Custom URL matching with HTTPS categorization

Hi,

We are still having issues with rules using custom URL matching for HTTPS requests. It is working *sometimes*, but most often it is not working (the rules don't match).

We are using HTTPS categorization only, as HTTPS inspection introduced other issues for us (nothing to discuss here).

From my understanding, while having HTTPS categorization in place, the firewall should match the URL against the CN of the SSL certificate of the site being accessed.

This indeed seems to work ok for cases where the CN is just a plain string. But for a wildcard certificate, it is apparently not working as expected. An actual example:

Site we would like the rule to match: https://www.docker.com/

The SSL certificate CN of this site is "*.docker.com"; the certificate also has a "Subject Alternative Name" attribute including "docker.io".

In the URL object on the firewall we used a regex like ".*docker\.com.*" (which should match everything containing docker.com). But the rule doesn't match.

Please clarify the expected behavior, because I couldn't find anything in the documentation:

  • How is a site's wildcard certificate CN (e.g. "*.docker.com") matched against the string in the custom URL object? Is the star in the CN treated as a wildcard or just as a character without special meaning?
  • Is the SSL certificate's SAN (Subject Alternative Name) taken into account for matching at all?
  • If the latter is not the case, are there plans to improve matching to take it into account?

Together with support we got the rule working once, by adding ".*docker\.io.*" to the URL regex, but I doubt that this fixed the root cause. After some time the rule stopped working again without any change made on the firewall.


Accepted Solutions
Admin

Re: Custom URL matching with HTTPS categorization

Currently we only match the CN of the certificate, not the SNI.

There is a customer-specific release for R80.10 that incorporates support for matching against SNI.

Please check with your local Check Point office for further details.

You might try using the Application Control Signature Tool: Signature Tool for custom Application Control and URL Filtering applications 
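
Added example (not part of the thread and not Check Point code): a Python sketch that collects the names visible without decryption (certificate CN, SAN, and SNI) and shows which of them a custom-URL regex matches as a plain regular expression. The certificate dict is constructed from the values quoted in the question, the helper names are hypothetical, and the code does not model the gateway's matching engine.

```python
import re

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert(),
# filled with the CN and SAN values quoted in the question.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.docker.com"),),),
    "subjectAltName": (("DNS", "docker.io"),),
}
SAMPLE_SNI = "www.docker.com"  # hostname the client sends in the ClientHello


def tls_identities(cert, sni):
    """Collect the names visible without decryption, keyed by where they come from."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"cn": cn, "san": san, "sni": [sni] if sni else []}


def regex_hits(pattern, identities, sources):
    """Return (source, name) pairs from the chosen sources that the regex matches."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(s, n) for s in sources for n in identities[s] if rx.search(n)]


def wildcard_covers(cert_name, host):
    """Hostname-verification view: '*' stands for exactly one left-most label."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == cert_name[2:]


def compare(pattern, cert=SAMPLE_CERT, sni=SAMPLE_SNI):
    """Show what a CN-only matcher hits versus one that also sees SAN and SNI."""
    ids = tls_identities(cert, sni)
    return {
        "cn_only": regex_hits(pattern, ids, ["cn"]),
        "cn_san_sni": regex_hits(pattern, ids, ["cn", "san", "sni"]),
    }


if __name__ == "__main__":
    for pat in (r".*docker\.com.*", r"^www\.docker\.com$", r".*docker\.io.*"):
        print(pat, compare(pat))
    print(wildcard_covers("*.docker.com", SAMPLE_SNI))
```

A pattern written for the hostname the user types only has something to match when the SNI is among the inspected fields; a CN-only view sees the literal string "*.docker.com".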

6 Replies

Re: Custom URL matching with HTTPS categorization

We are having the same kind of issues in our environment. Without HTTPS inspection it will not work 100% as expected. Some websites are categorized properly, but some of them don't match at all, even with wildcards. Also, using regex without HTTPS inspection is not the recommended way to define a custom app object.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Re: Custom URL matching with HTTPS categorization

This is funny, because Check Point support was suggesting to USE regex.

Re: Custom URL matching with HTTPS categorization

Thanks, I (or let's say my users) would really appreciate it if the SNI matching would make its way into the GA release. Is there any reason against it? I will ask my Check Point contact about this also.

Indeed, using the ACST tool it is also possible to check the SNI. I will give it a try.

Admin

Re: Custom URL matching with HTTPS categorization

I assume that we will bring this support into the maintrain, but not sure of the timelines on that. 

sajin

Re: Custom URL matching with HTTPS categorization

Local Check Point had provided the SNI wrapper HOTFIX for blocking HTTPS sites, and we are doing "Categorize HTTPS websites", not HTTPS Inspection. It worked after the installation with Take 154, and the file had even been added for BOOT SURVIVAL. After a week, related to some other troubleshooting, I did a reboot and the SNI feature stopped working.