the_rock
Legend

Anti-bot block page does not show up

Hey guys,

I hope someone can maybe shed some light on this as to what we might be missing to get this working. I had been working with a couple of my colleagues on it and we can't seem to figure it out.

Here is the environment:

R81.20 jumbo 89 mgmt server

R81.20 cluster with anti bot enabled, along with vpn, fw, monitoring, ssl inspection

another R81.20 gw, as well as SE dedicated server, all jumbo 89 (cluster as well)

Now, the SSL inspection block page works fine, no issues. We enabled the AB blade and made sure it shows the default block page as an option in the TP profile; the page we tested does NOT show up, but the block page NEVER comes up. I tested with different DNS servers, no joy. Even followed the link below, same issue.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...TPG/Configuring-Anti-Bot-Settings.htm

I see in one of the logs the sk below comes up, but not sure if that's relevant here.

https://support.checkpoint.com/results/sk/sk74060

For what it's worth, the same issue happens regardless of whether the IPS blade is enabled or not.

I attached some screenshots of the environment. Any suggestions are always welcome.

Thanks in advance.

Andy

 

the_rock
Legend

Quick update... my colleague and I even enabled the AV blade and tested with the EICAR download test link, but IE blocks the download, NOT the AV blade, so the block page does not work for that either.

I have a feeling we are missing something trivial here, just can't figure out what exactly.

Andy

the_rock
Legend

FWIW, also tested autonomous TP policy, exact same problem.

Andy

PhoneBoy
Admin

I assume because of how this is being blocked (DNS Trap), we are not generating a block page, which would require an active TCP session.
The default DNS Trap IP does not answer any queries and connections would "time out." 

the_rock
Legend

Any way to fix that?

Andy

PhoneBoy
Admin
Accepted Solution

Thinking about this, the answer is probably not.

For a block page to be generated, a TCP connection would have to be generated.
This would require HTTPS Inspection, which would have to generate a certificate based on the site being accessed (SNI).
The SNI verification piece would fail since there's no connection to get the site certificate.
Even if you were to change the DNS Trap IP to something that answers with an HTTPS Certificate, it would not be correct based on the site accessed.

I suspect this is RFE territory. 

the_rock
Legend

Thanks for the feedback, as always. I do have SSL inspection enabled, that part works and we do see logs generated that show pages blocked related to the AB blade, but just can't get the block page to show up.

Oh well, that's unfortunate, but thank you for confirming!

Andy
