Hey everyone,
I am currently experiencing some weird behavior which I have not seen before. An application on a server tries to establish an HTTPS connection to a certain host, but URL Filtering is rejecting the connection although we have a rule in place which should allow the connection. We are not using HTTPS Inspection.
Reject Log:
According to the Logs, the traffic currently matches the following rule. The Object P_Server_BLOCKED contains the Vehicles Category:
Right above the drop rule, we have the following rule to whitelist applications/URLs, which generally works fine:
I tried adding axat1.audatex.net and gtl-services.at to the whitelist without any success:
I obviously already installed the policy but even with these objects, traffic is being rejected.
I have investigated this with a tcpdump so far and can see that there is a "Client Hello" message, but no response from the server. My guess is that this is where the gateway drops/rejects the traffic? If my memory serves me correctly, the gateway will try to get the server certificate. A reverse lookup on the IP 185.168.123.19 returns axat1.audatex.net but there doesn't seem to be a web server listening on that hostname. gtl-services.at seems to be hosted on the same host and has a valid certificate (DigiCert Global G2 TLS RSA SHA256 2020 CA1).
I checked the trusted CAs in Smart Dashboard and found an entry for DigiCert Global Root G2. Are DigiCert Global Root G2 and DigiCert Global G2 TLS RSA SHA256 2020 CA1 the same?
We have automatic CA Updates enabled, and I have also performed a manual update but the DigiCert CA was not part of the update.
Does anyone have an idea what else I could look into or how to resolve this issue?
Thank you and best regards
yephex