Nicolas_Daems1
Contributor

Custom Application Control - Wildcard

Hi,

 

We have a list of whitelisted URLs for HTTPS bypass. The list contains about 300 URLs.

Since we upgraded to R80.30 or 80.40 (don't remember exactly) we have a warning message when trying to edit this list, referring to SK165094.

This is mainly due to the fact that this list of URLs is not based on regex and contains * on almost every line.

I've read multiple threads and SKs but it's still confusing. We are using HTTPS Inspection for some networks and HTTPS Categorization for other networks. Everything is running under R80.40 T91.

 

Is it better (in terms of performance ) to use Regex ?

If regex are used and if we want to unblock www.example.com, sub.example.com and https://example.com what are the suggested regex ?

\/example\.com

\.example\.com

 

or  without regex

example.com

*.example.com

 

Thank you

3 Replies
Trevor_Bruss
Contributor

I've used both in the past. I also wonder if one is preferred over the other. I've usually done the latter (without regex) due to simplicity and also because I do not agree with the regex expressions that Check Point feels are best practice in sk165094.

 

The reason for that belief is that there is no termination of the expression. That is to say, if I'm only looking for example.com in the URL or SNI, then what is to stop the regex from matching on www.example.com.bad.domain.com? The regex expression \.example\.com will match on that domain even though it could be a bad site.

 

I really think the regex should at least have a terminator on it, like \.example\.com(\/|$) which may work better on SNI hosts. That at least makes it match for what you want and either a backslash after it or nothing else. Even that is not perfect as you could still match on an HTTP URL, something like http://badwebsite.com/www.example.com/.

 

Again, one of the reasons I still favor the non-regex version of these filters.

 

0 Kudos
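Added example, not part of the original posts and not Check Point's own expressions: a small audit that runs the two regexes quoted above against the hosts from the question and the look-alikes from the reply. The `ANCHORED` pattern and the `audit` helper are hypothetical, and the script assumes the matching engine searches anywhere in the input unless the pattern is anchored.

```python
import re

# Expressions quoted in the thread.
UNANCHORED = r"\.example\.com"
TERMINATED = r"\.example\.com(\/|$)"
# Hypothetical pattern anchored on both sides (an assumption for comparison,
# not taken from sk165094 or sk174194): optional scheme, any number of
# subdomain labels, the exact domain, optional port, then "/" or end of input.
ANCHORED = r"^(https?:\/\/)?([a-z0-9-]+\.)*example\.com(:\d+)?(\/|$)"

# Constructed inputs: the three values the question wants matched ...
WANTED = ["www.example.com", "sub.example.com", "https://example.com"]
# ... and the two look-alikes raised in the reply.
UNWANTED = [
    "www.example.com.bad.domain.com",
    "http://badwebsite.com/www.example.com/",
]


def audit(pattern, wanted=WANTED, unwanted=UNWANTED):
    """Return (missed, overmatched) for one pattern.

    Assumes the engine finds the pattern anywhere in the input unless it is
    anchored, which is what re.search does.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    missed = [v for v in wanted if not rx.search(v)]
    overmatched = [v for v in unwanted if rx.search(v)]
    return missed, overmatched


if __name__ == "__main__":
    for name in ("UNANCHORED", "TERMINATED", "ANCHORED"):
        missed, overmatched = audit(globals()[name])
        print(f"{name:<11} missed={missed} overmatched={overmatched}")
```

Both quoted expressions also miss https://example.com, because they require a dot immediately before "example".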
Tobias_Moritz
Advisor

Regarding the termination on the right side of the expression, there is a sk for that: sk174194.