This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GigaYang
Collaborator
‎2023-09-10 09:27 PM

URLF Reject

There are many computers in our company that connect to 185.199.110.153, and some of them are blocked by the URLF Blade of the firewall. Some allow connections directly through Firewall Blade.

After checking the IP, in addition to GitHub, many other websites also use this IP. This IP is classified as a malicious website by Check Point, but it is directly connected to 185.199.110.153 through Chrome. What appears is the GitHub web page, and there is no record of Firewall blocking it.

From the URLF's Reject Log, we cannot confirm the actual reason why the connection was blocked. Could you please give me some guidance on how to explain this situation?

 

0911-01.png
Preview file
130 KB
0911-02.png
Preview file
66 KB
0 Kudos
9 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-09-10 10:40 PM

Most likely reputation related, based on something that may have been hosted on "GitHub Pages"

Did you attempt to request recategorization for any legitimate sites impacted?

CCSM R77/R80/ELITE
0 Kudos
GigaYang
Collaborator
‎2023-09-11 12:32 AM
In response to Chris_Atkinson

Github Pages contains both normal and malicious websites.

From the Log screen provided previously, it appears that the user was blocked while connecting directly to 185.199.110.153. But when I directly connected to the IP through Chrome, the firewall did not block it. Since Check Point identified the IP as a malicious website, and we have indeed blocked it in the URLF Policy, no one should be able to connect.

I think ask Check Point to change the website category. It may lead users to accidentally connect to malicious websites on Github Pages.

0911-03.jpg
Preview file
43 KB
0911-04.png
Preview file
11 KB
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-09-11 12:37 AM
In response to GigaYang

Is QUIC traffic blocked or is Chrome leveraging it here?

 

CCSM R77/R80/ELITE
0 Kudos
GigaYang
Collaborator
‎2023-09-11 02:06 AM
In response to Chris_Atkinson

Hi Chris,

There appears to be no QUIC protocol traffic connected to this IP.

0911-05.png
Preview file
14 KB
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-09-11 03:49 AM
In response to GigaYang

That won't be conclusive depending on the Chrome settings used.

When you visit the site do you see the traffic/connection from your source IP?

CCSM R77/R80/ELITE
0 Kudos
GigaYang
Collaborator
‎2023-09-11 03:56 AM
In response to Chris_Atkinson

The connection is allowed by both Firewall and URLF. And we can't see any distinguishing information from the URLF's reject log.

0 Kudos
GigaYang
Collaborator
‎2023-09-11 04:01 AM
In response to GigaYang

We also tested through Edge browser. The result is the same. 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-09-11 04:21 AM
In response to GigaYang

Noted. If you're not seeing rulebase matches as you would expect please open a case with support to review this.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2023-09-11 05:02 AM
In response to GigaYang

I would investigate this further with TAC.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top