This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AmitS
Explorer
‎2025-02-20 12:11 AM

Spark 1900 URL & APP filtering issue

Hi Team,

We have a 1900 spark appliance in Cluster version R81.10.10.

Requirement is to have APP & URL Blocking based on the predefined categories (e.g Shopping, FTP, Social, Media etc) with out HTTPS inspection as customer cannot install the certificates on endpoint and/or mobile devices.

We have tested to use HTTPS categorization but its not working as expected, few sites are getting blocked and some are working, hence not achieving the desired solution.

but when HTTPS inspection is configured all is working properly, the categories which are blocked in rule are not working which is desired.

Is there any other way to achieve this???

 

0 Kudos
14 Replies
G_W_Albrecht
Legend Legend
Legend
‎2025-02-20 12:31 AM

I would first install the current version R81.10.15 Build 996003913 and after testing, open SR# with CP TAC to get this resolved.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-20 05:13 AM

Do you have an explicit rule blocking QUIC in your rulebase?
QUIC traffic will not be categorized by HTTPS Categorization.
By blocking QUIC, the client web browsers should fall back to HTTP/1.1, for which traffic can be categorized correctly.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-02-20 05:20 AM
In response to PhoneBoy

Yes, QUIC - but recently with 1600, blocking QUIC on GW did not help, so customer had to disable it for browsers using GPO.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
AmitS
Explorer
‎2025-02-20 07:06 AM
In response to PhoneBoy

Yes, we have explicit rule to block QUIC. Still categorisation is not working.

Any alternate solution?

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-20 08:20 AM
In response to AmitS

HTTPS Categorization uses one two things to categorize websites for HTTP/HTTPS connections (QUIC connections aren't supported for HTTPS Categorization):

  • The DN of the site certificate (which is always unencrypted, but may not reflect the actual site being accessed)
  • The unencrypted SNI of the HTTPS connection. If the SNI is encrypted, there is no way to see the SNI short of full HTTPS Inspection, thus not possible to categorize the connection.

Specific examples of websites that should be being blocked but aren't might be helpful.

0 Kudos
AmitS
Explorer
‎2025-02-20 09:57 AM
In response to PhoneBoy

Categories example such as gambling, Shopping, Media, Youtube.

Amazon.in

flipkart.com

888.com

velonyx.live

and many more

 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-20 11:55 AM
In response to AmitS

To see if the problem is Encrypted SNI, you will have to take a packet capture when the client initiates a connection to this site.
If it's Encrypted SNI, the only solution to that is HTTPS Inspection.
If the SNI is not encrypted and it's not working, then I suggest a TAC case.

0 Kudos
AmitS
Explorer
‎2025-02-20 09:31 PM
In response to PhoneBoy

Hi Team,

Customer is having other Firewall as well such as Palo alto & sonicwall & same thing is working there without SSL/HTTPS inspections..

So here in Checkpoint its not working without Https inspections...

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-21 01:42 PM
In response to AmitS

A TAC case will be necessary to investigate this issue further.

0 Kudos
Amir_Erman
Employee
Employee
‎2025-02-22 04:11 AM
In response to PhoneBoy

To accelerate the analysis - I would try Quantum centrally managed, SPARK centrally managed as well

(For simplicity VM version can be used. It will allow us to pinpoint where the problem is. 

 

 

0 Kudos
AmitS
Explorer
Tuesday
In response to Amir_Erman

We have tried testing with Quantum centrally managed full Gaia in LAB (VM based) & there categorization is working properly, blocking is working as expected based on categories configured in rule.

But the same is not working with 1900 spark appliances with Local Management.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
Tuesday
In response to AmitS

Can you confirm the browsers are configured the same in each test scenario, this site will be useful here:

https://www.cloudflare.com/ssl/encrypted-sni/#results

CCSM R77/R80/ELITE
0 Kudos
AmitS
Explorer
Tuesday
In response to PhoneBoy

TAC is already raised but still not proper solution.

0 Kudos
AmitS
Explorer
Tuesday
In response to PhoneBoy

I had taken captures on Firewall, there was no encrypted SNI.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top