This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
YvheniiK
Participant
‎2025-04-24 09:12 AM
Jump to solution

HTTPS Inspection logs and App Control with URL Filtering

Hello,
I'm a bit confused about the logs' reflection on URL filtering in the Check Point NGFW.

For example, I configured HTTPS inspection and App and URL filtering on the device.
go to YouTube and then see the logs about visiting youtube.com.

App-inspect.png


but I see just some general information in the application logs and URL filtering logs
In HTTPS inspection logs, I can see information about the video resource that I watched.

HHTPS-inspect.png

 

Why don't I see it on the application or URL filtering logs?

I mean the information about visiting rr4---sn-5hne6nsk.googlevideo.com.

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-04-25 02:53 AM
In response to YvheniiK
Jump to solution

You have not indicated how the logging/track field is currently configured for your related policy/rules?

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
(1)
9 Replies
Lesley
MVP Gold
MVP Gold
‎2025-04-24 01:36 PM
Jump to solution

Both URL filtering and https inspections have different values that are in a log entry. I posted them below. It could that there is a difference between them. You could open the full log entry and compare them with the table below. In case of the youtube.com log entry I suspect it just uses the info from the certificate itself *.google.com has also youtube.com in it. 

Field Name Field Display Name Type Description Indexed Added in Version
Security Gateway - HTTPS Inspection Fields - R81.20 and lower
https_inspection_action Inspection Action string HTTPS Inspection action (Inspect/Bypass/Error) Yes  
https_inspection_rule_id HTTPS Inspection Rule ID string ID of the matched rule Yes  
https_inspection_rule_name HTTPS Inspection Rule Name string Name of the matched rule Yes  
app_properties Additional Categories string List of all found categories (match table) No  
resource Resource string HTTPS resource
Possible values:
  • SNI
  • Domain Name
 Yes  
https_validation HTTPS Validation string Precise error, describing the HTTPS inspection failure Yes  
description Description string Additional information about the "https_validation" field Yes  
reason Reason string Explains the action decision Yes  

 

Field Name Field Display Name Type Description Indexed Added in Version
Security Gateway - Application Control & URL Filtering Fields
appi_name Application Name string Application name (match table) Yes  
app_desc Application Description string Application description (match table) No  
app_id Application ID int Application ID (match table) No  
app_properties Additional Categories string Application categories (match table) Yes  
app_risk Application Risk int Application risk (match table)
Possible values:
  • 0 - Unknown
  • 1 - Very low
  • 2 - Low
  • 3 - Medium
  • 4 - High
  • 5 - Critical
 Yes  
app_rule_id Application Rule ID string Rule number Yes  
app_rule_name Application Rule Name string Rule name No  
app_sig_id Application Signature ID string The signature ID, by which the application was detected (match table) Yes  
categories Categories string Matched categories Yes  
certificate_resource Resource string HTTPS resource Possible values:
  • SNI
  • Domain Name (DN)
 Yes R80.40
certificate_validation Certificate Validation string Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature Yes R80.40
description Description string Additional explanation about the certificate validation failure Yes R80.40
usercheck_incident_uid UserCheck ID string UserCheck incident ID No  
usercheck_reference UserCheck Reference string UserCheck reference No  
resource Resource string HTTP connection resource Yes  
browse_time Browse Time time Application session browse time Yes  
limit_requested N/A int Indicates whether data limit was requested for the session Yes  
limit_applied N/A int Indicates whether the session was actually date-limited Yes  
dropped_outgoing N/A int Number of outgoing dropped packets Yes  
dropped_incoming N/A int Number of incoming dropped packets Yes  
dropped_total N/A int Number of dropped packets (both incoming and outgoing) Yes  
suppressed_logs Suppressed Logs int Number of connections/HTTP sessions that were aggregated in this application session log No  
match_id N/A int Mapping of matched rule to its matched application (match table) Yes  
client_type_os N/A string Client OS detected in the HTTP request Yes  
referrer N/A string The referrer header, if exists Yes  
name N/A string Application name Yes  
properties N/A string Application categories (match table) Yes  
risk N/A int Application risk Yes  
sig_id N/A string Application's signature ID, by which it was detected Yes  
desc N/A string Override application description Yes  
referrer_self_uid N/A guid UUID of the current log Yes  
referrer_parent_uid N/A guid Log UUID of the referring application Yes  
needs_browse_time N/A int Browse time required for the connection Yes  
security_inzone N/A string Source security zone Yes  
security_outzone N/A string Destination security zone Yes  
url URL string Matched URL Yes  
app_byte_ps_in Application Byte/Sec In int Incoming traffic of an application (Bytes per Second) No  
app_byte_ps_out Application Byte/Sec Out/td> int Outgoing traffic of an application (Bytes per Second) No  
app_pack_ps_in Application Packet/Sec In int Incoming traffic of an application (Packets per Second) No  
app_pack_ps_out Application Packet/Sec Out/td> int Outgoing traffic of an application (Packets per Second) No  
matched_application Matched Application string Name of the matched application No  
-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
YvheniiK
Participant
‎2025-04-25 02:48 AM
In response to Lesley
Jump to solution

That is clear to me, and I know that HTTPS-inspection and Application Control & URL Filtering loglines have different fields.
My question here is more about a count of these loglines.
When I have a YouTube session, I see that I have many more loglines in HTTPS-inspection than in Application Control & URL Filtering.
I have just 1 logline in Application Control & URL Filtering about youtube session, but 4-6 loglines (where specified various resources and dst IP) in HTTPS-inspection in the scope of this youtube session.
That means that if I want to get full information about web-filtering, then I need to pay attention to both logs "HTTPS-inspection" and "Application Control & URL Filtering".
And the worst thing here is that you can't correlate these two types of logs (by sessionid,loguid or somewhere else)

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-04-25 02:53 AM
In response to YvheniiK
Jump to solution

You have not indicated how the logging/track field is currently configured for your related policy/rules?

CCSM R77/R80/ELITE
0 Kudos
(1)
YvheniiK
Participant
‎2025-04-25 07:36 AM
In response to Chris_Atkinson
Jump to solution

I configured it like this Policy.png

track.png

Also

Logs-sett.png

0 Kudos
YvheniiK
Participant
‎2025-04-25 09:35 AM
In response to Chris_Atkinson
Jump to solution

Oh sorry, 

enabling extended log solves this problem.
Thank you!

(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-04-25 09:36 AM
In response to YvheniiK
Jump to solution

Good job @YvheniiK 

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-25 03:45 AM
In response to YvheniiK
Jump to solution

I totally see the point @Chris_Atkinson made here. The way logging options are configured may have something to do with it.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-24 04:07 PM
Jump to solution

I believe thats normal. I also see the same in my R82 lab as well.

Andy

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-04-24 05:06 PM
Jump to solution

Which level of logging is configured for the matching rule in the track column, remember there are additional options here i.e. Extended and Detailed.

Session vs connection logs may also be a factor...

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events