topic Re: URL filtering not working in Firewall and Security Management

URL filtering not working

Sree_checkpoint — Fri, 25 Oct 2019 09:11:52 GMT

On the Checkpoint management server we have ordered layer for our access rules.

Access

Application and URL filtering.

We need to whitelist certain subnet to access certain specific urls and the rest of the Internet access from those subnet is denied by the default deny rule in the Application and Url filetering rule base. Below are some of the urls I need whitelisted.

https://api.nuger.org

https://www.nuget.org/

So for this access I created a new custom Application/Site and created a rule in the application/url filtering rulebase with source as the subnet, destination as any and in service/applications I put the newly created custom application/site and action permit

When i check the custom Application/site i created I could see http, https is allowed.

Now when i try to access the website from the host in that subnet it is still getting blocked as per the default deny rule in the Application and url filtering rule base,even though I have kept the new created rule above default deny.

Can someone please help me to understand why this is causing this and what is the solution.

Re: URL filtering not working

PhoneBoy — Fri, 25 Oct 2019 23:07:26 GMT

Unless you are using R80.20 with JHF 117 or above or R80.30, the way we determine what site you are connecting to with HTTPS is the CN of the certificate of the site in question.
For api.nuger.org, the CN says surveymonkey.eu.
For www.nuget.org, the CN says *.nuget.org.

That means you will either need to:
1. Change your rules to match what the CN says for the sites in question.
2. Upgrade to R80.20 JHF 117+ or R80.30 where we filter based on verified client SNI.

Re: URL filtering not working

Sree_checkpoint — Wed, 30 Oct 2019 16:10:24 GMT

My gateway is on R80.10 and hardware is open server.

On the newly created application/url list I have put the CN of the website

for https://www.nuget.org , in the application/url list i have put *.nuget.org. Still the https traffic to this url is getting blocked by the default deny instead of the allowed rule.

Re: URL filtering not working

mdjmcnally — Wed, 30 Oct 2019 19:28:14 GMT

On our policy then would be entering as

*nuget.org*

As the allowed URL

URLs are defined a Regular Express is unchecked.

Gateway is R77.30

Re: URL filtering not working

PhoneBoy — Thu, 31 Oct 2019 14:56:20 GMT

It's possible that matching the CN of the certificate doesn't support wildcards.
Best to check with the TAC.
In any case, highly recommend upgrading from R80.10.

Another option is to use the Application Control Signature tool and create a SNI-based signature for the site in question.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103051