topic Re: Best Practice when blocking URL in Firewall and Security Management

Best Practice when blocking URL

civoulkidis — Tue, 23 Nov 2021 10:04:25 GMT

Hi,

I would like some comments from the most experienced users about the best practice when blocking URL.

What I am trying to do is to block specific URL.

These URL may be part from 2 categories:

Phishing sites (not yet categorized by CheckPoint)
Normal web sites

What I have done as far:

Rule: Source-Any, Destination : Network Group Which includes destination objects (Domain, Host etc) , Action:Drop

The network group contains Domain objects (For example if I want to block http://blockme.com/jgsgjs/fjsh/ I create a domain object .blockme.com

In this way I block all the domain which sometimes is not good.

For example when I want to block the phishing URL: https://firebasestorage.googleapis.com/v0/b/kasyropnz.appspot.com/o/faswusamino.html

I have to block all the domain .firebasestorage.googleapis.com which is not acceptable.

Any suggestions about the best practice?

Re: Best Practice when blocking URL

the_rock — Tue, 23 Nov 2021 14:46:53 GMT

I will tell you what I always do and it works 100% of the time...I know Im not nearly as experienced as most folks here, but take it for what its worth : -). Ok, so just to give you a simple example, say you wish to block anything facebook and youtube, I would do exact same rule like you have, but in the destination, for url group, I put in custom links and say *facebook* and *youtube*, thats it. I included a screenshot for your reference.

Andy

Re: Best Practice when blocking URL

civoulkidis — Wed, 24 Nov 2021 18:08:18 GMT

*facebook* means that any url that contains the word facebook is matched?

Re: Best Practice when blocking URL

the_rock — Wed, 24 Nov 2021 18:10:54 GMT

yes sir!

Re: Best Practice when blocking URL

civoulkidis — Thu, 25 Nov 2021 08:05:48 GMT

Is there any guide about Regular Expressions?

For example I want to match and block the url https://10120-0000-00010.pages.dev which contains malicious.

This Reg Exp is not working. /10120-0000-00010.pages.dev/

This is working but I have a warning for performance (sk165094)

*10120-0000-00010.pages.dev*

Re: Best Practice when blocking URL

Marcel_Gramalla — Thu, 25 Nov 2021 10:24:41 GMT

Look at sk106623

Basically for your example the RegEx would be \/10120-0000-0010\.pages\.com and for including subdomains additionally \.10120-0000-0010\.pages\.com

Re: Best Practice when blocking URL

civoulkidis — Thu, 25 Nov 2021 11:03:49 GMT

10120-0000-00010\.pages\.dev worked for me and blocked the specific url

Note that I did not use /....../ at the beginning and at the end.

I have also checked "URLs are defined as Regular Expression". Is that correct?

Re: Best Practice when blocking URL

Marcel_Gramalla — Thu, 25 Nov 2021 11:07:47 GMT

Yes, this is correct. Please note that without the /\ at the beginning you will also block abc10120-0000-0010.pages.com. Check that with a RegEx Tester like regex101.com.

Re: Best Practice when blocking URL

the_rock — Thu, 25 Nov 2021 14:05:10 GMT

@Marcel_Gramalla is correct. Personally, sk that pops up when you make those changes, you can follow it, but to make it simplified, if I need to block a full fqdn, I just do it without TLD (top level domains, such as .com, .org, .edu, .me...as I stated in my first response. It never fails and thats why I keep using that approach.

Re: Best Practice when blocking URL

007_mjn — Mon, 18 Dec 2023 11:12:24 GMT

Hi @the_rock Like this can I also block youtube for mobile devices?

I have SMB 1530 device and version is R81.10. I have blocked youtube for all users.

LIKE this src:lan subnet dst: any service/application:YoutubeApplication action:block

this rule can block youtube on desktop and laptop but not on android mobile device.

Do you know the solution of this?

Re: Best Practice when blocking URL

the_rock — Mon, 18 Dec 2023 13:05:07 GMT

I literally never work on these devices, but if I ever need anything, I either spin demo point lab from user center or log in using below:

https://demo700.checkpoint.com/

User: test_1234567890
Password: %%7JvZp!!k%%

Now, based on what I can see, appears option for mobile clients is under vpn, blade control and it appears to be enabled by default, but as far as how you control it, if its locally managed, most likely by regular rules, but if central, probably via mobile access blade. You may want to confirm this with TAC.

Andy

Re: Best Practice when blocking URL

007_mjn — Tue, 19 Dec 2023 05:08:57 GMT

Thanks for your quick support.

It's a centrally managed device and MAB portal is not available for SMB device. As far as I know MAB is used for secure remote access for android/IOS clients. I have worked on fortinet firewall and it block youtube for all devices.

Re: Best Practice when blocking URL

007_mjn — Tue, 19 Dec 2023 05:21:42 GMT

I think application control blade have to block applications on all devices but it didn't block youtube application on mobile device.

Re: Best Practice when blocking URL

the_rock — Tue, 19 Dec 2023 13:09:32 GMT

Thats because on Fortinet, those things are not "separated" if you will, like they are on CP side. If its centrally managed, is MA blade enabled? Either way, maybe check with TAC whats the best way to do this.

Andy

Re: Best Practice when blocking URL

PhoneBoy — Wed, 20 Dec 2023 01:28:31 GMT

MAB is only required to terminate the Capsule Workspace client.
Check Point Mobile clients for Android/iOS can terminate on an SMB gateway.

Re: Best Practice when blocking URL

007_mjn — Wed, 20 Dec 2023 09:04:03 GMT

ok, I know MAB is only used for capsule workspace.

for mobile devices I will raise a TAC case.