This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dan_Roddy
Collaborator
‎2018-09-20 12:26 PM

Users reported web traffic stopped working

Found a block action reason:  Blocking request as configured in engine settings of Application Control...

Precise Error: Internal system error in HTTPS Inspection due to categorization service timeout...

So I went to Blades/Application Control & URL Filtering Settings/General and changed Fail mode to 'allow all requests (fail-open) and installed policy.

Problem solved, any input on what's happening?

11 Replies
PhoneBoy
Admin
Admin
‎2018-09-21 10:08 AM

There's a few different possibilities on this.

The TAC can assist you with troubleshooting the exact cause.

0 Kudos
Dan_Roddy
Collaborator
‎2018-09-21 10:13 AM
In response to PhoneBoy

I'll give you 100 points for the 'few different possibilities'.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-21 10:19 AM
In response to Dan_Roddy

As admin, I can give myself all the points I want Smiley Happy

Unfortunately the information is in an internal SK.

And now that I read it more closely, it says "gather the following debugs" and doesn't provide much of an explanation.

Dan_Roddy
Collaborator
‎2018-09-21 11:39 AM
In response to PhoneBoy

I'm chatting with TAC and they are struggling...can you give me the sk# please?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-22 03:26 PM
In response to Dan_Roddy

I searched SK for the error message you provided, which brought up sk118440.

My guess is they will have to get R&D involved.

Dan_Roddy
Collaborator
‎2018-09-24 11:09 AM

With Access Mode set to Allow, I am seeing a very small number of Alerts on this today.  Does anyone know how SSL inspection reacts to a SSLv3 connection?  I know they should not exist but just asking the question, maybe a client is doing this.

Thanks..

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-24 11:50 AM
In response to Dan_Roddy

I believe, by default, this is allowed.

You can prevent that as described here: Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) 

0 Kudos
Tim_McColgan
Contributor
‎2019-03-06 12:58 PM

I am experiencing this issue today. The only changes we made in the FW cluster was to enable enhanced SSL inspection. For some reason two banking related sites were not working until we configured enhanced SSL inspection. The day after we did these we started seeing many alerts for the Rad service not responding and that categorization was timing out for application control. However, TAC said enabling enhanced SSL inspection did not cause this. Plus we tested by turning it off. I am not sure why this is suddenly happening, but in the interim, I had to do the same which was setting the fail mode for application control to Fail-Open. I've scheduled an advanced debug with TAC to figure this out. Very strange. Anyone have any new or updated info on this? 

Calling Aaron Vivadelli‌ !!

0 Kudos
Ted_Serreyn
Collaborator
‎2019-10-30 01:08 PM
In response to Tim_McColgan

Just hit this today for a brand new https inspection turnup on newly upgrade R80.30 cluster.  Opened TAC case, grabbed debugs.  We'll see what the issue is.

 

 

0 Kudos
Jacinto_Rodrigu
Participant
‎2019-11-07 09:20 AM
In response to Ted_Serreyn

I'm having the same issue with URL filtering and SSL inspection R80.30, brand new turn up.

Any clues yet?

0 Kudos
Ted_Serreyn
Collaborator
‎2019-11-07 11:01 AM
In response to Jacinto_Rodrigu

Ok, our issue ended up being an issue with the gateway and outbound traffic.  Make sure the gateway can get outbound to do http/https requests.  It needs to do this for categorization.

 

Once we fixed this, we were quickly online and https inspecting for a few test workstations.

 

Interesting enough, once we turned it on for the testing hosts, we also some issues with other hosts that we also had to put an override in place for.  This traffic went over a VPN and was NOT internet bound so did not match the policy for bypass.

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events