Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
yannick_scorza
Explorer

url filtering categorization problem

Hello,

I'm in R81.10

currently I have a rule in source "any" and destination "any" which matches url-category "spyware/malware" , action "drop" and extended log.

below this rule I have another old rule that matches manually entered domains, source "any", destination: object group with many domains objets inside,  action "drop" and extended logs

The objective of the creation of the first rule is to delete the rule below and its 300 objects and only rely on the URL categories for drop.

the problem is that I see that some domains are detected by the second rule and not by the first. when I check one of these domains on https://urlcat.checkpoint.com/urlcat/main.htm I note that the domain is considered as spyware and should therefore be detected by the first rule.

However, the first rule works. some other domains considered spyware are well detected, a session log is present and defines the risk and the category.

I specify that I have defined the url category mentioned above in "any protocol" in general parameters of the category

 

exemple for domain "backupsec.com" : 

it is considered as Spyware / Malicious Sites, General and High Risk on Checkpoint website but it still goes through the second rule because it exists as a "domain" object.

the connection log of the second rule indicates the destination ip and at the very bottom of the log detail it is indicated that this refers to the domain backupsec.com

Since the firewall detects the domain and makes the ip relation, I do not understand why, given that this domain is considered as spyware it is not detected by the first rule.

thanks for your help

 

0 Kudos
2 Replies
_Val_
Admin
Admin

Do you have HTTPS Inspection enabled? If not, TLS connections will not be categorized.

0 Kudos
yannick_scorza
Explorer

Hi,

i don't have HTTPS Inspection enabled but HTTPS Categorization it is.

I think i solved the problem.

in reality the user tries to join a website other than "backupsec.com", however he has the same ip because he is hosted on a cluster which shares his ip for several websites. As the "backupsec.com" domain is registered as an object in the console, a DNS resolution is made by the firewall and it gives as result the domain that matches the ip encountered. This makes it a false positive.
To summarize, the user has never tried to join "backupsec.com" but the firewall matches the connection because the ip is identical because it is shared.

at least that's what I deduce after analysis

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events