This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
r1der
Advisor
‎2022-05-25 10:21 AM

End users get different website error if it fails to load - Failed to connect to the WWW server

 
 

Hello everyone,

Anyone know where I should I start looking into to resolve this issue?:

When an end-user tries going to a website that is unreachable or takes too long to respond, CheckPoint takes them to a page that says "Error, FW-1 at firewall01: Failed to connect to the WWW server.".

When I go to the same page, it gives me the generic "Can't reach this page" error message. 

I was thinking it would be better if the end users get the "Can't reach this page" message vs. the firewall error message in case they are troubleshooting with a vendor or something.

Thanks,

 

 

Preview file
4 KB
Preview file
24 KB
0 Kudos
6 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-05-27 03:30 AM

Are you able to share more about your environment, for example is the gateway acting as a proxy for some users and not others?

CCSM R77/R80/ELITE
0 Kudos
r1der
Advisor
‎2022-05-27 03:56 PM
In response to Chris_Atkinson

Sorry for not providing much details upfront. I wasn't sure what info to provide that might be related to this error.
If I understand correctly, the gateway is acting as proxy for all users.
We do have a Palo Alto firewall in front of our firewall that NATs everything through to our CP firewall.
We have a Smart-210 and (2) 5100 appliance in a cluster.

 

Edit: My previous answer was wrong. This setting is off in case this was the question:

 
 

https.PNG

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-05-27 05:36 AM

That looks like a message from the HTTP Security Server; which suggests either a really old version or a legacy configuration of sorts.
What is the precise rule that is accepts the relevant traffic?

0 Kudos
r1der
Advisor
‎2022-05-27 04:05 PM
In response to PhoneBoy

That could be the case. This firewall has been upgraded 2-3x since R77(?). 

The rule that accept this traffic is the General Web rule we have that allows outbound HTTPS

Source: Internal Network Range
Destination: Negated (cluster)
Service/App: http/https

There is also another rule that allows admins access to any service/apps. 

With this rule I reach the generic web error. With the rule above, the end user reaches the "ERROR...failed to connect to the WWW server".

Source: Admin Account
Destination: Any
Service/App: Any

Hope that helps.

 

 

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-05-27 04:47 PM
In response to r1der

Do you have anything https inspection related enabled?

Andy

Best,
Andy
0 Kudos
r1der
Advisor
‎2022-05-31 09:46 AM
In response to the_rock

We have the default rule for inspecting https but it is not enabled.

httpsinsp.PNG

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events