B_P
Advisor

Uncategorized URL Allowed By CheckPoint???

Can someone tell me why the transfercarenacka.com URL / domain was allowed when we did not allow the "Uncategorized" category? We allow the "Computers / Internet" category which contabo.net matches, but you can see that transfercarenacka.com is uncategorized by URL filtering in the screenshot below. So why would it be allowed? Under Matched Rules, it shows that it matched our whitelist rule which does NOT include the "Uncategorized" category.

[Screenshot: CheckPoint URL Filtering - Uncategorized Allowed.png]

0 Kudos
5 Replies
PhoneBoy
Admin

What is the precise rule allowing this traffic?
Also what is the version/JHF level of the gateway?
It may be the CN of the site certificate is allowed but you are not using a version that supports SNI verification.

0 Kudos
B_P
Advisor


@PhoneBoy wrote:

What is the precise rule allowing this traffic?


The Source is a bunch of different networks, the Destination is the "Internet" and the Services & Application is a group containing various URL Categories.


@PhoneBoy wrote:

Also what is the version/JHF level of the gateway?


R80.40 JHF 118


@PhoneBoy wrote:

It may be the CN of the site certificate is allowed but you are not using a version that supports SNI verification.


The gateway already identified the website as an Uncategorized URL (as you can see in the picture above). Are you suggesting that the Firewall will ignore its own categorization?

BTW, we got the desired behavior by adding another rule directly above the original rule (as described above), but made the Services & Application be Uncategorized and Action set to Drop. That absolutely should not have been necessary. The gateway was otherwise allowing stuff it should not have been. How can this be?

0 Kudos
PhoneBoy
Admin

If your requirement is to drop web traffic to uncategorized sites, you may need an explicit rule to drop it.
The reason why is that for Application Control/URL Filtering to work, traffic has to be permitted to pass from the specified source/destination/service ports.
Only after some traffic has passed can traffic be properly classified, matched to the relevant rule, and the appropriate action applied.

Note that identification is a continual process.
A given flow can initially be allowed because it looks like an allowed application.
Once it looks like an explicitly unallowed application, the flow will be dropped.

If the connection terminates before an identification can occur, then the traffic will ultimately be allowed.
That could be what's happening here, but I'd need to see the full log card, and/or do some additional troubleshooting that would likely be better done by the TAC versus in a public forum.

Regardless, you're better off always including an explicit rule to drop uncategorized sites if that is part of your requirements.
It generally doesn't take more than a few kilobytes of traffic to identify these connections.

B_P
Advisor


@PhoneBoy wrote:

Only after some traffic has passed can traffic be properly classified, matched to the relevant rule, and the appropriate action applied.

A given flow can initially be allowed because it looks like an allowed application.
Once it looks like an explicitly unallowed application, the flow will be dropped.


I'm aware of that, but if you sit there hitting refresh a bunch of times and other computers access the website as well, the firewall should know the site should be blocked, no? I've seen in the past where a website may load the first time, but subsequent hits will not, which I would be OK with. But in this scenario, it just continually allowed it.


@PhoneBoy wrote:

Regardless, you're better off always including an explicit rule to drop uncategorized sites if that is part of your requirements.


If you do not allow something, it should not be allowed. If the firewall is allowing stuff it should not be, that is kind of a problem, no?

0 Kudos
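A defender-side check that follows from the two points above (PhoneBoy's explanation that a connection ending before classification is allowed, and B_P's observation that repeated hits kept being allowed) is to audit the log export for Accept records whose logged category is outside the matched rule's category set, and then separate destinations where every hit was tiny (early termination is plausible) from destinations where hits carried enough traffic to be classified (a real policy gap to escalate). This is an added example, not code from the thread or from Check Point. The key="value" log format, the field names (action, rule_name, dst, category, bytes), the rule-to-category map and the 2048-byte threshold are all assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified key="value" format. The field
# names (time, action, rule_name, dst, category, bytes) are assumptions for
# this example, not Check Point's real log schema.
SAMPLE_LOGS = """\
time="2022-03-01T10:00:01" action="Accept" rule_name="Whitelist" dst="transfercarenacka.com" category="Uncategorized" bytes="512"
time="2022-03-01T10:00:05" action="Accept" rule_name="Whitelist" dst="transfercarenacka.com" category="Uncategorized" bytes="18300"
time="2022-03-01T10:00:09" action="Accept" rule_name="Whitelist" dst="transfercarenacka.com" category="Uncategorized" bytes="17950"
time="2022-03-01T10:01:00" action="Accept" rule_name="Whitelist" dst="contabo.net" category="Computers / Internet" bytes="40210"
time="2022-03-01T10:02:00" action="Drop" rule_name="Block Uncategorized" dst="unknown.example" category="Uncategorized" bytes="0"
"""

# Assumed policy: the URL categories each category-based Accept rule is allowed to match.
RULE_CATEGORIES = {
    "Whitelist": {"Computers / Internet", "Search Engines / Portals"},
}

# Assumed threshold: an accepted connection that carried fewer bytes than this
# may have ended before URL Filtering could classify it.
EARLY_TERMINATION_BYTES = 2048

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_logs(text):
    """Turn key="value" lines into a list of dicts, skipping blank lines."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def audit(records, rule_categories, early_bytes=EARLY_TERMINATION_BYTES):
    """Find Accept records whose logged category is not in the matched rule's set.

    Returns {dst: {"rule": str, "hits": int, "substantial": int}} where
    "substantial" counts hits that carried at least early_bytes bytes.
    """
    findings = defaultdict(lambda: {"rule": None, "hits": 0, "substantial": 0})
    for rec in records:
        if rec.get("action") != "Accept":
            continue
        allowed = rule_categories.get(rec.get("rule_name"))
        if allowed is None or rec.get("category") in allowed:
            continue  # not a category whitelist rule, or the category was permitted
        entry = findings[rec["dst"]]
        entry["rule"] = rec["rule_name"]
        entry["hits"] += 1
        if int(rec.get("bytes", "0")) >= early_bytes:
            entry["substantial"] += 1
    return dict(findings)


def verdict(entry):
    """Separate the early-termination explanation from a real policy gap."""
    if entry["substantial"] == 0:
        return "possible early termination: no hit carried enough traffic to classify"
    return (f"policy gap: {entry['substantial']} of {entry['hits']} hits were accepted "
            f"by '{entry['rule']}' after enough traffic to classify; escalate")


if __name__ == "__main__":
    for dst, entry in audit(parse_logs(SAMPLE_LOGS), RULE_CATEGORIES).items():
        print(dst, "->", verdict(entry))
```

Run against the constructed sample, the only flagged destination is transfercarenacka.com, with two of three accepted hits above the threshold, which is the "repeated hits with real traffic" pattern that early termination alone does not explain and that is worth taking to the TAC with the full log cards.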
PhoneBoy
Admin

Like I said, it may be that the traffic initially looks like something your rules allow for.
This would require some additional troubleshooting and information.
I'd probably start with this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
But I really recommend bringing this through the TAC.

0 Kudos
