This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GigaYang
Collaborator
‎2025-01-06 10:24 AM
Jump to solution

URLF Regular Expression

Hello everyone,
We have a website control requirement as follows:

https://www.example.com (Permit)
https://www.example.com/forum/popular/buzz?tab=popular(Block)

I plan to control it through HTTPS Inspection + URLF.

So I wrote a Regular Expression as follows:
\.example\.com\/forum\/popular\/buzz?tab=popular

But the result is a failure. Please tell me how to modify it.

Thanks

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2025-01-06 12:09 PM
Jump to solution

Try this:

\.example\.com\/forum\/popular\/buzz\?tab\=popular

"=" is significant to regular expression matching for assignment and needs to be quoted.  "?" is significant as well and although you don't strictly need to quote it with a "\" to make it work, doing so may improve performance slightly.  If it still doesn't match try toggling the checkbox "URL is a regular expression" on the custom site/app object.

Edit: clarified what ? matches based on Bob's post

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

29 Replies
the_rock
Legend
Legend
‎2025-01-06 10:29 AM
Jump to solution

Hey @GigaYang 

I would make sure rule to block comes first, or if you are allowed, send me actual sites directly and Im happy to test in the lab.

Andy

0 Kudos
(1)
GigaYang
Collaborator
‎2025-01-06 11:03 AM
In response to the_rock
Jump to solution

https://www.cmoney.tw/forum/popular/buzz?tab=popular

0 Kudos
the_rock
Legend
Legend
‎2025-01-06 11:05 AM
In response to GigaYang
Jump to solution

So you want to do below?

block -> https://www.cmoney.tw/forum/popular/buzz?tab=popular

allow -> https://www.cmoney.tw

Right?

Andy

0 Kudos
GigaYang
Collaborator
‎2025-01-06 11:13 AM
In response to the_rock
Jump to solution

Hi Rock,

Yes, we need it.

0 Kudos
the_rock
Legend
Legend
‎2025-01-06 11:15 AM
In response to GigaYang
Jump to solution

Will test it shortly and let you know.

Andy

the_rock
Legend
Legend
‎2025-01-06 12:07 PM
In response to GigaYang
Jump to solution

Hm, cant seem to block it, though I even made sure its not bypassed in inspection policy. Let me keep trying/

Andy

(1)
the_rock
Legend
Legend
‎2025-01-06 12:31 PM
In response to GigaYang
Jump to solution

I have a feeling it could be something with that site, cause every single time, no matter what "flavors" I try, it shows bypassed in https inspection, but so many different countries...Korea, Taiwan, USA...AND, on top of that, always different categories too. Though I blocked in in url layer and also inspected in https inspection policy.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-01-06 12:40 PM
In response to the_rock
Jump to solution

Assuming my alternate regex does not work and it always seems to Bypass anyway, I suppose it is possible that this server falls into the implied HTTPS Inspection exceptions.  Try disabling it but be warned this will break a lot of stuff in a production environment:

https://support.checkpoint.com/results/sk/sk98655

Also I assume you are not using the Check Point-provided bypass object in your HTTPS Inspection policy, it could be in there too:

https://support.checkpoint.com/results/sk/sk163595

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Lesley
Authority Authority
Authority
‎2025-01-06 11:16 AM
Jump to solution

Sometimes if you use regular expression it can impact gateway performance.

Make sure when you are done with the changes and pushed them to the firewall, to run a HCP health check.

Any incorrect configured expressions that could cause high load are listed in this report. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
GigaYang
Collaborator
‎2025-01-06 11:20 AM
In response to Lesley
Jump to solution

Hi Lesley,

Thank you for your reminder.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-01-06 12:09 PM
Jump to solution

Try this:

\.example\.com\/forum\/popular\/buzz\?tab\=popular

"=" is significant to regular expression matching for assignment and needs to be quoted.  "?" is significant as well and although you don't strictly need to quote it with a "\" to make it work, doing so may improve performance slightly.  If it still doesn't match try toggling the checkbox "URL is a regular expression" on the custom site/app object.

Edit: clarified what ? matches based on Bob's post

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
Legend
Legend
‎2025-01-06 12:41 PM
In response to Timothy_Hall
Jump to solution

Just tried that too in the lab as regular expression as well, no joy...

GigaYang
Collaborator
‎2025-01-06 12:53 PM
In response to the_rock
Jump to solution

Hi Rock,

Thanks for your kindly help.

0 Kudos
the_rock
Legend
Legend
‎2025-01-06 12:55 PM
In response to GigaYang
Jump to solution

No worries, happy it worked for you! Maybe I did the wrong syntax in the lab.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-01-06 02:19 PM
In response to GigaYang
Jump to solution

Would you mind sharing exact syntax you used? I would like to test it in the lab...not having much luck with ones Im trying.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-01-06 02:48 PM
In response to the_rock
Jump to solution

Never mind @GigaYang , I got it. It was being bypassed on financial services, as soon as I removed that, it was blocked. I just used below:

\.cmoney\.tw\/forum\/popular\/buzz\?tab\=popular

Cheers,

Andy

0 Kudos
GigaYang
Collaborator
‎2025-01-06 12:53 PM
In response to Timothy_Hall
Jump to solution

I have try that. It can block the URL. 😀

 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2025-01-06 01:11 PM
In response to Timothy_Hall
Jump to solution

? in a regular expression should match the previous element (typically a character, but can be a character class or a group) 0 or 1 times. For example, "https?" would match http or https. If you want to match a literal question mark in the input, you definitely need to escape the question mark in the expression (or put it in a character class, or replace it with a dot).

Timothy_Hall
Legend Legend
Legend
‎2025-01-06 05:50 PM
In response to Bob_Zimmerman
Jump to solution

Got it, thanks for the clarification!

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
GigaYang
Collaborator
‎2025-01-07 12:32 AM
In response to Timothy_Hall
Jump to solution

After I turn on HTTPS Inspection. I found the cert expire date not match between PC browser and  Gateway.

Has anyone encountered this situation?

Preview file
61 KB
Preview file
48 KB
0 Kudos
the_rock
Legend
Legend
‎2025-01-07 03:14 AM
In response to GigaYang
Jump to solution

If page is blocked, you would not see the actual cmoney cert presented. I will send you some screenshots later from my lab.

Andy

0 Kudos
GigaYang
Collaborator
‎2025-01-07 03:36 AM
In response to the_rock
Jump to solution

Hi Rock,

I I noticed that HTTPS Inspection only changes some of the website credentials information seen by the user's browser. The issuer will be modified to be consistent with the HTTPS Inspection certificate, and the issuance expiration date will still be the information of the original real certificate.

0 Kudos
the_rock
Legend
Legend
‎2025-01-07 03:38 AM
In response to GigaYang
Jump to solution

@GigaYang See if below post I made helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-lab-guide/m-p/214429#M40929

(1)
GigaYang
Collaborator
‎2025-01-07 03:44 AM
In response to the_rock
Jump to solution

It is great. Thanks for your help. 😀

0 Kudos
the_rock
Legend
Legend
‎2025-01-07 04:10 AM
In response to GigaYang
Jump to solution

I will send you some screenshots from my lab as well.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-01-07 04:40 AM
In response to GigaYang
Jump to solution

I attached doc with some screenshots I took. Let me know if its not clear and I will do my best to help more.

Andy

Preview file
612 KB
0 Kudos
benalastair
Explorer
‎2025-02-04 06:36 AM
Jump to solution

I'm also encountering this issue right now. I tried a similar approach using HTTPS Inspection + URLF but couldn't get the regular expression to work as expected.

Did you find a working solution, or is there a specific syntax adjustment needed for this case?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-02-05 01:45 AM
In response to benalastair
Jump to solution

Example?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
benalastair
Explorer
‎2025-02-04 06:37 AM
Jump to solution

I'm also encountering this issue right now. I tried a similar approach using HTTPS Inspection + URLF but couldn't get the regular expression to work as expected. It reminds me of troubleshooting regular expressions in CapCut's video editing features—sometimes a small syntax issue can prevent effects or transitions from applying correctly. If you're looking for a more optimized editing experience on CapCut for pc, you could check out CapProCut APK. Did you find a working solution, or is there a specific syntax adjustment needed for this case?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events