AmitS
Explorer

Spark 1900 URL & APP filtering issue

Hi Team,

We have a 1900 Spark appliance in a cluster, version R81.10.10.

The requirement is to have APP & URL blocking based on the predefined categories (e.g. Shopping, FTP, Social, Media, etc.) without HTTPS inspection, as the customer cannot install the certificates on endpoint and/or mobile devices.

We have tested HTTPS categorization, but it's not working as expected: a few sites are getting blocked and some are working, hence we are not achieving the desired solution.

But when HTTPS inspection is configured, all is working properly; the categories which are blocked in the rule are not working, which is desired.

Is there any other way to achieve this?

 

0 Kudos
8 Replies
G_W_Albrecht
Legend

I would first install the current version R81.10.15 Build 996003913 and after testing, open SR# with CP TAC to get this resolved.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

Do you have an explicit rule blocking QUIC in your rulebase?
QUIC traffic will not be categorized by HTTPS Categorization.
By blocking QUIC, the client web browsers should fall back to HTTP/1.1, for which traffic can be categorized correctly.

0 Kudos
G_W_Albrecht
Legend

Yes, QUIC - but recently with 1600, blocking QUIC on GW did not help, so customer had to disable it for browsers using GPO.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
AmitS
Explorer

Yes, we have an explicit rule to block QUIC. Still, categorisation is not working.

Any alternate solution?

0 Kudos
PhoneBoy
Admin

HTTPS Categorization uses one of two things to categorize websites for HTTP/HTTPS connections (QUIC connections aren't supported for HTTPS Categorization):

  • The DN of the site certificate (which is always unencrypted, but may not reflect the actual site being accessed)
  • The unencrypted SNI of the HTTPS connection. If the SNI is encrypted, there is no way to see the SNI short of full HTTPS Inspection, thus not possible to categorize the connection.

Specific examples of websites that should be being blocked but aren't might be helpful.

0 Kudos
AmitS
Explorer

Example categories such as Gambling, Shopping, Media, YouTube.

Amazon.in

flipkart.com

888.com

velonyx.live

and many more

 

0 Kudos
PhoneBoy
Admin

To see if the problem is Encrypted SNI, you will have to take a packet capture when the client initiates a connection to this site.
If it's Encrypted SNI, the only solution to that is HTTPS Inspection.
If the SNI is not encrypted and it's not working, then I suggest a TAC case.

0 Kudos
AmitS
Explorer

Hi Team,

The customer has other firewalls as well, such as Palo Alto & SonicWall, and the same thing is working there without SSL/HTTPS inspection.

So here in Check Point it's not working without HTTPS inspection...

0 Kudos
