This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2021-01-07 05:07 PM

HTTPS inspection issue

Hello everyone and Happy New Year! 🙂

 

I wanted to post this to see if anyone has any suggestions at all. So I worked with escalation guy on it and he could not really offer a whole lot sadly. So, here is the story...customer has cloud smart-1 mgmt (though I dont think thats overly relevant) and 2 6400 gateways in HA cluster. We enabled https inspection and created simple ordered url layer with blacklist first and then any any allow at the bottom (I know thats recommendation, as odd as I find that, but whitelist first does not seem to work).

So what happens is that if we test PC from behind internal interface (10.50.0.135), we see it gets accepted on network layer, inline layer 5 and then certain categories are supposed to be blocked on rule 1 of ordered url layer, which does NOT happen.

To make things even worse, not even Internet access on that PC works, unless we create bypass https inspection rule for whole 10.50 net...which is pointless, since it defeats the purpose of even using https inspection.

Then TAC finds out that not even wstlsd process is working on gateway, so guy said there is noting to debugs. We tried disabling url filtering, app control. https blades, no go. Also rebooted, same issue.

These are brand new firewalls with latest R80.40 and jumbo hotfix...Im totally lost as far as why this happens. Maybe Im wrong when I say this, but if rule in network layer allows that PC to go anywhere on the Internet, should not url ordered layer still block the categories listed? As per escalation, thats totally fine, but I still have some doubts...

Any advice would be appreciated!

0 Kudos
4 Replies
Vincent_Bacher
Advisor
Advisor
‎2021-01-07 11:27 PM

Unless I missed something in your post, the design with Access Control Layer and Application Control / URL Filter Layer should basically work.
Since you are talking about https inspection: Have you tried to access an unencrypted http page, like http://apache.org?
Is it possible to access such a page or does that not work either? Is categorization correct here?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
Legend
Legend
‎2021-01-08 04:15 AM

Hi Vincent,

 

See, even http access is very random, so that part makes no sense either.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-08 05:16 PM

Can you send me the TAC SR in a PM?

0 Kudos
the_rock
Legend
Legend
‎2021-01-08 05:44 PM

Its under control now : ). Looks like something got reset in guidbedit when we tried removing old cert for https inspection with Tier 3 few days ago. I will work with escalations again on Monday to see if we can sort out block page notification issue. Have a great weekend!!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events