This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2024-01-01 06:47 AM

Usercheck acting weird

Hi

On my lab I am trying to use usercheck alongside with HTTPS inspection:

 

1.PNG

Rule 11.2

When trying to connect to Cnn.com a notification comes up and everything is fine and work as expected.

When try to connect to Youtube or facebook i get "this site can't be reached"

when checking the logs i see that youtube and facebook are rejected for a reason that i don't know:

2.PNG

I don't know why rule 11.2 is rejecting youtube and facebook when the action is inform and cnn is working!

this is how HTTPS inspection is configured:

4.PNG

0 Kudos
6 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2024-01-01 07:10 AM

Your browser (probably Chrome) has pinned HTTPS certificates for popular sites such as facebook and definitely youtube which is a google-owed site.  In these cases the browser itself will block the display of the UserCheck as a man-in-the-middle attack, which it most certainly is.  Try a few different browsers.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-01-01 07:23 AM
In response to Timothy_Hall

What is the purpose of Userchek then, if Chrome (which is the most used browser) will block it?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-01-01 01:57 PM
In response to Moudar

Chrome will only block UserChecks for sites whose certificates are pinned in the browser, which will always include google-owned sites (youtube, google.com, etc) and key major sites like fakebook.  Chrome is sensing what it perceives to be a man in the middle attack and blocking it, and there is no way to disable this that I know of.

The purpose of UserChecks is attempting to notify the user that their connection was blocked (it is not a connectivity/DNS problem), and provide a reference number they can use when trying to find the specific block event in the logs.  However there are a variety of technical situations where a UserCheck cannot be sent to the user, or it is sent but the user cannot see it.  You have run into one of those situations.  Another example: any blocks/drops by the IPS blade will never send a UserCheck as IPS does not support that feature at all.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-01-01 02:33 PM
In response to Moudar

Make sure user check is enabled for all interfaces under gateway object properties (portal -> user check) and test. if same issue, try maybe resetting Chroms browser and see if same happens.

Happy New Year.

Best,

Andy

Best,
Andy
0 Kudos
Marcel_Gramalla
Advisor
‎2024-01-02 02:19 AM

The issue in your policy is that Facebook and YouTube is not HTTPS inspected but bypassed as shown in your screenshot. This is because you use the "HTTPS services - bypass" object where Facebook is included (and bypassed). You can find all domains etc. in this SK HTTPS Inspection bypass list object (checkpoint.com)

And if your gateway doesn't inspect the traffic it can't display the UserCheck page and simply rejects the connection which is to be expected.

the_rock
MVP Platinum
MVP Platinum
‎2024-01-02 05:52 AM
In response to Marcel_Gramalla

Thats an excellent point, did not see that from the screenshots the first time.

Best,

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events