This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Arturxr
Explorer
Friday

Slow page loading issues and errors Internal system error in HTTPS Inspection due to categorization

Good afternoon, a few days ago, a problem with slow page loading appeared. Sometimes when loading a page, an error appears and after a couple of seconds the page loads completely.


At this point, the following errors may appear in the firewall logs:

Internal system error in HTTPS Inspection due to categorization service timeout


It turns out that the problem is not constant and appears from time to time, but there is no load on the CPU

We restarted the RAD process and there seemed to be no errors for a while, but then they continued to appear in the logs from time to time.

Have you encountered this behavior before?
We encountered this for the first time, since usually before, when we had problems with categorization, there was no access to the Internet at all, but now only at a certain time the pages start to load slowly

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
Friday

The behavior sounds consistent with issues related to RAD.
There are debug steps for it here: https://support.checkpoint.com/results/sk/sk92743

It's possible this may be fixed by applying the latest recommended JHF for your release.
More than likely, TAC will need to be involved.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Saturday

Out of curioisity, how are blade settings configured in smart console? Will send screenshot later of what Im referring to.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Saturday

This is what I meant, but here are screenshots, just in case.

https://community.checkpoint.com/t5/General-Topics/https-inspection-tip-feedback-suggestion/m-p/2530...

 

Screenshot_2.png

Screenshot_3.png

Screenshot_4.png

Screenshot_5.png

Screenshot_1.png

     

Best,
Andy
0 Kudos
Arturxr
Explorer
Sunday
In response to the_rock

mode: hold in http inspection and app control

http inspection: fail open
app control: fail close

enforce safe search +

 

 

 

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to Arturxr

I would try test it with settings I outlined. I honestly always found works best that way.

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
yesterday
In response to Arturxr

The "Hold" mode causes this. I most often see this behavior when somebody enables URL filtering on an internal firewall which isn't allowed to talk out to the Internet. Suddenly all kinds of traffic has six seconds of latency per pass added to opening the connection (e.g, let's say clients go through the firewall to hit a load balancer, then the load balancer goes through the firewall again to get to the servers; that's two passes, so 12 seconds of latency).

Switching to Background provides immediate relief. Ultimately, you need to figure out why the firewall sometimes can't reach the categorization service.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to Bob_Zimmerman

I always found block and background options work the best.

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
Saturday

Do you have any rules in your HTTPS inspection policy with 'Any' or non-HTTP based services?

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Saturday
In response to Chris_Atkinson

Definitely good point Chris. I saw that be an issue before.

Best,
Andy
0 Kudos
Arturxr
Explorer
Sunday
In response to Chris_Atkinson

We have a couple of rules from hosts to specific resources with "any" in services. Could this also affect traffic that doesn't fall under this rule?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to Arturxr

100% it could.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
Sunday

One thing you can also test is add website(s) with the issue to bypass rule and see if it helps.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events