Wednesday, August 3, 2016

SSL Inspection - UserCheck


UserCheck  (Enable Block Pages)

Related SKs: sk100571, sk97951, sk100281 (summarised below) - Check URL Categorization

Exceptions - via regular expression
----------------------------------
(.*\.|)logmein\.com
(.*\.|)dropbox\.com
(.*\.|)gotomeet\.me
(.*\.|)citrixonline\.com
*.gotomeet.me   (wildcard form, not a valid regex; the regex on the gotomeet.me line above already covers it)

Caveat: these patterns carry no anchors. If the matching engine does a substring search rather than a whole-hostname match, a look-alike such as notlogmein.com or logmein.com.attacker.example also satisfies (.*\.|)logmein\.com and is exempted from inspection; anchor the pattern (^...$) if the engine allows it.
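The anchoring caveat, as an added example (not code from the original page and not a Check Point component): the four exception patterns from the list above are run against a constructed set of hostnames, once as a substring search and once as a whole-hostname match. The sample hostnames and the `anchored()` helper are assumptions for illustration.

```python
import re

# The exception patterns from the notes above, exactly as written.
EXCEPTIONS = [
    r"(.*\.|)logmein\.com",
    r"(.*\.|)dropbox\.com",
    r"(.*\.|)gotomeet\.me",
    r"(.*\.|)citrixonline\.com",
]

# Constructed sample hostnames (not from the page): legitimate matches,
# plus look-alike hosts that must NOT be exempted from inspection.
SAMPLE_HOSTS = [
    "logmein.com",
    "secure.logmein.com",
    "www.dropbox.com",
    "global.gotomeet.me",
    "notlogmein.com",               # look-alike: contains "logmein.com" as a substring
    "logmein.com.evil.example",     # look-alike: legitimate name used as a prefix
    "dropbox.com.attacker.example",
]


def matches_substring(host, pattern):
    """How an engine that does an unanchored search treats the pattern."""
    return re.search(pattern, host) is not None


def matches_whole(host, pattern):
    """Whole-hostname match, equivalent to wrapping the pattern in ^ and $."""
    return re.fullmatch(pattern, host) is not None


def exempt_hosts(hosts, patterns, matcher):
    """Hostnames that at least one exception pattern would exempt under `matcher`."""
    return sorted({h for h in hosts for p in patterns if matcher(h, p)})


def anchored(pattern):
    """Rewrite an exception pattern so it can only ever match the whole hostname."""
    return rf"^(?:{pattern})$"


if __name__ == "__main__":
    print("substring match exempts: ", exempt_hosts(SAMPLE_HOSTS, EXCEPTIONS, matches_substring))
    print("whole-host match exempts:", exempt_hosts(SAMPLE_HOSTS, EXCEPTIONS, matches_whole))
    print("anchored pattern:        ", anchored(EXCEPTIONS[0]))
```

Under a substring search the two look-alike hosts slip through the exception and bypass inspection; under a whole-hostname match only the four intended hosts are exempted.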

Packet Flow


  1. Firewall Rules - the Firewall Rule Base works on Layer 3 (IP addresses/networks) and Layer 4 (TCP/UDP services)
  2. Application Control Blade - works on Layers 5-7 (application data)
    1. IPS Blade - Streaming - Passive Streaming Session


1. Check Point firewall object - UserCheck - Accessibility - Edit... - Through all interfaces
2. Engine Settings - URL Filtering - uncheck 'Categorize HTTPS sites' (Global Properties) - must put back afterwards to allow other to w
3. Restart the UserCheck portal (the portal name is case-sensitive):
 # mpclient stop UserCheck
 # mpclient start UserCheck

[Expert@mytestint-fwa:0]# mpclient stop UserCkeck
Exception: An exception has occurred during an RPC request: Portal not found
[Expert@mytestint-fwa:0]# mpclient stop UserCheck
Portal stopped
[Expert@mytestint-fwa:0]# mpclient start UserCheck
Portal started
(The first attempt fails only because of the typo 'UserCkeck'; 'Portal not found' means no portal of that name is registered with the multi-portal daemon.)
[Expert@mytestint-fwa:0]# 


[Expert@mytestint-fwa:0]# ps -aux | grep UserCheck
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
admin    26902  0.0  0.0   1740   528 pts/2    S+   13:07   0:00 grep UserCheck
[Expert@mytestint-fwa:0]# 
Note: grep matches only itself. There is no process named UserCheck; the portal is served by the multi-portal daemon (mpdaemon) that mpclient talks to. The procps warning is caused by the leading dash - use 'ps aux' (BSD syntax) without it.



sk100571 
Webpage does not redirect to UserCheck page

Symptom
  • When browsing to a blocked site, the site is blocked, but the browser is not redirected to the UserCheck web page
Cause:
On SmartDashboard, the UserCheck Web Portal "Main URL" is configured with the incorrect IP. On a cluster, it is not configured as the virtual IP (VIP) of the cluster.


Solution
Change the UserCheck Web Portal "Main URL" to the correct IP address:
Open SmartDashboard > Edit Cluster/Gateway Object > UserCheck > Main URL
Once you have changed the Main URL, you will need to restart the UserCheck portal. From CLI run the following commands:
# mpclient stop UserCheck
# mpclient start UserCheck 


sk97951
UserCheck block page not displayed when accessing blocked site as per URL Filtering policy

Symptoms
  • The UserCheck Block page is not displayed when users connect from the internal interfaces, even though the UserCheck portal / Main URL field is configured as the primary URL of the web portal that shows the UserCheck notifications.
  • HTTPS Inspection and HTTP/HTTPS Proxy are not enabled on the Security Gateway.
Cause
In the Security Gateway object properties - "UserCheck" pane - "Accessibility" section - the option "Through internal interfaces" is selected. However, the option "Including DMZ internal interfaces" or the option "Including undefined internal interfaces" was not selected.
Solution
Follow these steps:
  1. Open Security Gateway object properties.
  2. Go to 'UserCheck' pane.
  3. In the 'Accessibility' section, click on 'Edit...' button.
  4. Configure the interfaces on the Security Gateway, through which the UserCheck portal can be accessed.

    Select the options below, according to where the users are connecting from, so they are redirected to the UserCheck portal:

    • Through all interfaces
    • Through internal interfaces

      • Including undefined internal interfaces - select this option, if users are connecting through the internal interfaces
      • Including DMZ internal interfaces - select this option, if users are connecting through the DMZ internal interface
      • Including VPN encrypted interfaces
    • According to the Firewall Policy (select this option if there is a rule that states who can access the portal)
  5. Click on 'OK' to apply the settings.
  6. Save the changes: go to 'File' menu - click on 'Save'.
  7. Install policy onto involved Security Gateways.


sk100281
Cannot access UserCheck page


Symptoms
  • When using Application Control and URL Filtering with UserCheck enabled, blocked websites are successfully blocked, however the browser does not redirect to the UserCheck page. It will also not be possible to directly browse to the UserCheck page based on the alias set up in SmartDashboard.
  • UserCheck connectivity debug (fw ctl zdebug + crypt) shows:
    ;vm_mux_first_packet: Connection is for http(s)? = 1 (allow redirect = 1);
    ;vm_mux_first_packet: is mp port allowed? allow_80_443_ports = 0 or connection from internal interfaces = 0;
Cause
UserCheck is not enabled on the correct interfaces.
Solution
 To resolve this issue, perform one of the following two solutions:
  1. Navigate to 'Firewall object -> UserCheck -> Accessibility' and enable:
    Through internal interfaces:
    * Including VPN encrypted interfaces
    * Including undefined internal interfaces
    * Including DMZ internal interfaces

     
  2. Navigate to 'Firewall object -> Topology -> Edit Topology'

    Confirm that the interfaces have been correctly configured as 'Internal' or 'External'. If an internal interface is misconfigured as an 'External' interface, the UserCheck page will not be displayed. Only traffic from an 'Internal' interface will allow the UserCheck webpage to be displayed.
    The only exception is when UserCheck is configured to be displayed through 'All Interfaces' in 'Firewall object -> UserCheck -> Accessibility'.
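The accessibility rules that sk97951 and sk100281 describe, as an added example (not Check Point code and not from the original page): a small model of the 'UserCheck > Accessibility' choices decides whether a blocked client on a given interface role is redirected to the portal, and a helper pulls the two flags out of the 'fw ctl zdebug + crypt' line quoted above. The `Accessibility` class, the `policy_allows` hook and the sample debug line are assumptions for illustration; the reading of the debug flags (redirect permitted when either flag is 1) is an interpretation of the quoted line, not documented behaviour.

```python
import re
from dataclasses import dataclass

# Interface roles from the gateway Topology (sk100281) plus the two special
# cases that the Accessibility sub-options cover (sk97951).
INTERNAL, EXTERNAL, DMZ, UNDEFINED, VPN = "internal", "external", "dmz", "undefined", "vpn"


@dataclass
class Accessibility:
    """Hypothetical mirror of Gateway object > UserCheck > Accessibility > Edit...
    One of all_interfaces / internal_interfaces / by_policy is the chosen radio button."""
    all_interfaces: bool = False
    internal_interfaces: bool = False
    include_undefined: bool = False   # 'Including undefined internal interfaces'
    include_dmz: bool = False         # 'Including DMZ internal interfaces'
    include_vpn: bool = False         # 'Including VPN encrypted interfaces'
    by_policy: bool = False           # 'According to the Firewall Policy'
    policy_allows: bool = False       # assumed: a rule lets this client reach the portal


def redirect_allowed(cfg, iface_role):
    """Would the gateway redirect a blocked client arriving on iface_role to the portal?"""
    if cfg.all_interfaces:
        return True                   # the only case that ignores the Topology role
    if cfg.by_policy:
        return cfg.policy_allows
    if cfg.internal_interfaces:
        return iface_role == INTERNAL or (
            (iface_role == UNDEFINED and cfg.include_undefined)
            or (iface_role == DMZ and cfg.include_dmz)
            or (iface_role == VPN and cfg.include_vpn)
        )
    return False


# Constructed sample in the shape sk100281 quotes for 'fw ctl zdebug + crypt'.
SAMPLE_DEBUG = (
    ";vm_mux_first_packet: Connection is for http(s)? = 1 (allow redirect = 1);"
    " ;vm_mux_first_packet: is mp port allowed? allow_80_443_ports = 0"
    " or connection from internal interfaces = 0;"
)

_FLAGS = re.compile(r"allow_80_443_ports = (\d).*?connection from internal interfaces = (\d)")


def triage_debug(line):
    """Extract the two multi-portal flags and name the configuration path to check.
    Returns None when the line is not the vm_mux_first_packet message."""
    m = _FLAGS.search(line)
    if not m:
        return None
    ports_ok, internal_ok = int(m.group(1)), int(m.group(2))
    if ports_ok or internal_ok:       # interpretation: either flag set means redirect goes ahead
        return "redirect permitted by the multi-portal check"
    return ("redirect denied: client is not on an interface UserCheck is enabled for; "
            "check UserCheck > Accessibility and the Topology roles (sk100281)")


if __name__ == "__main__":
    cfg = Accessibility(internal_interfaces=True)
    for role in (INTERNAL, DMZ, UNDEFINED, VPN, EXTERNAL):
        print(f"{role:9s} -> redirect {redirect_allowed(cfg, role)}")
    print(triage_debug(SAMPLE_DEBUG))
```

With only 'Through internal interfaces' ticked, clients on DMZ, undefined or VPN interfaces get no redirect until the matching sub-option is ticked; an internal LAN that the Topology marks 'External' never gets one unless 'Through all interfaces' is chosen, which is the sk100281 case.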