796570686578
Collaborator

Issue with url filtering

Hey everyone, 

I am currently experiencing some weird behavior which I have not seen before. An application on a server tries to establish an HTTPS connection to a certain host, but URL Filtering is rejecting the connection although we have a rule in place which should allow the connection. We are not using HTTPS Inspection.

Reject Log: reject_log.png

According to the Logs, the traffic currently matches the following rule. The Object P_Server_BLOCKED contains the Vehicles Category:

matched_rule.png


Right above the drop rule, we have the following rule to whitelist applications/URLs, which generally works fine:


rule_that_should_match.png

I tried adding axat1.audatex.net and gtl-services.at to the whitelist without any success:

whitelist_1.png whitelist_2.png

I obviously already installed the policy but even with these objects, traffic is being rejected.

I have investigated this with a tcpdump so far and can see that there is a "Client Hello" message, but no response from the server. My guess is that this is where the gateway drops/rejects the traffic? If my memory serves me correctly, the gateway will try to get the server certificate. A reverse lookup on the IP 185.168.123.19 returns axat1.audatex.net, but there doesn't seem to be a web server listening on that hostname. gtl-services.at seems to be hosted on the same host and has a valid certificate (DigiCert Global G2 TLS RSA SHA256 2020 CA1).

I checked the trusted CAs in Smart Dashboard and found an entry for DigiCert Global Root G2. Are DigiCert Global Root G2 and DigiCert Global G2 TLS RSA SHA256 2020 CA1 the same?

We have automatic CA Updates enabled, and I have also performed a manual update but the DigiCert CA was not part of the update.


Does anyone have an idea what else I could look into or how to resolve this issue?


Thank you and best regards

yephex

the_rock
Legend

Is this option enabled in legacy smart console?

Andy

Screenshot_1.png

796570686578
Collaborator

Hello Andy,

I just checked, it is indeed enabled.


Best regards

the_rock
Legend

I also attached a zip file with the most updated CA list that can be imported via legacy smart console (same screenshot I sent in the last response). Just a small disclaimer... if you upload the file, MAKE SURE to back everything up beforehand. I gave it to people before and there was never an issue, but you never know, better be safe than sorry : - )

Andy

796570686578
Collaborator

Hey, 

Thank you! According to the MD5 sum, this is the same updateFile.zip as from https://support.checkpoint.com/results/download/130286, correct? I imported it earlier, but as the DigiCert CA was not in the "Certificates that will be added" list, I didn't actually update the trusted CAs. Should I update it anyway and see if it works?

cert_update.png

Thanks for your help, I appreciate it!

the_rock
Legend

Seems like it matches, yes

Andy


[Expert@CP-management:0]# sha1sum updateFile.zip
14bd7595a3e70d0b1e00c1728ac9dc232cc2714d updateFile.zip
[Expert@CP-management:0]# ls -lh
total 504K
-rw-rw---- 1 admin root 66 Nov 30 13:32 last_revision_DC.xml
-rw-rw---- 1 admin root 500K Nov 30 13:32 updateFile.zip
[Expert@CP-management:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000239 for GAIA
[FW1]
HOTFIX_WEBCONSOLE_AUTOUPDATE
HOTFIX_VCE_R81_20_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 41

FW1 build number:
This is Check Point Security Management Server R81.20 - Build 008
This is Check Point's software version R81.20 - Build 018

[Expert@CP-management:0]#

796570686578
Collaborator

Thanks for checking! I am going to update the Trusted CA list on Monday, since I need confirmation from the customer for every change. Let's see if it will work. If it doesn't, do you have any other advice? Or should I open a case with TAC?

the_rock
Legend

Personally, I would need to see it for myself to draw any further conclusions, if you will. Happy to do remote if you allow it, just message me directly and we can check, not an issue.

Let me know.

Best,

Andy

796570686578
Collaborator

I really appreciate the offer, thank you! I know that you are a trusted member of the community and basically part of the CP family but unfortunately company policies won't allow it, so I kindly need to refuse the offer 😞 


the_rock
Legend

No problem at all 🙂

Best,

Andy

PhoneBoy
Admin

We use SNI verification to confirm what the client is trying to connect to.
This includes validating the certificate presented by the server by having the gateway connect to the server independently.
Sounds like that process is failing.
You may need to get the TAC involved here: https://help.checkpoint.com 

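As an added illustration (not code from this thread or from Check Point), here is a simplified model of the SNI verification step described in the accepted answer: the gateway takes the SNI from the Client Hello, fetches the server's chain on its own connection, and only treats the destination as verified when that chain builds to a root in its trusted CA store and the leaf certificate's names cover the SNI. The certificate objects are constructed from names only to mirror the scenario in the question (a leaf for gtl-services.at issued by the DigiCert intermediate, which is a separate certificate from the DigiCert Global Root G2 that sits in the trusted store); `Cert`, `verify_sni` and the helper names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    # Minimal stand-in for an X.509 certificate: names only, constructed for illustration.
    subject: str
    issuer: str
    sans: list[str] = field(default_factory=list)


def hostname_matches(sni, names):
    """RFC 6125-style match: exact name, or a single left-most wildcard label."""
    sni = sni.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == sni:
            return True
        # "*.example.com" covers "a.example.com" but not "example.com" or "a.b.example.com"
        if name.startswith("*.") and sni.endswith(name[1:]) \
                and sni.count(".") == name.count("."):
            return True
    return False


def chain_is_trusted(chain, trusted_roots):
    """Walk leaf -> issuer until the issuer name is in the trusted CA store."""
    by_subject = {c.subject: c for c in chain}
    current, seen = chain[0], set()
    while current.issuer not in trusted_roots:
        if current.issuer in seen or current.issuer not in by_subject:
            return False  # missing intermediate, untrusted root, or a loop
        seen.add(current.issuer)
        current = by_subject[current.issuer]
    return True


def verify_sni(sni, chain, trusted_roots):
    """Model of the gateway check: the chain must be trusted AND cover the SNI."""
    if not chain_is_trusted(chain, trusted_roots):
        return "untrusted chain"
    if not hostname_matches(sni, chain[0].sans):
        return "hostname mismatch"
    return "ok"


# Constructed chain mirroring the thread's scenario (names only, not real certificates).
INTERMEDIATE = Cert("DigiCert Global G2 TLS RSA SHA256 2020 CA1", "DigiCert Global Root G2")
LEAF = Cert("gtl-services.at", INTERMEDIATE.subject, ["gtl-services.at", "www.gtl-services.at"])
CHAIN = [LEAF, INTERMEDIATE]
TRUSTED_ROOTS = {"DigiCert Global Root G2"}
```

With the SNI set to gtl-services.at the model verifies, while an SNI of axat1.audatex.net against the same chain fails on the hostname, and a chain with the intermediate missing fails before the hostname is even checked; a real gateway works on parsed X.509 data and signatures rather than names.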
796570686578
Collaborator

Thank you, I will check if I can perform a debug on the SNI verification and troubleshoot further; in case I am unsuccessful, I am going to open a TAC case. I will try to update with a solution if there is one.
