Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
r1der
Advisor

End users get different website error if it fails to load - Failed to connect to the WWW server

 
 

Hello everyone,

Anyone know where I should I start looking into to resolve this issue?:

When an end-user tries going to a website that is unreachable or takes too long to respond, CheckPoint takes them to a page that says "Error, FW-1 at firewall01: Failed to connect to the WWW server.".

When I go to the same page, it gives me the generic "Can't reach this page" error message. 

I was thinking it would be better if the end users get the "Can't reach this page" message vs. the firewall error message in case they are troubleshooting with a vendor or something.

Thanks,

 

 

0 Kudos
6 Replies
Chris_Atkinson
Employee Employee
Employee

Are you able to share more about your environment, for example is the gateway acting as a proxy for some users and not others?

CCSM R77/R80/ELITE
0 Kudos
r1der
Advisor

Sorry for not providing much details upfront. I wasn't sure what info to provide that might be related to this error.
If I understand correctly, the gateway is acting as proxy for all users.
We do have a Palo Alto firewall in front of our firewall that NATs everything through to our CP firewall.
We have a Smart-210 and (2) 5100 appliance in a cluster.

 

Edit: My previous answer was wrong. This setting is off in case this was the question:

 
 

https.PNG

 

 

0 Kudos
PhoneBoy
Admin
Admin

That looks like a message from the HTTP Security Server; which suggests either a really old version or a legacy configuration of sorts.
What is the precise rule that is accepts the relevant traffic?

0 Kudos
r1der
Advisor

That could be the case. This firewall has been upgraded 2-3x since R77(?). 

The rule that accept this traffic is the General Web rule we have that allows outbound HTTPS

Source: Internal Network Range
Destination: Negated (cluster)
Service/App: http/https

There is also another rule that allows admins access to any service/apps. 

With this rule I reach the generic web error. With the rule above, the end user reaches the "ERROR...failed to connect to the WWW server".

Source: Admin Account
Destination: Any
Service/App: Any

Hope that helps.

 

 

 

0 Kudos
the_rock
Legend
Legend

Do you have anything https inspection related enabled?

Andy

0 Kudos
r1der
Advisor

We have the default rule for inspecting https but it is not enabled.

httpsinsp.PNG

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events