Application control matches only Web Browsing

Pedro_Espindola · ‎2017-07-31

Hello everyone,

I've done a migration from R80 to R80.10 and now I only see "Web Browsing" application in App Control logs:

All access is caught by URL filtering, but only the blocks match to their specific rules. A rule which allows facebook gets no hits, yet all facebook traffic matches the clean up any - any - any - allow:

Here is an example of app control log:

The gateway is an SMB 1470 appliance running R77.20.60.

There are separate layers for Network and Application rules as required for R77. All logging is set to extended.

Is this a gateway limitation or a configuration issue?

aner_sagi · ‎2017-07-31

HTTPS inspection enabled ?

Pedro_Espindola · ‎2017-08-01

Yes! But I get the same result for inspected and bypassed traffic.

The policy in R80.10 is the same as it was in R80, when it worked fine.

Federico_Meine1 · ‎2017-07-31

Totally agree with Aner.

I had a similar issue in the past with anonymizers, we could identify Tor traffic but couldn't apply any policies to it without HTTPS inspection.

Pedro_Espindola · ‎2017-08-01

So you solved the issue by enabling HTTPS inspection?

Federico_Meine1 · ‎2017-08-01

I didn't had the experience with Facebook/Twitter, by enabling HTTPS we could block Tor traffic via AppControl/URL Filtering. Try it in a lab enviroment first.

Also keep in mind that HTTPS Inspection is highly resource demanding in the gateway side. If you have your network segmented is best to implement it by phases by adding exceptions and see the impact in CPU/Memory.

Pedro_Espindola · ‎2017-08-01

HTTPS is already enabled and blocking https malware, I tested it. I tried disabling it and got the exact same result. It is back on.

It has been enabled and working beautifully with central management since R77.30 + Addon and then R80.

I've noticed some differences when upgrading to R80.10.

In R80, when some scope (network or host) was not explicitly defined for inspection or bypass in the https inspection rulebase it was NOT inspected.
After upgrading to R80.10, I had to explicitly set the bypass for those networks or they would be inspected.

I have not found documentation that explains the differences.

Most of the network IS inspected, including the machine I am using to test, obviously.

CPU/Memory is not an issue. The number of users and throughput is much lower than supported by the appliance. Memory is usually at 40% at most. CPU is usually at 10%.

PhoneBoy · ‎2017-08-01

Make sure you have logging configured as described in this thread: https://community.checkpoint.com/message/6785-rules-with-any-applicationservice-not-logging-applicat...‌

Pedro_Espindola · ‎2017-08-02

Thank you for your reply, Dameon. I was the one that asked that other question. The logging mode is set for extended. In that one the issue was a R80.10 gateway. Now it is a preR80 1470, which doesn't have multiple logging modes.

The problem here is a little different, it is not just the logs, it seems. Application Control is not matching the applications correctly and all allowed traffic is processed at the Clean Up. URL filtering is correctly matching most of the blocked sites at the correct rule, except for "High Risk Applications", which are being allowed as "Web browsing". Look at the screenshot below. Facebook traffic doesn't match this rule and is allowed at the last rule.

Maybe this question should be moved to another category.

PhoneBoy · ‎2017-08-02

Can you post a screenshot of the rule that it should match?

Also if you haven't already, I would start a case with the Check Point TAC.

Pedro_Espindola · ‎2017-08-03

Turns out, the good old REBOOT solved the problem...

Unfortunately we won't know what caused it.

Thank you all for the help, guys.

Are you a member of CheckMates?

Application control matches only Web Browsing