Arturxr
Explorer

Slow page loading issues and errors Internal system error in HTTPS Inspection due to categorization

Good afternoon, a few days ago, a problem with slow page loading appeared. Sometimes when loading a page, an error appears and after a couple of seconds the page loads completely.


At this point, the following errors may appear in the firewall logs:

Internal system error in HTTPS Inspection due to categorization service timeout


It turns out that the problem is not constant and appears from time to time, but there is no load on the CPU.

We restarted the RAD process and there seemed to be no errors for a while, but then they continued to appear in the logs from time to time.

Have you encountered this behavior before?
We encountered this for the first time, since usually before, when we had problems with categorization, there was no access to the Internet at all, but now only at a certain time the pages start to load slowly.

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum

This is what I meant, but here are screenshots, just in case.

https://community.checkpoint.com/t5/General-Topics/https-inspection-tip-feedback-suggestion/m-p/2530...

 

Screenshot_2.png

Screenshot_3.png

Screenshot_4.png

Screenshot_5.png

Screenshot_1.png

     

Best,
Andy


0 Kudos
21 Replies
PhoneBoy
Admin

The behavior sounds consistent with issues related to RAD.
There are debug steps for it here: https://support.checkpoint.com/results/sk/sk92743

It's possible this may be fixed by applying the latest recommended JHF for your release.
More than likely, TAC will need to be involved.

0 Kudos
the_rock
MVP Platinum

Out of curiosity, how are the blade settings configured in SmartConsole? I will send a screenshot later of what I'm referring to.

Best,
Andy
0 Kudos
Arturxr
Explorer

mode: hold in http inspection and app control

http inspection: fail open
app control: fail close

enforce safe search +

 

 

 

 

0 Kudos
the_rock
MVP Platinum

I would try testing it with the settings I outlined. I honestly always found it works best that way.

Best,
Andy
0 Kudos
Arturxr
Explorer

We set it up similarly and we stopped getting errors and it seems like resources are loading faster. We'll monitor it.

0 Kudos
the_rock
MVP Platinum

Glad it helped.

Best,
Andy
0 Kudos
Arturxr
Explorer


Unfortunately, there are still some problems with the connection download speed. In the logs, we see errors like "The probe detected that this destination cannot be inspected and its identity cannot be verified due to a TLS alert (TLS alert: protocol_version)"

The probe sent to destination has encountered a general error

The probe was unable to establish a TCP connection to the destination

Internal system error in HTTPS Inspection (Error Code: 2)

 

0 Kudos
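Added example (not part of the thread and not Check Point tooling): a small Python tally of the HTTPS Inspection error texts quoted in this thread, grouped by source network and by hour, to check whether the errors cluster on Wi-Fi or at certain times. The CSV layout, the subnets and the sample rows are constructed assumptions.

```python
import csv, io, ipaddress
from collections import Counter, defaultdict
# Error texts quoted in the thread, mapped to short bucket names.
PATTERNS = [
    ("categorization service timeout", "categorization_timeout"),
    ("tls alert: protocol_version", "tls_protocol_version"),
    ("unable to establish a tcp connection", "probe_tcp_fail"),
    ("encountered a general error", "probe_general_error"),
    ("https inspection (error code: 2)", "internal_error_2"),
]
# Assumed subnets; replace with the site's real Wi-Fi and wired ranges.
NETWORKS = {"wifi": "10.20.0.0/16", "wired": "10.10.0.0/16"}
# Constructed sample; the time,src,message layout is an assumption.
SAMPLE = """time,src,message
2024-05-06T09:01:12,10.20.4.17,Internal system error in HTTPS Inspection due to categorization service timeout
2024-05-06T09:03:40,10.20.4.22,Internal system error in HTTPS Inspection due to categorization service timeout
2024-05-06T09:15:02,10.20.7.9,The probe detected that this destination cannot be inspected and its identity cannot be verified due to a TLS alert (TLS alert: protocol_version)
2024-05-06T11:30:55,10.10.1.5,The probe was unable to establish a TCP connection to the destination
2024-05-06T11:31:10,10.20.4.17,Internal system error in HTTPS Inspection (Error Code: 2)
2024-05-06T11:32:00,10.10.1.8,Accept
"""

def classify(message):
    """Return the bucket for a known error text, or None for other log lines."""
    low = message.lower()
    return next((b for needle, b in PATTERNS if needle in low), None)

def network_of(ip, networks):
    addr = ipaddress.ip_address(ip)
    for name, cidr in networks.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "other"

def summarize(csv_text, networks=NETWORKS):
    """Count each error bucket per source network and per hour."""
    by_net, by_hour = defaultdict(Counter), defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = classify(row["message"])
        if bucket:
            by_net[network_of(row["src"], networks)][bucket] += 1
            by_hour[row["time"][:13]][bucket] += 1  # key is YYYY-MM-DDTHH
    return by_net, by_hour

if __name__ == "__main__":
    nets, hours = summarize(SAMPLE)
    for label, table in (("network", nets), ("hour", hours)):
        for key in sorted(table):
            print(label, key, dict(table[key]))
```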
Chris_Atkinson
MVP Platinum CHKP

Out of interest, are you already bypassing sites known to have issues with TLS inspection using the relevant updatable objects?

CCSM R77/R80/ELITE
0 Kudos
Arturxr
Explorer

But what's strange is that the problem only concerns Wi-Fi networks; no other problems have been detected yet.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Are we talking about BYOD vs Corp Wi-Fi clients or both?

CCSM R77/R80/ELITE
0 Kudos
Arturxr
Explorer


We have a bypass rule to the "internet" object, which contains all external subnet ranges.

0 Kudos
the_rock
MVP Platinum

Here is something I would test: disable QUIC in the policy, and if there is still no progress, disable it in the browser itself. For example, for Chrome, go to chrome://flags/, then search for QUIC and disable it. Restart the browser and test.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

Example from my lab, @Arturxr 

Screenshot_3.png

Screenshot_4.png

  

 

 

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold

The "Hold" mode causes this. I most often see this behavior when somebody enables URL filtering on an internal firewall which isn't allowed to talk out to the Internet. Suddenly all kinds of traffic have six seconds of latency per pass added to opening the connection (e.g., let's say clients go through the firewall to hit a load balancer, then the load balancer goes through the firewall again to get to the servers; that's two passes, so 12 seconds of latency).

Switching to Background provides immediate relief. Ultimately, you need to figure out why the firewall sometimes can't reach the categorization service.

0 Kudos
the_rock
MVP Platinum

I always found block and background options work the best.

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Do you have any rules in your HTTPS inspection policy with 'Any' or non-HTTP based services?

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Platinum

Definitely a good point, Chris. I saw that be an issue before.

Best,
Andy
0 Kudos
Arturxr
Explorer

We have a couple of rules from hosts to specific resources with "any" in services. Could this also affect traffic that doesn't fall under this rule?

0 Kudos
the_rock
MVP Platinum

100% it could.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

One thing you can also test is adding the website(s) with the issue to a bypass rule to see if it helps.

Best,
Andy
0 Kudos
