Hey everyone,
I am currently experiencing some weird behavior which I have not seen before. An application on a server tries to establish an HTTPS connection to a certain host, but URL Filtering is rejecting the connection although we have a rule in place which should allow the connection. We are not using HTTPS Inspection.
Reject Log:
According to the Logs, the traffic currently matches the following rule. The Object P_Server_BLOCKED contains the Vehicles Category:
Right above the drop rule, we have the following rule to whitelist applications/URLs, which generally works fine:
I tried adding axat1.audatex.net and gtl-services.at to the whitelist without any success:
I obviously already installed the policy but even with these objects, traffic is being rejected.
I have investigated this with a tcpdump so far and can see that there is a "Client Hello" message, but no response from the server. My guess is that this is where the gateway drops/rejects the traffic? If my memory serves me correctly, the gateway will try to get the server certificate. A reverse lookup on the IP 185.168.123.19 returns axat1.audatex.net, but there doesn't seem to be a web server listening on that hostname. gtl-services.at seems to be hosted on the same host and has a valid certificate (DigiCert Global G2 TLS RSA SHA256 2020 CA1).
I checked the trusted CAs in Smart Dashboard and found an entry for DigiCert Global Root G2. Are DigiCert Global Root G2 and DigiCert Global G2 TLS RSA SHA256 2020 CA1 the same?
We have automatic CA Updates enabled, and I have also performed a manual update but the DigiCert CA was not part of the update.
Does anyone have an idea what else I could look into or how to resolve this issue?
Thank you and best regards
yephex
We use SNI verification to confirm what the client is trying to connect to.
This includes validating the certificate presented by the server by having the gateway connect to the server independently.
Sounds like that process is failing.
You may need to get the TAC involved here: https://help.checkpoint.com
Is this option enabled in legacy smart console?
Andy
Hello Andy,
I just checked, it is indeed enabled.
Best regards
I also attached a zip file with the most updated CA list that can be imported via legacy SmartConsole (same screenshot I sent in the last response). Just a small disclaimer... if you upload the file, MAKE SURE to back everything up beforehand. I gave it to people before and there was never an issue, but you never know, better be safe than sorry : - )
Andy
Hey,
thank you! According to the MD5 sum, this is the same updateFile.zip as from https://support.checkpoint.com/results/download/130286 correct? I imported it earlier, but as the DigiCert was not in "Certificates that will be added" list, I didn't actually update the trusted CAs. Should I update it anyway and see if it works?
Thanks for your help, I appreciate it!
Seems like it matches, yes
Andy
[Expert@CP-management:0]# sha1sum updateFile.zip
14bd7595a3e70d0b1e00c1728ac9dc232cc2714d updateFile.zip
[Expert@CP-management:0]# ls -lh
total 504K
-rw-rw---- 1 admin root 66 Nov 30 13:32 last_revision_DC.xml
-rw-rw---- 1 admin root 500K Nov 30 13:32 updateFile.zip
[Expert@CP-management:0]# cpinfo -y fw1
This is Check Point CPinfo Build 914000239 for GAIA
[FW1]
HOTFIX_WEBCONSOLE_AUTOUPDATE
HOTFIX_VCE_R81_20_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 41
FW1 build number:
This is Check Point Security Management Server R81.20 - Build 008
This is Check Point's software version R81.20 - Build 018
[Expert@CP-management:0]#
Thanks for checking! I am going to update the Trusted CA list on Monday, since I need confirmation from the customer for every change. Let's see if it will work. If it doesn't, do you have any other advice? Or should I open a case with TAC?
Personally, I would need to see it for myself to draw any further conclusions, if you will. Happy to do remote if you allow it, just message me directly and we can check, not an issue.
Let me know.
Best,
Andy
I really appreciate the offer, thank you! I know that you are a trusted member of the community and basically part of the CP family but unfortunately company policies won't allow it, so I kindly need to refuse the offer 😞
No problem at all 🙂
Best,
Andy
Thank you, I will check if I can perform a debug on the SNI verification and troubleshoot further. In case I am unsuccessful, I am going to open a TAC case. Will try to update with a solution if there is one.