George_Ellis
Advisor

How do you block IP based URL names?

Sigh...  This would be easy if you were blocking uncategorized URL sites.  http://8.8.8.8. would be blocked.  But we cannot block uncategorized.  In the logs, the Application Name shows the name as an IP.  There just does not seem to be a method to drop it.  Am I missing it?

6 Replies
Vladimir
Champion

You should be able to define custom Applications and use IPs in URLs.

If you want to be less specific and simply drop any URL containing IP address, you should be able to do so by defining the custom App's URL as REGEX:

Not being a regex expert, I cannot be more specific.

There used to be "All Unknown" or some such object in R77.XX, but it is no longer available.

0 Kudos
PhoneBoy
Admin

There is an "uncategorized" tag you can add to the rulebase to block/allow based on that (even in R80.x).

Also, in R80.x, there is a "Unknown Traffic" App Control signature that matches everything that isn't HTTP that doesn't match any other signature.

0 Kudos
Vladimir
Champion

Thank you for bringing these to my attention.

I'd like to learn more about their use cases and consequences.

0 Kudos
George_Ellis
Advisor

IP V4 has about 4 billion possible addresses.  It will take a while to add them to that custom group.  Let alone that I have people already choking on the number of objects we have now.  :)

The point is to drop IP address URL strings.  After they figure out that decimal addresses work too, then we will have to block those too.

0 Kudos
Vladimir
Champion

When using regular expressions, you are performing pattern matching. Use 0-9 or 0-9,0-9 or 0-9,0-0,0-9 for each octet, not actually adding those by hand.

If you are simply trying to discriminate between normal URLs and those containing IPs, this should allow https://www.checkpoint.com but block https://104.76.111.191/

Alex_Weldon
Contributor

I think something like this might work - \/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

0 Kudos
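
Added example (not part of any reply in this thread, and not Check Point's own code): a Python check that runs the pattern posted above against sample URLs, showing that it also fires on a dotted version number in a URL path and misses the decimal host form raised earlier in the thread, next to a host-anchored variant. The tighter pattern, the `classify` helper, and the example.com and decimal URLs are assumptions constructed here; Python's `re` syntax may differ from what the gateway accepts, so test any pattern there before relying on it.

```python
import re

# Pattern as posted in the thread: four dot-separated digit runs after any "/".
THREAD_PATTERN = re.compile(r"\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Assumed tighter variant (not from the thread): anchored to the scheme so only
# the host is tested, octets limited to 0-255, and a second alternative for a
# host written as one bare decimal integer (134744072 is 8.8.8.8).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IP_HOST_PATTERN = re.compile(
    r"^https?://(?:[^/@]*@)?"        # scheme, optional userinfo
    r"(?:" + OCTET + r"(?:\." + OCTET + r"){3}|[0-9]{1,10})"  # dotted quad or decimal
    r"\.?(?::[0-9]+)?(?:[/?#]|$)",   # optional trailing dot and port; host ends here
    re.IGNORECASE,
)

SAMPLE_URLS = [
    "https://www.checkpoint.com",                        # from the thread: allow
    "https://104.76.111.191/",                           # from the thread: block
    "http://8.8.8.8",                                    # from the thread: block
    "https://example.com/downloads/1.2.3.4/notes.html",  # constructed: version in path
    "https://1.2.3.4.example.com/",                      # constructed: digits in hostname
    "http://134744072/",                                 # constructed: decimal 8.8.8.8
]

def classify(urls):
    """Return {url: (thread_pattern_hit, host_anchored_hit)}."""
    return {
        u: (bool(THREAD_PATTERN.search(u)), bool(IP_HOST_PATTERN.match(u)))
        for u in urls
    }

if __name__ == "__main__":
    for url, (thread_hit, host_hit) in classify(SAMPLE_URLS).items():
        print(f"{url:52} thread={thread_hit!s:5} host_anchored={host_hit}")
```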
