This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
wanartisan
Contributor
‎2025-07-20 06:11 AM

AppControl/URLF - Rules and classification

Hi all,

Scenario: 

  1. Smart-1 Cloud (R82)
  2. Cloudguard Network Security (R81.20) HA (Azure)
  3. Perimeter fw in Hub VNET. 
  4. URLF and AppControl blades enabled
  5. And enabled in the policy
  6. Inline layers configured for web browsing (any traffic; common web ports)
  7. I have enabled categorise HTTPS traffic by SNI 

I have been turning on URLF and AppControl and doing some testing on it. I created a very simple policy using inline layers

  • sub-layer 1: Allow categories Very Low Risk, Low Risk, Medium Risk
  • sub-layer 2: Block categories High Risk, Critical Risk, Unknown Risk
  • sub-layer 3: Clean-up.

We found a High Risk (4) application in the logs but it is being allowed by the sub-layer 1 despite being a High Risk application. 

The application definition says you need to apply HTTPS Inspection but the it is being properly categorised without HTTPS Inspection being applied yet is being caught by sub-layer 1. 

Is this expected behaviour? Any other thoughts on how to resolve this?

I want to keep HTTPS Inspection to a minimum. 

0 Kudos
5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-07-20 07:08 AM

Categorisation set for background or hold?

Are you able to share the example application?

R81.20 Jumbo T65 or higher?

Is QUIC traffic blocked in the environment?

CCSM R77/R80/ELITE
0 Kudos
wanartisan
Contributor
‎2025-07-21 12:42 AM
In response to Chris_Atkinson

Hi Chris,

We're on Take 98 and QUIC is blocked.

I think I have found the reason for the Allow in the Matched Rules part of the log - it is classed as Medium risk. So why is a High risk app matching as Medium?  

I can attached the sub-layers and log output. 

Preview file
18 KB
Preview file
41 KB
Preview file
9 KB
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-07-21 06:18 AM
In response to wanartisan

If the issue is reproducible I would suggest reviewing further with TAC.

Note for awareness Take 99 lists the following:

PRJ-56812 - Application Control - An application may not be matched to an Application Control rule.

CCSM R77/R80/ELITE
wanartisan
Contributor
‎2025-07-21 10:01 AM
In response to Chris_Atkinson

Thanks Chris,

Could be that, I guess. I've scheduled and update to T05. Will report back. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-07-20 11:02 AM

All excellent questions by Chris. Apart from that, can you send the relevant log? Please blur out any sensitive data. I can tell you from my experience, below is what I found works best.

Andy

https://community.checkpoint.com/t5/General-Topics/https-inspection-tip-feedback-suggestion/m-p/2530...

Best,
Andy
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events