CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Some websites are not blocked from the Mobile phone browsers.

  1. #1
    Join Date
    2017-06-29
    Posts
    3
    Rep Power
    0

    Dear friends,

    We have configured a block rule in the Application Control and URL Filtering blade to block pornographic content. On all the desktops and laptops the content is blocked as per the configuration. But on the mobile devices which are connected through the Wi-Fi router, some of these sites are allowed, although we can see the log information on the tracker as blocked by the application blade rule and allowed through the firewall rule.

    Version: R77.30 Gaia
    HTTPS inspection not enabled.

    Please let me know if there is any information which can help me to configure as per the below requirement.

    Pornographic content and WhatsApp video sharing must be blocked on all mobile devices.

    Thanks in advance.

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,383
    Rep Power
    15

    URL Filtering will only work with HTTP and HTTPS (either with HTTPS Inspection or Categorize HTTPS Sites enabled).
    It's possible the traffic in question is not HTTP or HTTPS, but QUIC or even something else.
    I recommend doing a packet capture to validate what is actually being transmitted by the mobile device.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2006-03-21
    Posts
    68
    Rep Power
    12

    Hi,

    Is the Wi-Fi router NAT'ing source addresses for devices connected to it?

  4. #4
    Join Date
    2017-06-29
    Posts
    3
    Rep Power
    0

    Quote Originally Posted by PhoneBoy View Post
    URL Filtering will only work with HTTP and HTTPS (either with HTTPS Inspection or Categorize HTTPS Sites enabled).
    It's possible the traffic in question is not HTTP or HTTPS, but QUIC or even something else.
    I recommend doing a packet capture to validate what is actually being transmitted by the mobile device.

    Thanks for the response.

    QUIC is not blocked and I have also checked enabling "Categorize HTTPS sites". I have observed HTTP traffic being passed through the firewall rule and not even hitting the Application and URL blade rule.

    If there is any other suggestion, please let me know.

    Regards,
    Praneeth

  5. #5
    Join Date
    2017-06-29
    Posts
    3
    Rep Power
    0

    Quote Originally Posted by eduardoxmunoz View Post
    Hi,

    Is the Wi-Fi router NAT'ing source addresses for devices connected to it?

    Thank you for the response.

    The source IPs are hidden behind the gateway and the rule is configured as block for "any".

    Thanks and regards,
    Praneeth

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,383
    Rep Power
    15

    Quote Originally Posted by praneeth View Post
    QUIC is not blocked and I have also checked enabling "categorize https sites". I have observed http traffic being passed through firewall rule and not even hitting the application and URL blade rule.

    If you are taking a "blacklist" approach (allowing most everything but blocking the bad stuff), I recommend two rules at the bottom of your App Control/URL Filtering rulebase:
    1. One with the service "Any Recognized" (Not available in R80+) with action Accept -- This will tell you what App Control sees the traffic as.
    2. One with the service "Unknown Traffic" with action Accept -- this will show you what's getting past the Application Control blade.

    It's also worth noting that the default rule for App Control/URL Filtering (i.e. if no rule matches) is an Accept, not a Drop like in the Firewall policy.
    Web sites accessed via QUIC protocol are not categorized by Check Point at all, FYI, which is why I mentioned it.

    I recommend engaging with the Check Point TAC for further troubleshooting.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
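
The check recommended in this thread (capture the mobile device's traffic and confirm whether it is HTTP, HTTPS, QUIC or something else) can be sketched as follows. This is an added example, not code from the posters or from Check Point; the function names, the `(proto, dst_port, first_payload)` flow tuples and the sample payloads are constructed assumptions, and the byte checks are heuristics applied to the first client payload of each flow.

```python
# Added example, not from the thread. Sample payloads are constructed.
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def classify(proto, dport, payload):
    """Coarse label for the first client payload of a flow (heuristic)."""
    if proto == "tcp":
        if payload.startswith(HTTP_METHODS):
            return "http"
        # TLS handshake record (0x16), version major 0x03, message type ClientHello (0x01)
        if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
            return "tls"
        return "other-tcp"
    # Assumption: QUIC is only looked for on UDP/443, its usual port
    if proto == "udp" and dport == 443 and len(payload) >= 13:
        flags = payload[0]
        # IETF QUIC long header: header-form and fixed bits set, 4-byte version follows
        if flags & 0xC0 == 0xC0:
            return "quic"
        # Google QUIC (2017 era): version flag 0x01 plus 8-byte connection ID flag 0x08,
        # then an ASCII version tag such as "Q035" at offset 9
        if flags & 0x09 == 0x09 and payload[9:10] == b"Q" and payload[10:13].isdigit():
            return "quic"
    return "other-udp" if proto == "udp" else "unknown"

def summarize(flows):
    """Count labels and list the flows that are neither HTTP nor TLS."""
    labelled = [(f, classify(*f)) for f in flows]
    counts = Counter(label for _, label in labelled)
    unseen = [(f[0], f[1], label) for f, label in labelled if label not in ("http", "tls")]
    return counts, unseen

# Constructed sample: first payload of five flows from a phone
SAMPLE_FLOWS = [
    ("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("tcp", 443, bytes([0x16, 0x03, 0x01, 0x00, 0x2E, 0x01]) + b"\x00" * 46),
    ("udp", 443, b"\x0d" + b"\x11" * 8 + b"Q035" + b"\x01" + b"\x00" * 20),
    ("udp", 443, b"\xc3\x00\x00\x00\x01\x08" + b"\x22" * 8 + b"\x00" * 20),
    ("udp", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),
]

if __name__ == "__main__":
    counts, unseen = summarize(SAMPLE_FLOWS)
    print(dict(counts))
    for proto, dport, label in unseen:
        print(f"not HTTP/HTTPS: {proto}/{dport} -> {label}")
```

Flows labelled `quic` are the ones the thread says are not categorized at all, so a non-zero count there explains sites loading on phones while the same sites are blocked on desktops.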
