Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Troy_Yeske
Employee Alumnus
Employee Alumnus
Jump to solution

Understanding url filtering app control on https sites...

Trying to understand some behavior:  we have an access control rule that blocks uncategorized sites.  Below site is visited and access to it is blocked as uncategorized, it is an https site and yet is categorized as business/economy.   The destination is visible via the logs as seen below, yet eventhough the destination is recognized, URL filtering still says it is uncategorized.  I'm assuming this is because it is https and the IP address only is scrutinized but just wanted to understand why, if the destination is visible, it isn't categorized as such.

 

second.JPGfirst flag.JPG

0 Kudos
1 Solution

Accepted Solutions
Tal_Ben_Avraham
Employee
Employee

Hi Troy,

In your example below the domain you see in the log is by reverse lookup of the destination IP. It is not used for URL categorization.

For SSL traffic SNI (R80.30 and higher)/Certificate CN is used for URL categorization (in case HTTPS Categorization is enabled and SSL inspection is disabled).

We have tested this in our labs and traffic to oati.com is categorized as Buisness/Economy.

I suggest you retest it. If still an issue please open a ticket to support.

*The only scenario I can think of where we will not categorize according to SNI/CN is when certificate is invalid (or SNI is not part of certificate SAN).

Thanks,

Tal

 

View solution in original post

0 Kudos
6 Replies
Neil_ARZ
Participant
checkpoint may not categorized some encrypted HTTPS traffic ... try to tick this In Application & Url Filtering Settings under Url Filtering -> Categorize HTTPS websites. else I think you need to enable HTTPS inspection for outbound,,
0 Kudos
Troy_Yeske
Employee Alumnus
Employee Alumnus

Thanks, I do have the categorize https sites check box enabled.  Just wondering why the destination URL is identified in the logs, the site is categorized by CHKPT, yet it is still marked 'uncategorized'.

0 Kudos
Neil_ARZ
Participant

For me the last resort would be activating HTTPS inspection for Outbound. 

HTTPS traffic was encrypted and  Checkpoint was unable to categorized the sites because of it .

If https inspection is active with URL and App blade, I am sure it will have an effect on URL categorization. . 

 

0 Kudos
PhoneBoy
Admin
Admin
Did you check that the gateway can reach the Check Point cloud?
sk83520 and/or https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/sk83520-how-to-check-connectivity...
0 Kudos
Tal_Ben_Avraham
Employee
Employee

Hi Troy,

In your example below the domain you see in the log is by reverse lookup of the destination IP. It is not used for URL categorization.

For SSL traffic SNI (R80.30 and higher)/Certificate CN is used for URL categorization (in case HTTPS Categorization is enabled and SSL inspection is disabled).

We have tested this in our labs and traffic to oati.com is categorized as Buisness/Economy.

I suggest you retest it. If still an issue please open a ticket to support.

*The only scenario I can think of where we will not categorize according to SNI/CN is when certificate is invalid (or SNI is not part of certificate SAN).

Thanks,

Tal

 

0 Kudos
Troy_Yeske
Employee Alumnus
Employee Alumnus

Note:  it was explained to me that the www.ciso.oati.com that shows up in the destination field is the result of a rdns query and we don't base categorization off that naturally, hence the 'uncategorized' categorization from URLF/App Control

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events