AB136785
Explorer

Inconsistent URL filtering

Firewall: 1900/2000 Appliance running version R81.10 with Application Control and URL Filtering enabled, as well as HTTPS inspection. Obligatory heads-up: I am not an expert (or even intermediate) when it comes to networking and Check Point.

Hi there checkmates,

We're trying to configure a firewall for a highly-regulated, mostly closed environment (meaning only specific software and addresses may be accessed from the internal network). To this end, we try to regulate access mostly based on custom applications/sites and built-in updatable objects. However, we've found something that seems quite inconsistent: the exact same URL is both allowed and blocked in two separate instances.

We are allowing traffic to the source 'api\.github\.com/repos/hashicorp/packer-plugin-vsphere/git/matching-refs/tags.*' (defined as a regex), but this is what we observed below:

checkpoint_weird_filtering.png

Both these instances happen near-simultaneously. The rules were not changed in that short time (we've checked). We did see that the two instances went to different hosts (140.82.121.3 and .6 respectively), but all hosts are allowed in this rule as long as the URL matches, so this should not make a difference. Furthermore, in the Policy menu it shows both as blocked by the cleanup rule, even though one is still allowed. Does anyone here have an inkling as to what is going on here?

0 Kudos
4 Replies
Lesley
MVP Gold

The Details tab of both screenshots would be good to have to get a better understanding.

My guess is, first some data needs to pass / be allowed before the firewall can make the good policy decision.

Could also be that the website has not yet been categorized and therefore is not present in the cache of the gateway. There are 2 settings, hold and background. Default is background, and hold is more strict. It will hold the connection until the gateway gets the message from the cloud about what category the URL is. Background means the first connections are allowed; in the meantime the gateway connects to the cloud and gets the info, and from that point it will be blocked. The data will then be added to the gateway cache.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
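
The hold and background modes described in the reply above, as an added example that is not part of the original post and is not Check Point code: a simplified Python model of a gateway categorization cache. The URL, the 0.2 s lookup latency and the names `Gateway` and `replay` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: the verdict the cloud service eventually returns.
URL = "site.example/some/path"
CLOUD_VERDICT = {URL: "Block"}


@dataclass
class Gateway:
    mode: str                 # "hold" or "background"
    latency: float = 0.2      # assumed seconds for one cloud lookup
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # url -> time the answer arrives

    def handle(self, url: str, now: float) -> str:
        # Promote a finished background lookup into the cache.
        if url in self.pending and now >= self.pending[url]:
            self.cache[url] = CLOUD_VERDICT.get(url, "Accept")
            del self.pending[url]
        if url in self.cache:
            return self.cache[url]
        # Cache miss: start a lookup unless one is already in flight.
        self.pending.setdefault(url, now + self.latency)
        if self.mode == "hold":
            # The connection waits for the answer; modelled here as the
            # verdict being known by the time handle() returns.
            self.cache[url] = CLOUD_VERDICT.get(url, "Accept")
            del self.pending[url]
            return self.cache[url]
        # Background: this connection passes while the lookup is running.
        return "Accept"


def replay(mode: str, times: list, url: str = URL) -> list:
    """Send the same URL through a fresh gateway at each timestamp."""
    gw = Gateway(mode)
    return [gw.handle(url, t) for t in times]


if __name__ == "__main__":
    for mode in ("background", "hold"):
        print(mode, replay(mode, [0.0, 0.3]))
```

In this model, background mode gives different verdicts for the same URL on either side of the lookup completing, while hold mode gives the same verdict for every request.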
the_rock
MVP Diamond

I see the answer to your question on the left screenshot. Yes, it shows accepted on the network layer, but then it shows inspect, which is on the SSL inspection policy, which would essentially block it.

Best,
Andy
0 Kudos
the_rock
MVP Diamond

Hey mate,

Were you able to sort this out?

Best,
Andy
0 Kudos
