topic Re: Allowing access to a specific URL path in Firewall and Security Management

Allowing access to a specific URL path

JPR — Thu, 19 Dec 2024 10:29:20 GMT

Hello there,

I have a server behind a firewall that doesn't and mustn't full internet access.

However, it needs to be possible to use Copilot on it and thus needs access to some specific URL paths as listed here: https://docs.github.com/en/copilot/managing-copilot/managing-github-copilot-in-your-organization/configuring-your-proxy-server-or-firewall-for-copilot

As mentioned elsewhere on here HTTPS Inspection is needed in order to achieve that so that has been enabled.

As far as I can see I then should be able to whitelist these URL paths in the above link by using a "Custom Application Site/Group", however, I don't seem to be able get the syntax right.

So my question is:

- Is it possible in the way I have described it above to allow access to a specific URL path?

And if so, how should I make the "Custom Application Site/Group".

And of course, if it has to be done in another way, I'd like to know that as well 😉

Thanks and best regards!

Re: Allowing access to a specific URL path

AkosBakos — Thu, 19 Dec 2024 11:24:48 GMT

Hi JPR,

Yes you touch the neuralgic point, the HTTPs Inspection. You can have a test without enable this, but maybe the categorization won't work properly.

https://support.checkpoint.com/results/sk/sk92743

Feature - HTTPS Filtering

Categorization of HTTPS sites without HTTPS inspection (passive HTTPS). Supports URL Filtering on HTTPS traffic without HTTPS inspection.

To enable it, enable the URL Filtering blade:
In SmartDashboard, go to Application & URL Filtering tab -> Advanced -> Engine Settings -> Enable "Categorize HTTPS sites", and install Security Policy.

----------------------------------------

The custom group creation:

https://support.checkpoint.com/results/sk/sk165094

(this speaks for itself)

Akos

Re: Allowing access to a specific URL path

the_rock — Thu, 19 Dec 2024 15:57:24 GMT

I would follow what @AkosBakos suggested. I have fully working ssl inspection lab in R81.20 jumbo 92, so can test anything needed.

Andy

Re: Allowing access to a specific URL path

JPR — Fri, 20 Dec 2024 10:46:53 GMT

Thanks, that all seems to work.

However, getting the Regex right seems to be another issue

So I want to allow traffic to github.com/login/

So ideally I want to make sure that e.g. "maliciousgithub.com/login/" and "github.com/loginmalicious/" or a combination of these doesn't work, however, I'm really struggling to achieve that.

I have checked "URLs are defined as Reuglar Expressions" and tried "github\.com/login/" but that doesn't work. Using "github\.com/login" does - but then also "github\.com/login1" works supposedly because there is a site on their server with that name (if I try "github.com\.com/loginmalicious" it says "Not found" because it doesn't exist).

I'm trying my configuration with "curl -k https://github.com/login".

Hope it makes sense 🙂

Re: Allowing access to a specific URL path

the_rock — Fri, 20 Dec 2024 11:02:09 GMT

Just add custom application object with these 2 entries and it will work, I tested it in my lab.

Andy

*maliciousgithub.com/login/*

*github.com/loginmalicious/*

I never bother checking that option at the bottom for regular expression.

Re: Allowing access to a specific URL path

the_rock — Fri, 20 Dec 2024 12:07:34 GMT

Here is what Im referring to.

Andy

(view in My Videos)

Re: Allowing access to a specific URL path

AkosBakos — Fri, 20 Dec 2024 13:22:39 GMT

Hi, what was the conclusion? Did you set up the HTTPs Inspection?

Re: Allowing access to a specific URL path

JPR — Fri, 20 Dec 2024 13:55:57 GMT

Also to Andy,

Yeah, I got it to work, and also ended up not using regular expressions.

I've enabled HTTPSi for the server and then made a Custom Application Group like this and it seems to work:

Thanks for the help guys! 🙂

Re: Allowing access to a specific URL path

the_rock — Fri, 20 Dec 2024 13:57:10 GMT

Great job!

Andy