This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VooDooChris
Contributor
‎2020-12-31 01:41 AM

URL Filtering Troubleshooting Help

Hi,

We’re currently looking to set up a set of rules that allow a server to access a very specific set of URL’s. Web Application and Web category filtering aren’t an option as they’re too broad a control and neither is just using a security blade rule as the URL’s are cloud hosted and so the underlying IP addresses are likely to be fluid.

By (simplified) example, we want to limit the server to be able to access a.site.com & b.site.com but not c.site.com, etc. We’ve set up a Security blade rule for the server to allow https out to “all” and have set up an Application blade URL filtering rule to allow the server access to a.site.com & b.site.com. Directly underneath that in the ruleset we’ve set up a block “all” rule for the server which I believe should result in the desired control.

The problem is that some of the traffic we expect to get through the allow rule get's blocked by the block rule and when we look at the firewall log entry for the blocked traffic there appears to be no rational given for the block e.g. it would be great to see something like “Blocked due to requested URL = c.site.com” or “Blocked due to cert CN = z.site.com” . We can see from examination of the server’s DNS client logs that sometime when the traffic is blocked it’s because the server is sometimes being redirected to other URL’s, but it would be good to understand the exact reason why the firewall has blocked the traffic and not have to deduce it from other sources of evidence. We’ve tried setting up extended logging on the rules but this hasn’t given us any more detailed information.

So, my question is, does anyone know if it’s possible to see more detailed information for traffic blocked by the application blade?

Thanks

Chris

0 Kudos
30 Replies
Kandler
Explorer
‎2021-01-21 08:00 AM

Hi VooDooChris,

 

i also had such failures with several R80.x releases, each had small different beheaviours in URL Filtering. I think the Object "Internet" has got litte changes during the releases, which can lead to failures after upgrades.

For example in R80.30 (we are using HTTPS Inspection, this may could lead to different results):

Source: Office destination: Any Application: Own Application with FQDN + SSLv3/HTTPS

-> Was allowing only access to destinations in my Own Application, no other Internet Access with sslv3/https

 

With r81:

With Destination Any -> SSLv3/HTTPS was allowing more Internet Access than expected and contained in my own Application

With Destination Internet -> Only my own application was allowed

Without sslv3/https -> Traffic was not detected as own application and got blocked because https/sslv3

 

Some other thoughts on this topic, but may not relevant for your issue.

When using an Proxy, it may be necessary to add the Proxy IP in addition to "Internet" as destination.

When using non standard Webports, they could be also missing in Application Control.

 

best regards,

Sebastian

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events