If you are not using HTTPS inspection you should atleast do the light version of it.

Is this enabled? In Application & Url Filtering Settings under Url Filtering -> Categorize HTTPS websites.

Hello @Lesley ,

Yes, it is configured as you mentioned, but even then, the behavior's the same. I can block YouTube as per corporate policy, but not porn sites.

So to make summary,

websites get's blocked in all browsers but not in Chrome? Is it only this website that does not get blocked in Chrome or also others?

What version and jumbo take? 

Its somewhat a hit or miss on the browsers, but to summarize:

• I can't block pornography via category 
• I can block specific pornographic URLs via custom application/site
• I confirmed that Application blocking works as we blocked Youtube as an application
• I can confirm that I can reliably block pornographic websites through my custom application/site on Mozilla Firefox, but not on Google Chrome and Microsoft Edge

The target that we want to achieve is to successfully block categories via the blade, and not rely on custom applications/sites.

The internal Firewall is running on: R81.10 take 335 

Please see the cpinfo -y all result

Hello Lesley,

This is noted, I'll update you once the JHF is installed.

For the chrome to run without HTTP2, I need to read it first.

You might be running into sk182318.

You don't have any hotfixes installed and the solution for this behaviour on Chrome/edge is located in Take 150.

Hello @Alex- ,

I'm currently downloading JHF T-156 manually, as I just realized that my internal firewall doesn't have internet access.

I'll upload it and wait for the maintenance window to push the JHF installation.

Your firewall must have internet access for URL Filtering to work reliably, as URLs seen are checked in real time via the resource advisor to match against categories. 

But how was it that application control works as intended? I can reliably block Youtube and Dropbox. Either way I'll try to resolve the internet connectivity issue for this, as the behavior is unusual as well. LAN users, which runs on the same IP segment as my internal firewall, has internet connection, but not my firewall.

Application Control works off the database that the gateway has downloaded. It presumably has one from before the re-architecture that's still working ok, but it is likely not getting updates. 

I just confirmed that my blade is updating as intended: 

Those updates are the management server only, the gateways fetch their own updates. If they are struggling they should throw an error that you can see in the Gateways and Servers view, per gateway.

It is confirmed that the gateway attempt failed:

I know this is not related to the main thread, but I want to ask as I'm troubleshooting the connectivity issue for my internal firewall. I'm currently pinging via clish, and while doing fw ctl zdebug + drop on my external firewall, I can't see anything.

When checking the logs through SmartConsole, I see them as allowed but through the implied rule.

I just want to know, I have the hunch that this is the cause, and would want to know if there's a way to make it not go through the rule so that a firewall rule will accommodate the traffic? 

Whether it's an implied rule or an explicit rule, the traffic is being accepted through the policy. If you're not seeing anything in the zdebug + drop then it's not being dropped - go simpler, can you see it in a tcpdump on the external gateway? On both the internal side and the external side of it? Is the external gateway hideNATing the connections?

This thread provides the missing detail.

Internal Firewall Has No Internet Connection, But ... - Check Point CheckMates

Do you see UDP/443 or Quic traffic in your logs?

Hello @Chris_Atkinson ,

Yes there are quic traffic present in the logs and its being blocked by a policy.