This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Troy_Yeske
Employee Alumnus
Employee Alumnus
‎2019-07-22 02:57 PM
Jump to solution

Understanding url filtering app control on https sites...

Trying to understand some behavior:  we have an access control rule that blocks uncategorized sites.  Below site is visited and access to it is blocked as uncategorized, it is an https site and yet is categorized as business/economy.   The destination is visible via the logs as seen below, yet eventhough the destination is recognized, URL filtering still says it is uncategorized.  I'm assuming this is because it is https and the IP address only is scrutinized but just wanted to understand why, if the destination is visible, it isn't categorized as such.

 

second.JPGfirst flag.JPG

0 Kudos
1 Solution

Accepted Solutions
Tal_Ben_Avraham
Employee
Employee
‎2019-07-24 01:02 AM
Jump to solution

Hi Troy,

In your example below the domain you see in the log is by reverse lookup of the destination IP. It is not used for URL categorization.

For SSL traffic SNI (R80.30 and higher)/Certificate CN is used for URL categorization (in case HTTPS Categorization is enabled and SSL inspection is disabled).

We have tested this in our labs and traffic to oati.com is categorized as Buisness/Economy.

I suggest you retest it. If still an issue please open a ticket to support.

*The only scenario I can think of where we will not categorize according to SNI/CN is when certificate is invalid (or SNI is not part of certificate SAN).

Thanks,

Tal

 

View solution in original post

0 Kudos
6 Replies
Neil_ARZ
Participant
‎2019-07-22 05:05 PM
Jump to solution

checkpoint may not categorized some encrypted HTTPS traffic ... try to tick this In Application & Url Filtering Settings under Url Filtering -> Categorize HTTPS websites. else I think you need to enable HTTPS inspection for outbound,,
0 Kudos
Troy_Yeske
Employee Alumnus
Employee Alumnus
‎2019-07-23 04:54 AM
In response to Neil_ARZ
Jump to solution

Thanks, I do have the categorize https sites check box enabled.  Just wondering why the destination URL is identified in the logs, the site is categorized by CHKPT, yet it is still marked 'uncategorized'.

0 Kudos
Neil_ARZ
Participant
‎2019-07-23 09:05 AM
In response to Troy_Yeske
Jump to solution

For me the last resort would be activating HTTPS inspection for Outbound. 

HTTPS traffic was encrypted and  Checkpoint was unable to categorized the sites because of it .

If https inspection is active with URL and App blade, I am sure it will have an effect on URL categorization. . 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-23 04:22 PM
Jump to solution

Did you check that the gateway can reach the Check Point cloud?
sk83520 and/or https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/sk83520-how-to-check-connectivity...
0 Kudos
Tal_Ben_Avraham
Employee
Employee
‎2019-07-24 01:02 AM
Jump to solution

Hi Troy,

In your example below the domain you see in the log is by reverse lookup of the destination IP. It is not used for URL categorization.

For SSL traffic SNI (R80.30 and higher)/Certificate CN is used for URL categorization (in case HTTPS Categorization is enabled and SSL inspection is disabled).

We have tested this in our labs and traffic to oati.com is categorized as Buisness/Economy.

I suggest you retest it. If still an issue please open a ticket to support.

*The only scenario I can think of where we will not categorize according to SNI/CN is when certificate is invalid (or SNI is not part of certificate SAN).

Thanks,

Tal

 

0 Kudos
Troy_Yeske
Employee Alumnus
Employee Alumnus
‎2019-07-25 07:12 AM
In response to Tal_Ben_Avraham
Jump to solution

Note:  it was explained to me that the www.ciso.oati.com that shows up in the destination field is the result of a rdns query and we don't base categorization off that naturally, hence the 'uncategorized' categorization from URLF/App Control

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events