Matlu
Advisor

URLF, does not block

Hello, community.

I have URLF and APPC blades active in my FW CP.

The detail is that certain traffic is not blocked, when in fact it should be blocked, according to the explicit rule created in the FW.

For example, the domains thisisgore.com and bestgore.fun are inside an "Application/Site" added in the URL List part, as independent entries; here is the example:

*.bestgore.fun
bestgore.fun
thisisgore.com
*.thisisgore.com

The detail is that my rule says that when the segment x.x.132.0/24 tries to reach that destination, it must be "blocked", but really it is not blocked, because the segment can reach those resources.

Below it I have an almost free rule that allows that same segment to reach the Internet in general, but this should not happen.

I don't have HTTPS Inspection enabled in FW, and I have a rule at the top of my rule base, where I block QUIC for all my private segments.

Is there any way to debug for web traffic?
Is it necessary to enable HTTPS Inspection when working with URLF and APPC?

Thanks for your comments.

0 Kudos
12 Replies
PhoneBoy
Admin

It's not strictly necessary, but it is becoming increasingly more difficult to see where HTTPS traffic is going without using HTTPS Inspection.

What version/JHF are we talking about here?
Using Extended logging on the relevant rules is a good starting point for debugging, which will help determine how the gateway "sees" the traffic.

0 Kudos
Matlu
Advisor

I have the R82 version with JHF Take 19.

Is it normal that when you put the domain "thisisgore.com" in the log browser nothing appears in the logs, but if I search by the IP that the domain resolves to, I do find traffic related to that IP?

Is this because of a bad definition in the FW rule with the URL Filtering profile?

Thanks for your comments.

0 Kudos
PhoneBoy
Admin

Not every field in the logs is indexed (meaning, you cannot find it by search), so that may be expected.
Seeing the actual rules used to "allow" the traffic and the actual log entries generated (full log cards) will help.

0 Kudos
Chris_Atkinson
Employee

What level of logging is set in the Track field for the matching rule: Detailed or Extended?

sk120536: Application Control or URL Filtering does not produce logs in Logs & Monitor view 

CCSM R77/R80/ELITE
the_rock
Legend

Great point Chris, extended logging definitely helps.

Andy

0 Kudos
Matlu
Advisor

Currently I have the logs related to URL in Detailed mode.

If I put it in ‘Extended’ mode, can it stay this way permanently? Or is there any risk of high resource consumption?

Thanks

0 Kudos
PhoneBoy
Admin

The option to log something Detailed/Extended is just like any option in a rule: it'll stay configured that way until you change it.
Extended logging only makes sense if the traffic is subject to HTTPS Inspection, which is the only way to see the full URL.
Otherwise, thinking about it, not sure Extended logging makes any sense here.

However, there are some improvements to HTTPS Inspection logging (relevant here, even if you're not actually using it) in later JHFs that might be worth considering.

0 Kudos
the_rock
Legend

You don't have to enable SSL inspection, but without it, you might be limited as far as the things you can do with URL filtering.

Andy

0 Kudos
Lesley
Authority

Is the Categorized HTTPS Sites option enabled in SmartConsole?

This is the bare minimum that should be enabled.

https://support.checkpoint.com/results/sk/sk182318

-------
If you like this post please give a thumbs up (kudo)! 🙂
0 Kudos
Matlu
Advisor

Hello

Is it necessary to enable this option?

I have made an additional block, where I focus on blocking the category to which the domain thisisgore.com belongs (Tasteless, Low Risk), but the traffic is still allowed and should not be so.

I have one rule explicitly blocking the domain, and the other new rule blocking the category, but the traffic does not match these rules and goes to my most permissive rule, which is almost at the end of my rule base.

We don't have control over all users so enabling HTTPS Inspection is not a viable option now.

Thanks for the feedback

0 Kudos
the_rock
Legend

Hey bro,

It might help, but again, without ssl inspection, you will not get all the benefits.

Andy

0 Kudos
Lesley
Authority

Yes, you either pick full HTTPS Inspection OR the Categorized HTTPS Sites option.

Or you enable both.

Start by enabling the Categorized HTTPS Sites option; no changes are needed on users for this. It checks the certificate without full decryption.

-------
If you like this post please give a thumbs up (kudo)! 🙂
0 Kudos
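The fall-through described in this thread, as an added illustrative model (not Check Point code, and a deliberate simplification of the real rule-matching engine; the 10.0.132.0/24 segment, IPs and hostnames are constructed placeholders): a URL-list or category rule can only match once the gateway has a hostname for the connection (the HTTP Host header, the certificate CN via Categorized HTTPS Sites, or a decrypted session). With neither option, an HTTPS connection is only an IP to the gateway, so it skips the explicit block rules and lands on the permissive rule at the bottom.

```python
import fnmatch
import ipaddress

# Constructed example data (placeholders, not values from a real gateway).
SEGMENT = ipaddress.ip_network("10.0.132.0/24")  # stands in for x.x.132.0/24
URL_LIST = ["*.bestgore.fun", "bestgore.fun", "thisisgore.com", "*.thisisgore.com"]
CATEGORY_OF = {"thisisgore.com": "Tasteless", "bestgore.fun": "Tasteless",
               "gore.example": "Tasteless"}  # gore.example: category hit, not in URL list

def host_in_url_list(host):
    """Glob match ('*' entries) against the Application/Site URL list."""
    return any(fnmatch.fnmatchcase(host, entry) for entry in URL_LIST)

def visible_host(conn, categorized_https=False):
    """Hostname the gateway can see for this connection, or None.
    Plain HTTP: the Host header. HTTPS: only with Categorized HTTPS Sites
    (certificate CN) or full HTTPS Inspection; otherwise only the IP is known."""
    if conn["proto"] == "http":
        return conn["host"]
    if conn["proto"] == "https" and (categorized_https or conn.get("inspected")):
        return conn["host"]
    return None

# Ordered like the rule base in the thread: first match wins, top to bottom.
RULES = [
    ("Block QUIC", lambda c, h: c["proto"] == "quic", "Drop"),
    ("Block gore domains", lambda c, h: h is not None and host_in_url_list(h), "Drop"),
    ("Block Tasteless category", lambda c, h: CATEGORY_OF.get(h) == "Tasteless", "Drop"),
    ("Allow segment to Internet", lambda c, h: ipaddress.ip_address(c["src"]) in SEGMENT, "Accept"),
]

def match_rule(conn, categorized_https=False):
    """Return (rule name, action) for the first rule the connection matches."""
    host = visible_host(conn, categorized_https)
    for name, pred, action in RULES:
        if pred(conn, host):
            return name, action
    return "Cleanup", "Drop"

if __name__ == "__main__":
    c = {"src": "10.0.132.25", "dst": "203.0.113.10", "host": "thisisgore.com", "proto": "https"}
    print(match_rule(c))                          # no hostname visible: allow rule
    print(match_rule(c, categorized_https=True))  # CN visible: explicit block rule
```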