Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Collaborator

Is there way to find out if site/ip is blocked by IPS/URLF via command line?

Dear Checkmates

 

Is there way to find out if site/ip is blocked by IPS/URLF via command line?

thanks

0 Kudos
Reply
7 Replies
Admin
Admin

In short: no.

  • IPS doesn't block specific sites or IPs to begin with, it's looking for malicious traffic patterns.
  • To determine this for URLF, you would need to know
    • What the category is (no way to query that via CLI currently)
    • What your policy is configured to block based on a number of factors

For URLF, you may be able to do it in SmartConsole using https://community.checkpoint.com/message/6551-packet-mode-a-new-way-of-searching-through-your-securi...

Can you describe your intended use case?

0 Kudos
Reply
Collaborator

Our help desk is taking multiple tickets a day with basic question.  Are we blocking this site?

I want to create a self-help portal where the user enters the destination URL.  I want to automate the process to see if the URL and port are open or not.  If firewall is blocking the URL/port it would create ticket for the Cybersecurity team.

0 Kudos
Reply
Admin
Admin

Currently there is no API to do what you want.

That said, you could simulate this with scripted calls to curl or similar to the destination URL from a system subject to the same URLF policy as your end users.

If curl is able to download the homepage from the URL, then you're not blocking access to it.

If curl returns some sort of error or gets a UserCheck page, then you are and a ticket should be created. 

The trick is in parsing the output of curl to figure out which result is which.

0 Kudos
Reply
Champion
Champion

I suspect that the SmartEvent could be used to determine when the URLF and App Control block sites and trigger notification events for the CyberSec team by either email, snmp traps etc.

Explorer

yes Correct 

0 Kudos
Reply
Contributor

I understand the Neil question and frustration, I try the best to describe the situation and please do not reply it work as intended...and you need to enable HTTPS inspection.

We got the same issues with URL blocked....unnecessary calls to our help desk.

Assuming we block you  "youtube.com", if the user is accessing the site with HTTP then the wonderful "blocked message page" is displayed. That is great and the user know the paged is blocked...end of story.

Now,  the user or  most Internet pages are redirected to "HTTPS"...from google to youtube to your banking.....etc,etc.

https://youtube.com is still blocked by URL filtering without HTTPS inspection ...known this  by searching at Smartlog, Tracker, Events....

but NO wonderful blocked page is display to the user.....just a "Secure Connection Failed" is displayed, prompting the user to initiate a call to the help desk.

0 Kudos
Reply
Admin
Admin

If you want a block page for HTTPS sites to show to the end user, you will have to enable HTTPS Inspection.

If you don't really want to do HTTPS Inspection, I suppose you could simply enable the feature with any "any any bypass" rule.

However, I have not tried this.

Either way, HTTPS Inspection needs to be enabled in order to show a block page for HTTPS sites to end users.

0 Kudos
Reply