topic Re: best practices for blocking URLs in a scenario where resources have different URLs but the same in General Topics

best practices for blocking URLs in a scenario where resources have different URLs but the same IP

Oliver_222 — Mon, 18 Aug 2025 12:23:04 GMT

Please tell me the best practices for blocking URLs in a scenario where two resources have different URLs but the same IP.
The problem is that we block a malicious resource using a domain object in the access rules, but we see in the logs that this rule also blocks a legitimate resource.

Thank you

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Chris_Atkinson — Mon, 18 Aug 2025 14:04:34 GMT

Is the URL filtering blade licensed / used for this gateway?

This works differently than your current approach (DNS objects in FW blade).

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Lesley — Mon, 18 Aug 2025 13:38:26 GMT

In case of 443, the fw will need to be able to see the cn in certificate or do full https inspection.

Based on this you can create domain based object and the firewall will resolve it for you.

Make sure you have correct blades: url filtering and enable either categorize https or full https inspection.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

the_rock — Mon, 18 Aug 2025 13:39:57 GMT

Can you give an example? I can test it in my https inspection lab.

Andy

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Chris_Atkinson — Mon, 18 Aug 2025 14:03:37 GMT

I'm not sure that's needed it appears simply about how DNS objects function, they are resolved to IPs.

URL filtering works differently by comparison.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

the_rock — Mon, 18 Aug 2025 14:04:25 GMT

Right, thats true, I just wanted to see if I can simulate it in the lab.

Andy

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Oliver_222 — Mon, 18 Aug 2025 14:18:50 GMT

minboth[.]click is a domain that is blocked by an access rule.

cdn.stepik.net is a legitimate resource with the same IP that should not be blocked, but it is blocked in our environment.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Oliver_222 — Mon, 18 Aug 2025 14:20:27 GMT

Yes, the URL Filtering blade is enabled and licensed

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

the_rock — Mon, 18 Aug 2025 14:25:29 GMT

Is https inspection enabled?

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Oliver_222 — Mon, 18 Aug 2025 14:28:35 GMT

Blade is enabled.
Its settings have fail-close mode.
Also enabled checkboxes: Categorize HTTPS websites, Enforce safe search on search engines, Categorize cached pages and translated pages in search engines.
Added http, https, HTTPS_proxy, HTTP_proxy.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

the_rock — Mon, 18 Aug 2025 14:45:41 GMT

Not sure how its configured under blades, but in my case, I always set it like below for url filtering:

fail mode -> block

categorization -> background

same for https inspection (under manage and settings -> blades)

Btw, just tested your scenario, works fine for me, no issues.

Andy

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Chris_Atkinson — Mon, 18 Aug 2025 15:04:58 GMT

Can you share how that rule looks are you using the destination or services column?

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

PhoneBoy — Mon, 18 Aug 2025 15:07:13 GMT

Is your firewall in the path between clients and the DNS server they use?
If so, you might want to implement DNS Trap.
With Anti-Virus/Anti-Bot and DNS Trap configured, the malicious domain will resolve to the DNS Trap IP instead, which should be a harmless IP (the default IP provided is).

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Oliver_222 — Thu, 21 Aug 2025 14:26:42 GMT

Yes, user requests to the DNS go through CheckPoint.
We thought about this option.
How should we configure the DNS Trap so that we can specify which URLs are malicious and which are safe? If I'm not mistaken, CheckPoint determines this itself.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Oliver_222 — Thu, 21 Aug 2025 14:28:59 GMT

We use the "Destination" column, which contains an object of the "Domains" type.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

the_rock — Thu, 21 Aug 2025 14:31:40 GMT

Just MAKE SURE to NOT configure dns trap to any IP address used anywhere in the network.

Andy

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Oliver_222 — Thu, 21 Aug 2025 14:35:52 GMT

Can you tell me how you tested it?
Did you enable HTTPS inspection and set the "Domains" object to ".cdn.stepik.net" in the allow rule and ".minboth.click" in the deny rule below?
I also want to mention that you should open the "stepik.org" website to see the redirect to cdn.stepik.net, which is blocked as minboth.click on CheckPoint.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

the_rock — Thu, 21 Aug 2025 14:37:59 GMT

Yep, thats it. I wish I took a video or screenshot, apologies. My colleague is currently modifying our lab, since he has to put in more powerful firewall, so I cant access it at the moment, but thats the gist of it and yes, ssl inspection is on.

Andy

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

PhoneBoy — Thu, 21 Aug 2025 19:51:37 GMT

DNS Trap is a Threat Prevention feature.
Domains already flagged as malicious ones in ThreatCloud will be rewritten to the DNS Trap IP.
You can create exceptions in your Threat Prevention policy using Custom Application/Site objects.
"Inactive" means allow, "Prevent" means block.

Re: best practices for blocking URLs in a scenario where resources have different URLs but the same

Chris_Atkinson — Thu, 21 Aug 2025 23:26:19 GMT

You will likely need to switch to using URL filtering rather than Domain objects.

At a minimum you could try a URL filtering rule / Layer above your current rule with the domain object to allow sites that you don't want blocked by it but this may not be fool proof.