Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

How do you block IP based URL names?

Sigh...  This would be easy if you were blocking uncategorized URL sites.  http://8.8.8.8. would be blocked.  But we cannot block uncategorized.  In the logs, the Application Name shows the name as an IP.  There just does not seem to be a method to drop it.  Am I missing it?

6 Replies
Highlighted
Pearl

You should be able to define custom Applications and use IPs in URLs.

If you want to be less specific and simply drop any URL containing IP address, you should be able to do so by defining the custom App's URL as REGEX:

Not being regex expert, I cannot be more specific.

There used to be "All Unknown" or some such object in R77.XX, but it is no longer available.

0 Kudos
Highlighted
Admin
Admin

There is an "uncategorized" tag you can add to the rulebase to block/allow based on that (even in R80.x).

Also, in R80.x, there is a "Unknown Traffic" App Control signature that matches everything that isn't HTTP that doesn't match any other signature.

0 Kudos
Highlighted
Pearl

Thank you for bringing these to my attention.

I'd like to learn more about their use cases and consequences.

0 Kudos
Highlighted

IP V4 has about 4 billion possible addresses.  It will take awhile to add them to that custom group.  Let alone that I have people already choking on the number of objects we have now.  Smiley Happy

The point is to drop IP address URL strings.  After they figure that out that decimal addresses work to, then we will have to block those too.

0 Kudos
Highlighted
Pearl

When using regular expressions, you are performing pattern matching. Use 0-9 or 0-9,0-9 or 0-9,0-0,0-9 for each octet, not actually adding those by hand.

If you are simply trying to discriminate between normal URLs and those containing IPs, this should allow https://www.checkpoint.com but block https://104.76.111.191/

Highlighted
Nickel

I think something like this might work - \/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

0 Kudos