This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Neil_ZInk
Collaborator
‎2017-09-27 10:12 AM

Is there way to find out if site/ip is blocked by IPS/URLF via command line?

Dear Checkmates

 

Is there way to find out if site/ip is blocked by IPS/URLF via command line?

thanks

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2017-09-27 10:58 AM

In short: no.

  • IPS doesn't block specific sites or IPs to begin with, it's looking for malicious traffic patterns.
  • To determine this for URLF, you would need to know
    • What the category is (no way to query that via CLI currently)
    • What your policy is configured to block based on a number of factors

For URLF, you may be able to do it in SmartConsole using https://community.checkpoint.com/message/6551-packet-mode-a-new-way-of-searching-through-your-securi...

Can you describe your intended use case?

0 Kudos
Neil_ZInk
Collaborator
‎2017-09-27 11:57 AM

Our help desk is taking multiple tickets a day with basic question.  Are we blocking this site?

I want to create a self-help portal where the user enters the destination URL.  I want to automate the process to see if the URL and port are open or not.  If firewall is blocking the URL/port it would create ticket for the Cybersecurity team.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-09-27 12:31 PM
In response to Neil_ZInk

Currently there is no API to do what you want.

That said, you could simulate this with scripted calls to curl or similar to the destination URL from a system subject to the same URLF policy as your end users.

If curl is able to download the homepage from the URL, then you're not blocking access to it.

If curl returns some sort of error or gets a UserCheck page, then you are and a ticket should be created. 

The trick is in parsing the output of curl to figure out which result is which.

0 Kudos
Vladimir
Champion
Champion
‎2017-10-01 03:03 PM
In response to PhoneBoy

I suspect that the SmartEvent could be used to determine when the URLF and App Control block sites and trigger notification events for the CyberSec team by either email, snmp traps etc.

Vijay_Kamble1
Explorer
‎2017-10-04 11:18 AM

yes Correct 

0 Kudos
Sal_Previtera
Collaborator
‎2017-11-10 12:17 PM

I understand the Neil question and frustration, I try the best to describe the situation and please do not reply it work as intended...and you need to enable HTTPS inspection.

We got the same issues with URL blocked....unnecessary calls to our help desk.

Assuming we block you  "youtube.com", if the user is accessing the site with HTTP then the wonderful "blocked message page" is displayed. That is great and the user know the paged is blocked...end of story.

Now,  the user or  most Internet pages are redirected to "HTTPS"...from google to youtube to your banking.....etc,etc.

https://youtube.com is still blocked by URL filtering without HTTPS inspection ...known this  by searching at Smartlog, Tracker, Events....

but NO wonderful blocked page is display to the user.....just a "Secure Connection Failed" is displayed, prompting the user to initiate a call to the help desk.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-11-10 12:30 PM
In response to Sal_Previtera

If you want a block page for HTTPS sites to show to the end user, you will have to enable HTTPS Inspection.

If you don't really want to do HTTPS Inspection, I suppose you could simply enable the feature with any "any any bypass" rule.

However, I have not tried this.

Either way, HTTPS Inspection needs to be enabled in order to show a block page for HTTPS sites to end users.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events