topic Re: to allow URLs with wildcard destiations on non web browsing ports in Firewall and Security Management

to allow URLs with wildcard destiations on non web browsing ports

Gil_Lim — Mon, 24 Jun 2024 09:11:07 GMT

Hello Checkmates! Anyone can help out how to allow following wildcard URLs on non web browsing traffic on R81.10? Can't use Non-FQDN object due to reverse DNS is not working and updatable object also not available. Destination *.bam.nr-data.net *.apse2.pure.cloud Ports/Services TCP/UDP: 3478 (STUN) TCP/UDP: 19302 (STUN) UDP 16384-32768 (SRTP/TURN) TCP: 8191 (HTTPS)

Re: to allow URLs with wildcard destiations on non web browsing ports

PhoneBoy — Mon, 24 Jun 2024 19:40:40 GMT

For things that are actually HTTPS, you need to ensure the ports are configured here:

However, you list several things that aren't HTTPS.
If the gateway is in the path between the client and their configured DNS server, Passive DNS Learning can help with non-FQDN Domain Objects.
https://support.checkpoint.com/results/sk/sk161612

If the vendor in question provides a list of IPs in JSON or a flat file form, upgrade to R81.20 and use a Network Feed object.

Re: to allow URLs with wildcard destiations on non web browsing ports

the_rock — Tue, 25 Jun 2024 01:28:22 GMT

100% you can do that. Just add more services where Phoneboy mentioned and you can do what I always do...so say you wish to block anything youtube, just add *youtube*

Hope that helps.

Andy

Re: to allow URLs with wildcard destiations on non web browsing ports

Gil_Lim — Tue, 25 Jun 2024 01:46:31 GMT

Thanks for the updates.

we do use many Custom Application/site allowing Web Browsing Servers.

If we add more ports under Application Control Web Browsing Services, the other Custom Applications/Sites will be affected by this and it end up allow extra ports for other Custom Applications/Sites which we don't want to.

Hope that if there is an option to choose other then Web Browsing under New Application/Site.

Re: to allow URLs with wildcard destiations on non web browsing ports

emmap — Tue, 25 Jun 2024 02:31:23 GMT

If it's not actually web browsing then you should be using an FQDN object as the destination and then the services as normal.

Re: to allow URLs with wildcard destiations on non web browsing ports

PhoneBoy — Tue, 25 Jun 2024 15:16:10 GMT

Yes, this is a global setting that affects all such Custom Application/Sites, which are primarily for applications that use HTTP/HTTPS.
For application that speak other protocols, you will need to use either a Domain Object or possibly a Network Feed (in R81.20), though I'm double checking it will work for this use case (e.g. including *.example.com).

Re: to allow URLs with wildcard destiations on non web browsing ports

PhoneBoy — Wed, 26 Jun 2024 13:38:59 GMT

I double checked with R&D and confirmed that wildcards can be used in entries listed there (provided it’s something like *.example.com and not www.*.com, I.e. the wildcard is first).
This also requires Passive DNS Learning to be enabled, which requires the gateway to see all the DNS requests from the clients: https://support.checkpoint.com/results/sk/sk161612