topic Re: Reason why Checkpoint doesn't like my regex block for C2 traffic? in Firewall and Security Management

Reason why Checkpoint doesn't like my regex block for C2 traffic?

Gregory_Link — Thu, 05 Dec 2019 21:02:54 GMT

Trying to implement a regex block from a threat feed for known C2 traffic on app/url blade and policy will not install. The only thing I noticed is the + operator that Checkpoint doesn't appear to like. However, this conforms to PCRE format when I test on regex101. Has anyone else dealt with this and how have you addressed it?

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._-]+\/)+[1-3]c\.jpg$

Re: Reason why Checkpoint doesn't like my regex block for C2 traffic?

PhoneBoy — Thu, 05 Dec 2019 23:27:25 GMT

What release?
What specific error do you get?

Re: Reason why Checkpoint doesn't like my regex block for C2 traffic?

G_W_Albrecht — Fri, 06 Dec 2019 11:29:46 GMT

Replicated using R80.30 JT 111 SMS + GW + GW Cluster:

- Verify is successfull

- Access policy install fails:

- Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000178).

---

According to sk154435:

Cause:

Custom application site object has a bad regular expression (regex) configured.

Solution:

Fix problematic regex syntax, or delete it from the database.

For example:

Problem in all the regex with the last hyphen inside the brackets. It must be escaped with backslash.

Change: ^https?:\/\/([A-Za-z0-9.-]+\.)?ama-assn\.org

To: ^https?:\/\/([A-Za-z0-9.\-]+\.)?ama-assn\.org

---

After changing the RegEx to

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._\-]+\/)+[1-3]c\.jpg$

Policy install succeeds

Please try yourself, then mark this post as the solution...

Re: Reason why Checkpoint doesn't like my regex block for C2 traffic?

Gregory_Link — Fri, 06 Dec 2019 13:26:49 GMT

@G_W_Albrecht - Appreciate the help here. Escaping the dash did the trick.