This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-11-08 11:14 AM

Traffic blocked by TP

Hello,

I currently have HTTPS Inspection || AntiBot || Antivirus enabled, on my ClusterXL HA.

The problem is that my local network cannot reach a URL that is on the Internet.

What I see in the logs is that the traffic to the URL is "activating" the AntiBot blade.

In the Cluster object in the SmartConsole, the Antibot&Antivirus section is set to "Detect Only" mode, but there is a rule in TP where the associated profile is the "Optimized" profile.

TP3.pngTP2.pngTP1.png

So, can the Cluster block the traffic ignoring the "Detect Only", and take more "priority" to the rule defined in the TP?

I share a log where you can see better the traffic that I expose.

Thanks

Preview file
3 KB
0 Kudos
6 Replies
Lloyd_Braun
Collaborator
‎2023-11-08 02:08 PM

That attached log shows 'detect' action and a bunch of bytes tx and rx.  Maybe the site is not compatible/getting broken by HTTPS inspection and it is not the threat policy directly dropping it?  Could try to make a lower level exception/bypass of the threat policy, based on destination IP, to see if the site works solely with HTTPS inspection enabled.

0 Kudos
Matlu
Advisor
‎2023-11-09 05:01 AM
In response to Lloyd_Braun

Hello,

Your recommendation is to make an exception policy in the TP section?

Or is it to make a Bypass in the HTTPS Inspection section?

Could you give me an example, please?

Regards

0 Kudos
Lloyd_Braun
Collaborator
‎2023-11-09 05:53 AM
In response to Matlu

I was thinking a TP exception based on destination IP address, then if it is still broken, it would appear to be HTTPS inspection causing the issue.  You could also do HTTPS inspection bypass based on destination IP- I would assume that would fix it, but that also would blind the TP blade so you wouldn't know 100% if it was TP or HTTPSi that was breaking it. 

0 Kudos
Matlu
Advisor
‎2023-11-09 05:59 AM
In response to Lloyd_Braun

I have the impression, that it is the blade of the Antibot.

I am not sure.

The Cluster object, in the "Antibot/Antivirus" section is set to DETECT ONLY, but other than that, we have an explicit rule in the TP section, and I'm not sure, if the CLUSTER, omits its global setting in the object and gives more importance to what is "explicitly" defined by rules.

The explicit TP rule has an OPTIMIZED profile, and that profile, as I see, has several "PREVENT" enabled.

Maybe this could be the root-cause of the problem.

I am not sure about this behavior.

0 Kudos
_Val_
Admin
Admin
‎2023-11-09 06:09 AM

In your policy, detect is set for low confidence protections only. Why do you think that Anti-Bot is on detect only fully? Does not seem to be the case, if looking on the screenshot above. The log shows "High" confidence level, and it is set to Prevent

0 Kudos
the_rock
Legend
Legend
‎2023-11-09 06:36 AM

I would say making an exception is your best bet.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events