https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Filtering-look-only-at-host-not-URI/m-p/140145#M21466 <P>Without HTTPS Inspection the rest of the URL should be irrelevant.<BR />With HTTP, it might be worth a TAC case to clarify.</P> Wed, 02 Feb 2022 06:15:25 GMT PhoneBoy 2022-02-02T06:15:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Filtering-look-only-at-host-not-URI/m-p/139549#M21301 <P>Hi,</P><P>&nbsp;</P><P>While doing some logs inspection we found that one of our Custom Application (whitelisting) is in the top trafic.</P><P>&nbsp;</P><P>After checking the logs we found that some Web Advertisement are matching this rule to a wrong categorization</P><P>&nbsp;</P><P>URL Whitelist contains:</P><P>*.example.com</P><P>&nbsp;</P><P>The logs reported in our report contains this ressource:</P><P><A href="https://c.go-mpulse.net/api/config.json?key=XXXX&amp;d=support.example.com&amp;t=XXXX" target="_self">https://c.go-mpulse.net/api/config.json?key=XXXX&amp;d=<FONT color="#0000FF">support.example.com</FONT>&amp;t=XXXX</A></P><P>&nbsp;</P><P>From my understanding this shoul not trigger a hit ??</P><P>I decided to follow this SK174194</P><DIV class="">&nbsp;</DIV><DIV class=""><EM>Symptoms</EM></DIV><DIV class=""><P><EM>The URL partially matches the URL defined in the custom application/Site field</EM><BR /><BR /><EM><STRONG>Example:<BR /></STRONG>The custom URL is defined as&nbsp;<STRONG>example.com&nbsp;</STRONG>and matches URL&nbsp;<STRONG>example.commerce.com</STRONG></EM></P></DIV><DIV class=""><EM>Cause</EM></DIV><DIV class=""><P><EM>When scanning for the URL, the URL must be closed off with a forward slash: "/", otherwise&nbsp;<STRONG>example.com</STRONG>merce.com will match example.com</EM></P></DIV><DIV class=""><EM>Solution</EM></DIV><DIV class=""><P><EM>Close the URL string with "/" at the end, for the correct match.&nbsp;</EM><BR /><EM>Example of the correct definition: "example.com/"</EM></P><P>&nbsp;</P><P>From my understanding this shoul not trigger a hit ??</P><P>After implementing the SK a hit to the following URL is still matching</P><P>&nbsp;<A href="https://c.go-mpulse.net/api/config.json?key=XXXX&amp;d=support.example.com&amp;t=XXXX" target="_self">https://c.go-mpulse.net/api/config.json?key=XXXX&amp;d=<FONT color="#0000FF">support.example.com/test</FONT>&amp;t=XXXX</A></P><P>&nbsp;</P><P>What is the correct implementation to only filter:</P><P>http(s)://support.example.com/ or&nbsp;http(s)://example.com/ if possible without Regex as HTTPS inspection is not enabled for all profiles</P><P>&nbsp;</P><P>Thank you</P></DIV> Wed, 26 Jan 2022 10:08:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Filtering-look-only-at-host-not-URI/m-p/139549#M21301 CP-NDA 2022-01-26T10:08:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Filtering-look-only-at-host-not-URI/m-p/140145#M21466 <P>Without HTTPS Inspection the rest of the URL should be irrelevant.<BR />With HTTP, it might be worth a TAC case to clarify.</P> Wed, 02 Feb 2022 06:15:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/URL-Filtering-look-only-at-host-not-URI/m-p/140145#M21466 PhoneBoy 2022-02-02T06:15:25Z