe this question should be moved to another category.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-08-02 07:23 AM
In response to Pedro_Espindola

Can you post a screenshot of the rule that it should match?

Also if you haven't already, I would start a case with the Check Point TAC.

0 Kudos
Pedro_Espindola
Advisor
‎2017-08-03 10:52 AM

Turns out, the good old REBOOT solved the problem...

Unfortunately we won't know what caused it.

Thank you all for the help, guys.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events