minhhaivietnam
Contributor

HTTPS inspection not block URL

Hello experts,

I have a CP firewall running HTTPS inspection to control users' internet access.

I have 2 layers: NETWORK and APP&URL.

In the Network layer, I allow any any.

In the APP&URL layer, I manually allow URL1, URL2, ... and the cleanup rule blocks all others.

My problem is:

Some PCs sometimes call this URL "events.data.microsoft.com", and I do not allow this URL. But the log on the firewall still shows that it allows this URL. I don't know why. Here are some pictures. Please help to explain! Thank you

[Images: inspection.png, log url.png]

3 Replies
PhoneBoy
Admin

What version/JHF level?
It would also be useful to see what precise rule is allowing this connection, which will be shown in the log card.
Might need a screenshot of the rule and relevant services.
I’m also surprised this is not being blocked because of the untrusted CA key; did you disable that check?

minhhaivietnam
Contributor

Thank you for the reply. Here is a picture of my settings (I use R80.10, HOTFIX_R80_10_JUMBO_HF Take 203):

[Image: appctl.png]

This is the HTTPS validation setting:

[Image: https inspect.png]

In the picture of the HTTPS inspection setting, do you mean that I need to check the "Untrusted server certificate" box?

PhoneBoy
Admin

I suspect the issue is related to SNI detection, which is not supported in R80.10.
That means your app control rule will match based on CN instead, which may be being allowed by your existing rules.
I highly recommend upgrading to a later release as shown here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Yes, that’s the setting I’m referring to.
If you check that (and push policy), the gateway will not allow connections to sites for which it cannot validate the certificate chain (similar to what a browser does).
However, that could block your legitimate traffic as well.

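An added illustration of the SNI-versus-CN point above; this is not code from the thread or from Check Point. A constructed TLS ClientHello is parsed for its SNI host name, and a toy policy check shows the same connection being blocked when the rule is matched on the SNI name but allowed when the gateway falls back to matching the rule against a (constructed) wildcard server-certificate CN. The allow list, the CN value and the matching logic are assumptions for the demonstration, not Check Point's implementation.

```python
import struct

ALLOWED = ["www.microsoft.com"]   # the APP&URL layer's explicit allow rule (constructed)

def build_client_hello(server_name: str) -> bytes:
    # Constructed TLS 1.2 ClientHello that carries only the SNI extension.
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                # client_version + random
            + b"\x00"                             # empty session id
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # TLS record header

def extract_sni(record: bytes):
    # Walk the ClientHello and return the SNI host_name, or None if absent.
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                              # record hdr, hs hdr, version, random
    p += 1 + record[p]                              # session id
    p += 2 + int.from_bytes(record[p:p + 2], "big") # cipher suites
    p += 1 + record[p]                              # compression methods
    if p + 2 > len(record):
        return None                                 # no extensions block at all
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0 and record[p + 2] == 0:       # server_name, first entry is host_name
            nlen = int.from_bytes(record[p + 3:p + 5], "big")
            return record[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

def cn_covers(cn: str, host: str) -> bool:
    # A wildcard CN matches exactly one additional label, as browsers treat it.
    if cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host

def decide(client_hello: bytes, cert_cn: str, sni_supported: bool) -> str:
    # Without SNI support the rule is matched against the server certificate CN.
    sni = extract_sni(client_hello) if sni_supported else None
    if sni is not None:
        return "allow" if sni in ALLOWED else "block"
    return "allow" if any(cn_covers(cert_cn, h) for h in ALLOWED) else "block"
```

Run `decide(build_client_hello("events.data.microsoft.com"), "*.microsoft.com", sni_supported=False)` to reproduce the unexpected "allow"; the same call with `sni_supported=True` returns "block".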