This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lloyd_Braun
Collaborator
‎2024-01-23 10:33 AM

brief URLF database issue earlier today? lots of 'Inactive Sites' categorizations

Is anyone else seeing a lot of 'Inactive Sites' categorizations today?  Looking up the site on the Check Point URL lookup, and the site seems to be categorized correctly.

 

I can hit the site from one of our edge clusters, but not the other, it appears to be cached as 'Inactive Sites' there. 

 

I have seen this with several websites today, like the URLF database was temporarily returning an 'Inactive Sites' categorization for a brief time, and stuck it in the cache on the gateway. Log history shows these sites categorized correctly through the gateways in the last few days.

0 Kudos
10 Replies
the_rock
Legend
Legend
‎2024-01-23 11:12 AM

I have R81.20 https inspection lab, had not seen this issue today and I tested bunch of sites.

Best,

Andy

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-01-23 12:30 PM

No issues here. And what do you mean stuck in cache? You tried to clear it? I think the most common way is to force an update to the gateways. After the incorrect category is changed in the cloud of course. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Lloyd_Braun
Collaborator
‎2024-01-23 12:56 PM
In response to Lesley

I don't want to make that dbedit change to force the cache to clear upon every policy installation.  Though I am considering it. Would be much better if we could just 'fw tab -x' a cache table to clear it, but that does not appear to be possible anymore.

A few sites that displayed this behavior today, seemed to be categorized as Inactive between 8am-12:45 eastern time:

bellmasonjars.com
trabble.com
viewcitation.com
govplus.com

I have checked history on some other sites and they were categorized correctly a few days to a week ago, then were 'Inactive' for a period of time today.

Maybe a one off, or I will have to dig in with support if the behavior continues.

 

Thanks!

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-01-23 01:38 PM
In response to Lloyd_Braun

Normal procedure would be:

whitelist false-positive -> https://support.checkpoint.com/results/sk/sk98489

report to Check Point -> same SK

wait to be fixed and check if it is https://urlcat.checkpoint.com/urlcat/

force update on gateways (cache clear not needed) or wait for next update interval (is set in Smartconsole). 

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
‎2024-01-23 01:43 PM
In response to Lesley

Thats excellent advice @Lesley 

0 Kudos
Lloyd_Braun
Collaborator
‎2024-01-23 02:15 PM
In response to Lesley

These were already classified correctly by Check Point by the time the service ticket was received, which is why I posted this, seemed like unusual behavior. At that point the datacenter that never saw the request classifies the site properly, while it is stuck in cache at the datacenter that the initial request traversed.

 

What do you mean by 'force update on gateways' ?   Are you saying reloading local database files (#rad_admin urlf update $FWDIR/appi/update/urlf_db.bin)  will clear the URLF cache so the categorization override steps are unnecessary?



0 Kudos
the_rock
Legend
Legend
‎2024-01-23 02:41 PM
In response to Lloyd_Braun

I think what @Lesley meant was to update the urlf database manually from smart console.

Andy

0 Kudos
Lloyd_Braun
Collaborator
‎2024-01-24 05:38 AM
In response to the_rock

I have a 'Management Update' button that will immediately udpate management but the Security Gateway Updates are scheduled for every 2 hours, no way to force them from r81.20 smartconsole that I'm seeing.

0 Kudos
the_rock
Legend
Legend
‎2024-01-24 05:43 AM
In response to Lloyd_Braun

Just click exactly that

Andy

Screenshot_1.png

0 Kudos
the_rock
Legend
Legend
‎2024-01-24 05:49 AM
In response to Lloyd_Braun

This is from my Azure lab, when I click on that option

Andy

 

Screenshot_2.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top