the_rock
Legend

Anti-bot block page does not show up

Hey guys,

I hope someone can maybe shed some light on this as to what we might be missing to get this working. I have been working with a couple of my colleagues on it and we can't seem to figure it out.

Here is the environment:

R81.20 jumbo 89 mgmt server

R81.20 cluster with anti bot enabled, along with vpn, fw, monitoring, ssl inspection

another R81.20 gw, as well as SE dedicated server, all jumbo 89 (cluster as well)

Now, SSL inspection block page works fine, no issues. We enabled the AB blade and made sure the TP profile shows the default block page as the option; the page we tested does NOT show up, but the block page NEVER comes up. I tested with different DNS servers, no joy. Even followed the link below, same issue.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...TPG/Configuring-Anti-Bot-Settings.htm

I see that the sk below comes up in one of the logs, but I'm not sure if that's relevant here.

https://support.checkpoint.com/results/sk/sk74060

For what it's worth, the same issue happens regardless of whether the IPS blade is enabled or not.

I attached some screenshots of the environment. Any suggestions are always welcome.

Thanks in advance.

Andy

[Attached: Screenshot_1.png, Screenshot_2.png, Screenshot_3.png, Screenshot_4.png]
the_rock
Legend

Quick update... my colleague and I even enabled the AV blade and tested with the EICAR download test link, but IE blocks the download, NOT the AV blade, so the block page does not work for that either.

I have a feeling we are missing something trivial here, just can't figure out what exactly.

Andy

_Val_
Admin

Like HTTPS Inspection enabled?

the_rock
Legend

Nope, that's been enabled for some time actually.

Andy

the_rock
Legend

Btw, @_Val_ , though we have SSL inspection enabled in the lab, we were told by one of the SEs that technically you do not need that feature turned on to be able to effectively use AB? Is that true?

Andy

_Val_
Admin

This is a very inaccurate statement. 

For URLF, HTTPSi lite might do, but if you are planning to scan files delivered over HTTPS, inspection is a must. Also, if you want a warning page redirect on any TLS traffic, you cannot do that without the inspection active.

It might be that you misunderstood what he/she said, or took it out of context.

the_rock
Legend

Thank you. That was sort of my understanding as well. Well, they said it could technically work, but were not 100% sure about the block page being displayed without SSL inspection enabled.

Either way, let me do some more testing in the lab to try to make this work. I have a gut feeling I can get it going, I just have not had much time to dedicate to further testing.

Andy

_Val_
Admin

Any popup requires a redirection as part of the communication. You cannot insert a redirection into encrypted traffic. Hence, HTTPSi.

the_rock
Legend

I will do some more testing in the lab now, since I have a couple of hours for it, so let's see if I can make any progress.

Andy

the_rock
Legend

FWIW, also tested autonomous TP policy, exact same problem.

Andy

PhoneBoy
Admin

I assume because of how this is being blocked (DNS Trap), we are not generating a block page, which would require an active TCP session.
The default DNS Trap IP does not answer any queries and connections would "time out." 

the_rock
Legend

Any way to fix that?

Andy

PhoneBoy
Admin

Thinking about this, the answer is probably not.

For a block page to be generated, a TCP connection would have to be generated.
This would require HTTPS Inspection, which would have to generate a certificate based on the site being accessed (SNI).
The SNI verification piece would fail since there's no connection to get the site certificate.
Even if you were to change the DNS Trap IP to something that answers with an HTTPS Certificate, it would not be correct based on the site accessed.

I suspect this is RFE territory. 
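To make the DNS Trap mechanism described above concrete, here is an added example (not code from this thread or from Check Point) that parses a raw DNS response and reports whether the client was handed the trap IP, i.e. the case where no TCP session to the real site exists and so no block page can be served. TRAP_IP is a constructed placeholder; the real value comes from the gateway's Anti-Bot settings.

```python
# Added example (not from the thread or Check Point): decide from a raw DNS
# response whether a name was "blocked" by the DNS Trap. A trap answer gives the
# client only a sinkhole IP to connect to, so there is no TCP session on which
# the gateway could serve a block page. TRAP_IP is a constructed placeholder
# (TEST-NET-1); take the real value from the gateway's Anti-Bot settings.
import struct

TRAP_IP = "192.0.2.1"  # constructed placeholder, not the product default


def build_a_response(name, ip, txid=0x1234):
    """Constructed test input: minimal DNS response with a single A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # answer name is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer


def read_name(buf, off):
    """Parse a DNS name at buf[off], following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(buf, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n


def a_records(resp):
    """Return (queried name, list of IPv4 answers) from a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = read_name(resp, off)
        off += 4  # skip QTYPE + QCLASS
    for _ in range(an):
        _, off = read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return qname, ips


def classify(resp, trap_ip=TRAP_IP):
    """'dns_trap' if the answer is the sinkhole IP (no block page possible), else 'resolved'."""
    return "dns_trap" if trap_ip in a_records(resp)[1] else "resolved"
```

Run against a capture of the client's DNS replies, a 'dns_trap' result confirms the block happened at resolution time, which is why the Anti-Bot log shows the prevent but the browser only sees a timeout.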

the_rock
Legend

Thanks for the feedback, as always. I do have SSL inspection enabled, that part works and we do see logs generated that show pages blocked related to the AB blade, but I just can't get the block page to show up.

Oh well, that's unfortunate, but thank you for confirming!

Andy
