Hello everybody.
Users report that, for websites they usually use during the day, from time to time a block appears because the WEB BROWSING category is not allowed, but after a few seconds they are allowed to navigate to the requested site.
Same case for non-allowed sites: it seems like a block because WEB BROWSING is not allowed, and then the block appears for the more specific category to which the site belongs.
I think this is a problem with the URLF cache. I read SK90422 (How to modify URL Filtering cache size?); that document says the cache size is 20,000, but if I run this on my FW...
watch -n 20 fw tab -t urlf_cache_tbl -s
I find the cache size is 2,000, resetting every 70 minutes approximately. So I wish to increase the cache size... but how can I do it?
If you think the issue is caused by another factor, I'm open to recommendations.
Thanks.
SK90422 is not valid for GAiA Embedded, and when you read "The URL Filtering cache limit default value is 20 000, which is usually enough for a Security Gateway holding 1000 users", you will know that this could not be valid for 1490 SMB GWs 😉
So I would suggest contacting TAC!
How many users do you have behind the gateway? I am not sure increasing the table size will solve the problem. 20K is quite a lot already, and there must be other reasons for the table to overflow.
A little-known fact is that URL categorization happens in the CheckPoint Cloud. If that is a slow process (for whatever reason) you may start experiencing what you do: URLs are initially blocked because they cannot be categorized in time. When centrally managed there is a way to configure URL inspection to happen in the background, allowing connections while categorization completes. I don't know if that is possible when the appliance is locally managed.
When the cache is full it shall auto-clear itself. I really don't think the problem is in the cache table itself, and increasing its size will only postpone the problem for some time.
In fact, locally managed SMB appliances have a couple of Advanced Settings to configure URLF (setting /type/default/details):
| Setting | Type | Default | Details |
|---|---|---|---|
| Application Control and URL Filtering - Block when service is unavailable | bool | false | Block web requests traffic when the Check Point categorization and widget definitions online web service is unavailable |
| Application Control and URL Filtering - Categorize cached and translated pages | bool | true | Perform URL categorization of cached pages and translated pages created by search engines |
| Application Control and URL Filtering - Custom App over HTTPS | bool | false | Indicates whether custom URLs and applications will be matched over HTTPS traffic using SNI field. Important note: as SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee 100% match. |
| Application Control and URL Filtering - Encrypt RAD Communication | bool | false | Indicates if the communication with the RAD cloud is encrypted |
| Application Control and URL Filtering - Enforce safe search | bool | false | Force filtering explicit content in search engines results |
| Application Control and URL Filtering - Fail Mode | options | Block all requests | Indicates the action to take on traffic in case of an internal system error or overload |
| Application Control and URL Filtering - Inspect VPN traffic | bool | false | Indicates whether Outgoing Policy Inspects VPN traffic when Application Control is enabled |
| Application Control and URL Filtering - Track browse time | bool | true | Indicates if the total time that users are connected to different sites and applications in an HTTP session will be shown in relevant logs |
| Application Control and URL Filtering - Use HTTP referer header | bool | true | Indicates if the HTTP referer header is used by the inspection engine to improve application identification |
| Application Control and URL Filtering - Web site categorization mode | options | Background | Indicates the categorization mode: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete |
I know some of these settings. By the way, Application Control and URL Filtering - Custom App over HTTPS was useless for dealing with Cloudflare SNI certificates (subject=sni.cloudflaressl.com); however, in the same settings window the comment says that such a setting may or may not work.
How do you deal with SNI certificates? I asked this question here on CheckMates some time ago; the recommendations I received were to upgrade to R80.X (new appliance) or to bypass HTTPS inspection by destination IP address.
I have URL inspection in background. Furthermore, recently I monitored urlf_cache with the command
[Expert@gwradsys]# fw tab -t urlf_cache_tbl -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost urlf_cache_tbl 197 1553 0 0
When VALS reaches 2000, the cache is emptied. But VALS also decreases in some circumstances because of the TTL of the websites registered in that table. So, I wish to enlarge the table to a value that is less likely to reach the VALS limit, or at least reaches it less frequently.
I did contact TAC. Later will share results.
Thanks
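An added monitoring helper, not code from the thread or from Check Point, that parses the `fw tab -t urlf_cache_tbl -s` summary output quoted above and flags when #VALS approaches the 2000-entry limit the poster observed on the 1490; the 80% warning threshold, the "drop by more than half means a flush rather than TTL expiry" heuristic, and the `urlf_cache_poll` wrapper are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of "fw tab -t urlf_cache_tbl -s" output, matching the
# columns quoted in the thread: HOST NAME ID #VALS #PEAK #SLINKS
SAMPLE_OUTPUT='HOST NAME ID #VALS #PEAK #SLINKS
localhost urlf_cache_tbl 197 1553 0 0'

# Cache limit observed by the poster on the 1490 (assumed, not a documented value).
URLF_CACHE_LIMIT=2000

# Print the #VALS column for urlf_cache_tbl from summary output read on stdin.
urlf_cache_vals() {
    awk '$2 == "urlf_cache_tbl" { print $4 }'
}

# Classify fill level against the limit: ok (<80%), warn (>=80%), full (>=limit).
urlf_cache_status() {
    vals="$1"
    limit="${2:-$URLF_CACHE_LIMIT}"
    if [ "$vals" -ge "$limit" ]; then
        echo full
    elif [ $((vals * 100 / limit)) -ge 80 ]; then
        echo warn
    else
        echo ok
    fi
}

# Return success when the table looks flushed between two samples:
# a drop to less than half of the previous value (assumed heuristic; a slow
# decline is attributed to per-entry TTL expiry instead).
urlf_cache_reset_detected() {
    prev="$1"
    cur="$2"
    [ "$prev" -gt 0 ] && [ $((cur * 2)) -lt "$prev" ]
}

# One live poll on a gateway (hypothetical wrapper; requires the fw binary):
# prints "<vals> <status>" and "cache flushed" when a reset is detected.
urlf_cache_poll() {
    prev="${1:-0}"
    cur=$(fw tab -t urlf_cache_tbl -s | urlf_cache_vals)
    echo "$cur $(urlf_cache_status "$cur")"
    urlf_cache_reset_detected "$prev" "$cur" && echo "cache flushed"
    return 0
}
```

Run `urlf_cache_poll` from a loop in expert mode in place of the `watch` command, passing the previous sample as its argument, to log how often the table actually hits the limit versus shrinking through TTL expiry.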