This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gareth_somers
Contributor
‎2021-02-02 03:23 PM
Jump to solution

Random issue with PDFs after upgrade to R80.40

Hi Checkmates,

We have encountered a very strange issue since upgrading to R80.40, the issue was not present on R80.30 but appeared immediately after the upgrade. We randomly cannot open PDFs on some HTTPS sites (cisco.com and undocs.org are 2 examples), when attempting to open the PDFs either in browser (Chrome, Edge or Firefox) or directly save them to disk results in an error which appears to be an SSL negotiation failure. The odd thing is that the issue is only present for PDFs and it's completely random, a PDF will open fine and then on the next refresh it fails. It seems to be about a 75% percent chance that it won't work and it makes no difference if the file is cached (eg had already worked at some point). Every other file type works without problem, this only occurs when accessing PDFs on some HTTPS sites.

For example 

I just clicked this link:

https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-3...

And the PDF opened (after being scanned by Threat Emulation).

I then refreshed the page and it failed (error in browser is 'We can't open this file, something went wrong') on the next refresh it opens again and then fails the next 3 times and then works again. 

When it fails, the error in dev tools is:

Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR

The same thing happens if I try to download the file without opening in the browser.

The same thing happens on this UN site:

https://undocs.org/en/A/75/5%20(Vol.%20I)

However in this case there is an option to get a Word copy of the document and that always works. Again the SSL issue only occurs for PDF documents, the sites themselves all work fine outside of that. We haven't had reports of any general SSL issues since moving to R80.40 and outside of this particular issue which I experienced myself directly after the upgrade on cisco.com, HTTPS inspection seems to work fine.  Also  I'm only aware of a handful of sites that we have the issue with, most sites with PDFs are fine.

The gateways are R80.40 with HFA 91 installed and most of the Threat Prevention blades enabled, the issue happens on both cluster members. There is nothing logged and I haven't debugged the WSTLSD daemon at this point, just wondering if anyone else has experienced this issue?

Cheers,

Gareth

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-02-02 10:12 PM
Jump to solution

I’d open a TAC case if you haven’t already.

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-02-02 10:12 PM
Jump to solution

I’d open a TAC case if you haven’t already.

0 Kudos
Gareth_somers
Contributor
‎2021-02-03 02:13 AM
In response to PhoneBoy
Jump to solution

Thanks, I figured as much, opening a call today.

0 Kudos
Antonis_Hassiot
Contributor
‎2021-06-10 05:46 AM
In response to Gareth_somers
Jump to solution

Has a solution been found here? 

We are having the same issue on 80.30 T226

e.g. https://www.roosemarinelaw.com/RoosePartners%20Casualty%20Newsletter%20-%20Edition%20428%20-%209%20J...

fails to open. 

A.

0 Kudos
Gareth_somers
Contributor
‎2021-06-10 01:31 PM
In response to Antonis_Hassiot
Jump to solution

TAC closed out our call as a known issue, no fix available yet. We ended up disabling SSL inspection for a number of sites where we believe the threat to be low and then asking our users to put up with hitting refresh a bunch of times until it works for other sites (which hasn't gone down well). I would downgrade to R80.30 but we were suffering with a memory leak with the TED process that R80.40 has fixed so we're kind of between a rock and a hard place.

I would suggest opening a call with TAC, they will probably close it out but the more users that report it the better. I've been told that it's with Checkpoint R&D and a good few customers have reported this issue on R80.40.

0 Kudos
Antonis_Hassiot
Contributor
‎2021-06-10 11:58 PM
In response to Gareth_somers
Jump to solution

Thanks Gareth,

Odd thing is that we are on 80.30, maybe on a later HF than you were at the time you upgraded. I will open a case. 

 

A.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top