This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jberg712
Collaborator
‎2024-08-14 08:55 AM

Google Searches Odd Behavior

I wanted to reach out to see if anyone has been experiencing similar issues.  We've had several users indicate to us that when they do Google searches and attempt to click on a link, it just hangs and spins.  You can click the address bar and hit enter a couple of times or re-click the link a few times and it finally goes to the link.  I can take the system out from behind the firewall and everything works seamlessly.  I've even put a troubleshooting rule to allow all outbound for myself to test and I still experience the same issue.  Strangely enough, if I use firefox, I don't experience the issue.  It's in Edge and Chrome which led me to believe a recent update occurred to created a problem.  But again, when I take the system out from behind the firewall, everything works fine.  So I don't know if there's a component in Chrome/Edge that CheckPoint is struggling with parsing or what.  Again, even adding a rule that allows all outbound access doesn't change the behavior.  Has anyone else come across this behavior?

0 Kudos
44 Replies
the_rock
Legend
Legend
‎2024-08-14 08:57 AM

Never had that issue myself, even in the lab with ssl inspection on. Do you use ssl inspection? Regardless, when did the issue happen? Is it affecting all users?

Andy

0 Kudos
jberg712
Collaborator
‎2024-08-14 10:07 AM
In response to the_rock

We do use SSL Inspection.  It appears to be affecting all users behind the gateway.  I know some services with Google are inspected and some are not.

0 Kudos
the_rock
Legend
Legend
‎2024-08-14 12:38 PM
In response to jberg712

Is it same behavior no matter what browser they use? I attached a doc with some screenshots of how I have this set up in the lab and works fine.

Andy

 

Preview file
1079 KB
0 Kudos
AdiGH
Employee
Employee
‎2024-08-14 09:05 AM

Are you using Harmony Browse or Harmony Endpoint products? or only the firewall? 

0 Kudos
jberg712
Collaborator
‎2024-08-14 10:09 AM
In response to AdiGH

We are not using Harmony Endpoint or Browse.  It's only Secure Gateway with Firewall, App Cntrl, URL filtering, HTTPS Inspection, along with threat protection like IPS, Antibot, Antivirus.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-15 10:13 AM
In response to jberg712

You posted this issue in a space for Harmony products, which are Endpoint based.
This sounds like a gateway issue, so I'm moving this thread to the correct area.

0 Kudos
Lesley
Authority Authority
Authority
‎2024-08-14 11:06 AM

I think this one is the issue:

https://support.checkpoint.com/results/sk/sk111754

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend
‎2024-08-14 12:29 PM
In response to Lesley

Definitely could be related...

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-15 10:15 AM

Please provide version/JHF of gateway as well as any logs that occur during the time this problem is occuring.
I would explicitly block QUIC in your access policy if you have not already as this is not supported for HTTPS Inspection until R82.

0 Kudos
jberg712
Collaborator
‎2024-08-20 07:17 AM

I actually did some more digging into this.  (We have the QUIC protocol disabled and have for sometime now across the board).  What I noticed is that there is some odd correlation between Chrome/Edge and the HTTP2 protocol.  When I disable HTTP2 by using the flag on the shortcut --disable-http2, traffic to sites works tremendously better.  The logs are indicating when I go to a site like google and do a search, I'm matched properly to the correct rule, however, at some point a Redirect log is generated and the redirect does not match properly and it's being picked up on the a compliance rule.  The best example I have so far of this is a user in marketing department who uses facebook to update our facebook page.  I'll attach the screenshots.

I've dug around and all I can see when it comes to HTTP2 is to disable strict hold on SK116022 along with SK180257 and SK180673.  I'm afraid to disable inspecting of HTTP2 with fear that leads to things being vulnerable during web browsing for the end user.  Disabling strict hold didn't help the situation.  

I have a TAC ticket open about this.  Are there any recommendations/best practices when it comes to HTTP2 protocol?  It's been out for nearly 10 years now so I can't imagine why there would still be issues with it.  Unless Chrome made some update in the latest releases that did something funky with it.  I can't find good info on release notes for Chrome/Edge releases.  I say that because in one scenario I put on Firefox for another user and his works without issue unlike Chrome/Edge.  It's like a perfect mixture of chaos between Chrome, CheckPoint, and HTTP2.

We are currently on R81.20 Take 76

Preview file
120 KB
Preview file
156 KB
Preview file
126 KB
Preview file
159 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-20 08:18 AM
In response to jberg712

We support HTTP/2 for HTTPS Inspection as of R81 (though I believe it requires USFW support).
What hardware is this on?
HTTP/3 will be supported for HTTPS Inspection in R82.

jberg712
Collaborator
‎2024-08-20 08:20 AM
In response to PhoneBoy

It's on a 6600 SGW.  

0 Kudos
jberg712
Collaborator
‎2024-08-20 11:19 AM
In response to PhoneBoy

@PhoneBoy Question regarding USFW and KSFW.  I believe in the past we've always been recommended to use KSFW.  I believe when we were running R81.10 on our 6600, we did end up swapping to KSFW because of strange performance issues.  It may have reverted back to USFW when we did the upgrade to R81.20.  What is usually recommended for overall performance?  Should we stay with USFW or consider moving to KSFW?

0 Kudos
Lesley
Authority Authority
Authority
‎2024-08-20 11:38 AM
In response to jberg712

This depends. Sharing below output could help to answer the question. 

Best Practices

Use the factors listed below to select the best CoreXL Firewall mode for your Security Gateway - User Space (USFW) or Kernel Space (KSFW):

Factor Testing command Recommended
Firewall
mode
80% or more of the traffic undergoes the Fast / Accelerated path fwaccel stats -s KSFW
70% or more of the traffic undergoes the Firewall / Slow path fwaccel stats -s KSFW
30% or more of the traffic undergoes the PXL / Medium path fwaccel stats -s USFW
Security Gateway is configured with more CoreXL SND instances than CoreXL Firewall instances,
or when CoreXL SND instances are the bottleneck		 fw ctl affinity -l -r KSFW
Security Gateway is configured with more than 38 CoreXL Firewall instances fw ctl affinity -l -r USFW
-------
If you like this post please give a thumbs up(kudo)! 🙂
(1)
jberg712
Collaborator
‎2024-08-20 11:50 AM
In response to Lesley

@Lesley  I was looking at that as well Lesley.  The part i'm having trouble understanding is the 'fw ctl affinity' results.

Here are the fwaccel stats:

fwaccel stats -s
Accelerated conns/Total conns : 18/14309 (0%)
LightSpeed conns/Total conns : 0/14309 (0%)
Accelerated pkts/Total pkts : 10138306524/10716219296 (94%)
LightSpeed pkts/Total pkts : 0/10716219296 (0%)
F2Fed pkts/Total pkts : 577912772/10716219296 (5%)
F2V pkts/Total pkts : 157378648/10716219296 (1%)
CPASXL pkts/Total pkts : 7960499954/10716219296 (74%)
PSLXL pkts/Total pkts : 2176883828/10716219296 (20%)
CPAS pipeline pkts/Total pkts : 0/10716219296 (0%)
PSL pipeline pkts/Total pkts : 0/10716219296 (0%)
QOS inbound pkts/Total pkts : 0/10716219296 (0%)
QOS outbound pkts/Total pkts : 0/10716219296 (0%)
Corrected pkts/Total pkts : 0/10716219296 (0%)

The 'fw ctl affinity' says this:  

fw ctl affinity -l -r
CPU 0:
CPU 1:
CPU 2: fw_3 (active)
cprid lpd mta_monitor cp_file_convertd usrchkd mpdaemon fwd wsdnsd rad cserver rtmd pepd watermark_cp_file_convertd in.aftpd in.msd scrubd in.ahclientd scanengine_b in.asessiond scrub_cp_file_convertd core_uploader pdpd in.emaild.mta vpnd in.acapd cprid cpd msgd
CPU 3: fw_2 (active)
cprid lpd mta_monitor cp_file_convertd usrchkd mpdaemon fwd wsdnsd rad cserver rtmd pepd watermark_cp_file_convertd in.aftpd in.msd scrubd in.ahclientd scanengine_b in.asessiond scrub_cp_file_convertd core_uploader pdpd in.emaild.mta vpnd in.acapd cprid cpd msgd
CPU 4: fw_1 (active)
cprid lpd mta_monitor cp_file_convertd usrchkd mpdaemon fwd wsdnsd rad cserver rtmd pepd watermark_cp_file_convertd in.aftpd in.msd scrubd in.ahclientd scanengine_b in.asessiond scrub_cp_file_convertd core_uploader pdpd in.emaild.mta vpnd in.acapd cprid cpd msgd
CPU 5: fw_0 (active)
cprid lpd mta_monitor cp_file_convertd usrchkd mpdaemon fwd wsdnsd rad cserver rtmd pepd watermark_cp_file_convertd in.aftpd in.msd scrubd in.ahclientd scanengine_b in.asessiond scrub_cp_file_convertd core_uploader pdpd in.emaild.mta vpnd in.acapd cprid cpd msgd
All:
Interface eth1: has multi queue enabled
Interface eth5: has multi queue enabled
Interface eth1-01: has multi queue enabled
Interface eth1-02: has multi queue enabled
Interface Mgmt: has multi queue enabled

I'm not sure how to read how many CoreXL instances vs CoreXL SND instances from these results.  Are you able to tell?

0 Kudos
Lesley
Authority Authority
Authority
‎2024-08-20 11:53 AM
In response to jberg712

Looks like 2 SND and the res FWK's to be sure verify with cpview -> cpu

You will see either CoreXL_SND or OTHER. And CoreXL_FW

-------
If you like this post please give a thumbs up(kudo)! 🙂
(1)
jberg712
Collaborator
‎2024-08-20 11:58 AM
In response to Lesley

CPview indicates 2 CPUs for CoreXL_SND and 4 CPUs for CoreXL_FW

 

CoreXLinfo_cpview.png

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-20 02:05 PM
In response to jberg712

From a performance perspective, the table @Lesley provided gives you a good idea when to use USFW.
Note that some features require USFW (e.g. HTTPS Inspection for TLS 1.3 and HTTP/2).
I suspect it will be the default mode in a future version.

0 Kudos
Lesley
Authority Authority
Authority
‎2024-08-20 10:45 AM
In response to jberg712

Hi,

Please check bug:

PRJ-51049,
PMTR-97496

Security Gateway

In some scenarios, websites that use HTTP2 protocol do not load properly.

 

This is solved in R81.20 take 79 (released yesterday for R81.20 and today for R81.10

-------
If you like this post please give a thumbs up(kudo)! 🙂
(1)
jberg712
Collaborator
‎2024-08-20 11:16 AM
In response to Lesley

Thank you for pointing and finding this out Lesley.  I'm going to prepare to update my management and gateways with this to see if this resolves the issue.  

0 Kudos
jberg712
Collaborator
‎2024-08-22 07:57 AM

Update on this...  I updated to Take 79.  Still having the odd behavior in Google searches.  I have a TAC case open about this.  Since the update though, I see logs indicating the 'URL Filtering - Internal System Error (0)'.  I've done some debugging and when I did the debug for APPI and NRB I found an error line stating: [ERROR]: rad_kernel_urlf_request_serialize: string len =4288 bigger than max 4096;

I can't seem to find anything more about this in SK's.  Below is a broader snippet of the log during the failure event.

@;3832104.2122417;22Aug2024 8:49:15.448813;[vs_0];[tid_0];[fw4_0];1:{global} appi_rad_uf_cmi_handler_is_enabled_ex: with _urlf_blade_enabled=0 -> *_enabled=1;
@;3832104.2122418;22Aug2024 8:49:15.448815;[vs_0];[tid_0];[fw4_0];1:{referrer} appi_clobs_observer_http_inspect_referrer: md5 is 2100488168;
@;3832104.2122419;22Aug2024 8:49:15.448817;[vs_0];[tid_0];[fw4_0];1:{referrer} [WARNING]: appi_clobs_observer_http_inspect_referrer: transaction's application is NULL;
@;3832104.2122420;22Aug2024 8:49:15.448818;[vs_0];[tid_0];[fw4_0];1:{observer} appi_clobs_observer_notify_exe_rb_event: returned retval 0;
@;3832104.2122421;22Aug2024 8:49:15.448833;[vs_0];[tid_2];[fw4_2];1:{policy} appi_rad_uf_cmi_handler_match_cb_handle_url: call rad_kernel_api_get_cached_resource;
@;3832104.2122422;22Aug2024 8:49:15.448857;[vs_0];[tid_1];[fw4_1];1:{policy} appi_rad_uf_cmi_handler_match_cb_handle_url: call rad_kernel_api_get_cached_resource;
@;3832104.2122423;22Aug2024 8:49:15.448867;[vs_0];[tid_2];[fw4_2];[172.16.16.31:53447 -> 108.177.122.147:443] [ERROR]: rad_kernel_urlf_request_serialize: string len =4288 bigger than max 4096;
@;3832104.2122424;22Aug2024 8:49:15.448871;[vs_0];[tid_2];[fw4_2];1:[172.16.16.31:53447 -> 108.177.122.147:443] {policy} [ERROR]: appi_rad_uf_cmi_handler_match_cb_handle_url: rad_kernel_api_async_get_resource_with_status_code() failed, error: Request flat buffer error;
@;3832104.2122425;22Aug2024 8:49:15.448874;[vs_0];[tid_2];[fw4_2];1:[172.16.16.31:53447 -> 108.177.122.147:443] {policy} [ERROR]: appi_rad_uf_cmi_handler_match_cb: appi_rad_uf_cmi_handler_match_cb_handle_url() failed;
@;3832104.2122426;22Aug2024 8:49:15.448876;[vs_0];[tid_2];[fw4_2];1:{global} appi_global_policy_get_fail_action: fail action is REJECT;
@;3832104.2122427;22Aug2024 8:49:15.448877;[vs_0];[tid_2];[fw4_2];1:{connection} appi_rad_uf_cmi_handler_match_cb: perform fail action [Reject];
@;3832104.2122428;22Aug2024 8:49:15.448890;[vs_0];[tid_1];[fw4_1];[172.16.16.31:53446 -> 108.177.122.147:443] [ERROR]: rad_kernel_urlf_request_serialize: string len =4275 bigger than max 4096;
@;3832104.2122429;22Aug2024 8:49:15.448891;[vs_0];[tid_2];[fw4_2];1:{policy} appi_rad_uf_cmi_handler_match_cb: ended;
@;3832104.2122430;22Aug2024 8:49:15.448894;[vs_0];[tid_1];[fw4_1];1:[172.16.16.31:53446 -> 108.177.122.147:443] {policy} [ERROR]: appi_rad_uf_cmi_handler_match_cb_handle_url: rad_kernel_api_async_get_resource_with_status_code() failed, error: Request flat buffer error;
@;3832104.2122431;22Aug2024 8:49:15.448897;[vs_0];[tid_1];[fw4_1];1:[172.16.16.31:53446 -> 108.177.122.147:443] {policy} [ERROR]: appi_rad_uf_cmi_handler_match_cb: appi_rad_uf_cmi_handler_match_cb_handle_url() failed;
@;3832104.2122432;22Aug2024 8:49:15.448899;[vs_0];[tid_1];[fw4_1];1:{global} appi_global_policy_get_fail_action: fail action is REJECT;
@;3832104.2122433;22Aug2024 8:49:15.448900;[vs_0];[tid_1];[fw4_1];1:{connection} appi_rad_uf_cmi_handler_match_cb: perform fail action [Reject];
@;3832104.2122434;22Aug2024 8:49:15.448912;[vs_0];[tid_1];[fw4_1];1:{policy} appi_rad_uf_cmi_handler_match_cb: ended;

0 Kudos
Lesley
Authority Authority
Authority
‎2024-08-22 08:03 AM
In response to jberg712

Is the issue still there if you bypass the following categories in HTTPS inspection?

Google Services and Google Cloud Platform Services

-------
If you like this post please give a thumbs up(kudo)! 🙂
jberg712
Collaborator
‎2024-08-22 08:09 AM
In response to Lesley

Give me a moment Lesley and I'll test

0 Kudos
the_rock
Legend
Legend
‎2024-08-22 08:11 AM
In response to jberg712

Or try below.

Andy

 

Screenshot_1.png

0 Kudos
the_rock
Legend
Legend
‎2024-08-22 08:10 AM
In response to Lesley

Very good point @Lesley 

0 Kudos
jberg712
Collaborator
‎2024-08-22 08:15 AM
In response to Lesley

I bypassed Google services (all of them) and I do not get the error.  Everything loads like it's supposed to.  So it would indicate something with HTTPS inspection?

the_rock
Legend
Legend
‎2024-08-22 08:25 AM
In response to jberg712

100%, if bypass works.

0 Kudos
the_rock
Legend
Legend
‎2024-08-22 08:03 AM
In response to jberg712

URLF database, does it show updated in smart console?

Andy

0 Kudos
jberg712
Collaborator
‎2024-08-22 08:07 AM
In response to the_rock

Andy, it states it's up-to-date, but the latest version is 141202408011245 (Created on 8/1/2024 7:45 AM)  Is that the most updated DB?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events