Is there a way to find out if a site/IP is blocked by IPS/URLF via command line?
Dear CheckMates,
Is there a way to find out if a site/IP is blocked by IPS/URLF via command line?
Thanks
In short: no.
- IPS doesn't block specific sites or IPs to begin with, it's looking for malicious traffic patterns.
- To determine this for URLF, you would need to know:
  - What the category is (no way to query that via CLI currently)
  - What your policy is configured to block based on a number of factors
For URLF, you may be able to do it in SmartConsole using https://community.checkpoint.com/message/6551-packet-mode-a-new-way-of-searching-through-your-securi...
Can you describe your intended use case?
Our help desk is taking multiple tickets a day with a basic question: are we blocking this site?
I want to create a self-help portal where the user enters the destination URL. I want to automate the process to see if the URL and port are open or not. If the firewall is blocking the URL/port, it would create a ticket for the Cybersecurity team.
Currently there is no API to do what you want.
That said, you could simulate this with scripted calls to curl or similar to the destination URL from a system subject to the same URLF policy as your end users.
If curl is able to download the homepage from the URL, then you're not blocking access to it.
If curl returns some sort of error or gets a UserCheck page, then you are, and a ticket should be created.
The trick is in parsing the output of curl to figure out which result is which.
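
The curl probe suggested in the reply above, as an added example that is not part of the original thread: it separates a fetched page from a block page and from a failed connection. The marker string `UserCheck`, the function names and the 15-second timeout are assumptions to adjust for your gateway.

```shell
#!/usr/bin/env bash
# Added example: classify one curl probe run from a host that sits behind
# the same URLF policy as the end users.
# Assumption: the block page body or its redirect URL contains this marker;
# set BLOCK_MARKER to whatever your gateway's block page actually returns.
BLOCK_MARKER="${BLOCK_MARKER:-UserCheck}"

# classify_probe CURL_EXIT HTTP_CODE FINAL_URL BODY_FILE
# Prints ALLOWED, BLOCKED_PAGE, CONNECTION_FAILED, DNS_FAILED or UNKNOWN.
classify_probe() {
  local rc="$1" code="$2" final_url="$3" body="$4"
  case "$rc" in
    0) ;;                                   # transfer completed, inspect it
    6) echo DNS_FAILED; return ;;           # could not resolve host
    7|28|35|56) echo CONNECTION_FAILED; return ;;  # connect, timeout, TLS, recv
    *) echo UNKNOWN; return ;;
  esac
  if printf '%s' "$final_url" | grep -qiF -e "$BLOCK_MARKER" ||
     grep -qiF -e "$BLOCK_MARKER" "$body" 2>/dev/null; then
    echo BLOCKED_PAGE; return
  fi
  case "$code" in
    2??) echo ALLOWED ;;
    *)   echo UNKNOWN ;;                    # 4xx/5xx: leave to a human
  esac
}

# probe_url URL: fetch the URL and print the classification.
probe_url() {
  local url="$1" body out rc
  body="$(mktemp)"
  # Portal input is untrusted: allow only http/https, also across redirects.
  out="$(curl -sS -L --max-time 15 --proto '=http,https' \
              --proto-redir '=http,https' -o "$body" \
              -w '%{http_code} %{url_effective}' --url "$url" 2>/dev/null)"
  rc=$?
  classify_probe "$rc" "${out%% *}" "${out#* }" "$body"
  rm -f "$body"
}

# Run a probe only when a URL is given on the command line.
if [ "$#" -gt 0 ]; then probe_url "$1"; fi
```

Only `BLOCKED_PAGE` is a confirmed policy block; `CONNECTION_FAILED` and `UNKNOWN` are better routed to a person than turned into an automatic verdict.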
I suspect that SmartEvent could be used to determine when URLF and App Control block sites and trigger notification events for the CyberSec team by email, SNMP traps, etc.
Yes, correct.
I understand Neil's question and frustration. I will try my best to describe the situation, and please do not reply that it works as intended... and that you need to enable HTTPS inspection.
We got the same issues with blocked URLs... unnecessary calls to our help desk.
Assuming we block "youtube.com", if the user is accessing the site with HTTP, then the wonderful "blocked message page" is displayed. That is great, and the user knows the page is blocked... end of story.
Now, the user or most Internet pages are redirected to "HTTPS"... from Google to YouTube to your banking... etc., etc.
https://youtube.com is still blocked by URL filtering without HTTPS inspection... we know this from searching in SmartLog, Tracker, Events...
but NO wonderful blocked page is displayed to the user... just a "Secure Connection Failed" is displayed, prompting the user to initiate a call to the help desk.
If you want a block page for HTTPS sites to show to the end user, you will have to enable HTTPS Inspection.
If you don't really want to do HTTPS Inspection, I suppose you could simply enable the feature with an "any any bypass" rule.
However, I have not tried this.
Either way, HTTPS Inspection needs to be enabled in order to show a block page for HTTPS sites to end users.
