topic Re: Allow URL Path in Firewall and Security Management

Allow URL Path

D_W — Mon, 19 Dec 2022 15:24:01 GMT

Hi Mates,

is it possible to allow an URL like https://s3.sbg.perf.cloud.ovh.net/only_this_folder_and_everything_behind/* ?

I tried it already with a custom Application/Site but maybe i use the wrong syntax.

If it is possible how and also without https inspection?

Thx
David

Re: Allow URL Path

PhoneBoy — Mon, 19 Dec 2022 17:31:47 GMT

It is impossible to allow that sort of access without HTTPS Inspection enabled.

Re: Allow URL Path

the_rock — Tue, 20 Dec 2022 16:23:14 GMT

Technically, yes, you could allow it even without https inspection enabled. That blade is never needed to add custom app site, as long as you have URLF blade enabled in the gateway, works fine. Inspection is more if you want firewall to intercept the traffic and "insert" its own cert that would get presented when pages are blocked and it makes sense to have it, since probably 99% of sites now days are indeed https.

I made this work in R81.10 and R81.20 lab just fine without https inspection on. Happy to do remote if you need help.

Re: Allow URL Path

PhoneBoy — Wed, 21 Dec 2022 02:13:29 GMT

There’s a difference between:

Allowing access to https://www.example.com
Allowing access to https://www.example.com/my_secret_url and blocking all other access to https://www.example.com

The latter definitely requires HTTPS Inspection.
You can do the former with just HTTPS Categorization.

Re: Allow URL Path

the_rock — Wed, 21 Dec 2022 02:27:56 GMT

Correct, but I made it work for all those scenarios in my lab even without inspection on. Obviously, you will never get block page without https inspection enabled.

Re: Allow URL Path

D_W — Wed, 21 Dec 2022 08:30:21 GMT

Can you share your solution without https inspection?

Re: Allow URL Path

G_W_Albrecht — Wed, 21 Dec 2022 13:50:05 GMT

How did you achieve allowing access to https://www.example.com/my_secret_url and blocking all other access to https://www.example.com without https inspection ?

Re: Allow URL Path

the_rock — Wed, 21 Dec 2022 13:51:35 GMT

Well, by spending many hours on it until I finally got it.

Re: Allow URL Path

G_W_Albrecht — Wed, 21 Dec 2022 13:53:52 GMT

This does not answer my question at all. If you found a solution without https inspection you will get famous here, so why not disclose it ?

Re: Allow URL Path

the_rock — Wed, 21 Dec 2022 13:55:47 GMT

I dont care about being famous mate, not my motto in life, never been, haha. I wont disclose it, because Im 100% sure its totally unsupported anyway, I just wanted to prove to myself that it can work, which it did.

Re: Allow URL Path

G_W_Albrecht — Wed, 21 Dec 2022 14:08:10 GMT

Honestly - I get a bad feeling when people tell me: Just send me a message privately and i will disclose an unsupported configuration to you. If you can explain it openly we can try ourselves if it really works for us, otherwise i would not talk about it at all...

Re: Allow URL Path

the_rock — Wed, 21 Dec 2022 14:12:29 GMT

Now that I think about, I agree, I will not share it with anyone, not because I dont want to, its because I know its totally UNSUPPORTED what I did, but works 100%.