the_rock
Legend

HTTPS inspection block page issue

Hey everyone,

 

I hope someone can shed some light on this and provide some suggestions : ). So, here is the situation.

Customer has R81 mgmt and R80.40 jumbo 120 HA cluster. All works fine, but for some odd reason, with HTTPS inspection enabled, pages are blocked as per desired categories, BUT the UserCheck block page seems to work super randomly. So say you go to a gambling site: it gets blocked on Chrome, but not on Safari on Mac... Then on Windows, it's also very random; it really depends on the site you go to whether the blocked page notification comes up or not.

We verified all the rules, and the logs show the correct action and categories, so I'm really not sure how to troubleshoot this. We do have a TAC case, but wanted to do proper testing myself first.

 

Not sure if this info is worth much, but say if you try facebook.com, it simply shows connection was reset, yet log shows facebook is blocked according to right rule. 

 

If someone could give any suggestions/guidance on this, would be greatly appreciated!!

 

Thanks as always.

Accepted Solutions
the_rock
Legend

This was a while ago, but I remember it worked fine after R81 upgrade, no issues. I would say you definitely need ssl inspection on for this to work right.

Andy

PhoneBoy
Admin

All of that sounds like some pages are NOT getting HTTPS Inspection applied as that is required for the block page to show up.
If HTTPS Inspection isn't enabled, or isn't happening for some reason, the only option to block a connection is a TCP RST.

the_rock
Legend

I agree with you 100%, but the question is why...any good approach to this behavior?

 

Thanks as always.

PhoneBoy
Admin

If it were me, I'd probably be looking at debugging wstlsd.
TAC may have some other suggestions as well.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

the_rock
Legend

That sounds good...I may call into TAC tomorrow to see if they have any other suggestions. Tx!

 

A.

Teddy_Brewski
Collaborator

Hi @the_rock 

Do you recall any tips from TAC?

We're experiencing the same(?) issue with 1555 SMB appliances running R81.10.17 (996004508) with Application Control and URL Filtering blades enabled. HTTPS Inspection is not enabled, but we do have "Categorize HTTPS websites" checked.

Accessing http websites that fall into a blocked category results in a blocked page -- no issues here.

Accessing the same website over https doesn't produce the blocked page, but rather a Connection Reset error in the browser. Also, there is some random behavior observed when nothing is blocked with certain browsers.

Logs do show correct action and category.

Thanks!

 

Tom_Hinoue
Advisor

For locally managed SMBs, we have confirmed this issue occurs in R81.10.15/R81.10.17 and an SR is opened to TAC.
A hotfix should be available now for this issue, so if interested open a case to TAC and they should be able to assist 🙂
If you need the SR number, you can DM me and I will be happy to help.

Teddy_Brewski
Collaborator

Thank you @Tom_Hinoue ! Good to know we're not alone. 🙂 Going to DM in a second.

Tom_Hinoue
Advisor

Gotcha. Will reply in DM regarding what I know.

the_rock
Legend

On another note, but in the same context, check out what @_Val_ said on November 23rd, 2021 in the post below; it's a perfect explanation.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Categorize-HTTPS-Websites/m-p/134729/emcs_t/S2...

PhoneBoy
Admin

To show a block page, we need to issue an HTTP Redirect to the UserCheck portal.
For HTTPS connections, this is impossible to do unless HTTPS Inspection is enabled.
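
A client-side check for the behaviour described in this thread, as an added example that is not part of any post here and is not Check Point tooling: it makes one TLS connection per host and reports whether the certificate was issued by the gateway's inspection CA (block page possible) or the connection was simply reset. Assumptions: `INSPECTION_CA_ORG` is a placeholder for your gateway CA's organization name, that CA is trusted by the machine running the script, and `"Block"` stands for the action you read in the gateway log.

```python
import socket
import ssl

# Assumption: organizationName of the gateway's outbound inspection CA (placeholder).
INSPECTION_CA_ORG = "Example-Gateway-CA"

def issuer_org(cert):
    """Return the issuer organizationName from an ssl getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def probe(host, port=443, timeout=5.0):
    """Make one TLS connection to host; return (outcome, issuer organization)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls_ok", issuer_org(tls.getpeercert())
    except ConnectionResetError:          # TCP RST during connect or handshake
        return "reset", ""
    except ssl.SSLCertVerificationError:  # presented chain not trusted by this client
        return "cert_untrusted", ""
    except OSError:                       # DNS failure, timeout, other TLS errors
        return "error", ""

def classify(outcome, issuer, logged_action, ca_org=INSPECTION_CA_ORG):
    """Combine the client-side result with the action shown in the gateway log."""
    if outcome == "tls_ok" and issuer == ca_org:
        return "inspected: gateway terminates TLS, block page can be served"
    if outcome == "tls_ok":
        return "not inspected: client sees the origin certificate"
    if outcome == "reset" and logged_action == "Block":
        return "blocked without inspection: RST only, no block page possible"
    return "inconclusive: " + outcome

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        outcome, issuer = probe(host)
        # "Block" is entered by hand from the log entry for this connection.
        print(host, "->", classify(outcome, issuer, "Block"))
```

Running it against the same hosts from each affected client separates "inspection did not happen for this connection" from "inspection happened but the block page was not rendered".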

the_rock
Legend

@Teddy_Brewski What @PhoneBoy said is 100% correct. Think of the fw as MITM (man in the middle) in this case...if ssl inspection is off, there is literally nothing to "intercept".

Andy
