GigaYang
Collaborator

URLF Regular Expression

Hello everyone,
We have a website control requirement as follows:

https://www.example.com (Permit)
https://www.example.com/forum/popular/buzz?tab=popular (Block)

I plan to control it through HTTPS Inspection + URLF.

So I wrote a Regular Expression as follows:
\.example\.com\/forum\/popular\/buzz?tab=popular

But the result is a failure. Please tell me how to modify it.

Thanks


Accepted Solutions
Timothy_Hall
Legend

Try this:

\.example\.com\/forum\/popular\/buzz\?tab\=popular

"=" is significant to regular expression matching for assignment and needs to be quoted.  "?" is significant as well and although you don't strictly need to quote it with a "\" to make it work, doing so may improve performance slightly.  If it still doesn't match try toggling the checkbox "URL is a regular expression" on the custom site/app object.

Edit: clarified what ? matches based on Bob's post

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

the_rock
Legend

Hey @GigaYang 

I would make sure the rule to block comes first, or if you are allowed, send me the actual sites directly and I'm happy to test in the lab.

Andy

the_rock
Legend

So you want to do below?

block -> https://www.cmoney.tw/forum/popular/buzz?tab=popular

allow -> https://www.cmoney.tw

Right?

Andy

GigaYang
Collaborator

Hi Rock,

Yes, we need it.

the_rock
Legend

Will test it shortly and let you know.

Andy

the_rock
Legend

Hm, can't seem to block it, though I even made sure it's not bypassed in inspection policy. Let me keep trying.

Andy

the_rock
Legend

I have a feeling it could be something with that site, cause every single time, no matter what "flavors" I try, it shows bypassed in https inspection, but so many different countries...Korea, Taiwan, USA...AND, on top of that, always different categories too. Though I blocked it in url layer and also inspected in https inspection policy.

Andy

Timothy_Hall
Legend

Assuming my alternate regex does not work and it always seems to Bypass anyway, I suppose it is possible that this server falls into the implied HTTPS Inspection exceptions.  Try disabling it but be warned this will break a lot of stuff in a production environment:

https://support.checkpoint.com/results/sk/sk98655

Also I assume you are not using the Check Point-provided bypass object in your HTTPS Inspection policy, it could be in there too:

https://support.checkpoint.com/results/sk/sk163595

 

Lesley
Mentor

Sometimes if you use regular expression it can impact gateway performance.

Make sure when you are done with the changes and have pushed them to the firewall, to run an HCP health check.

Any incorrectly configured expressions that could cause high load are listed in this report.

GigaYang
Collaborator

Hi Lesley,

Thank you for your reminder.

the_rock
Legend

Just tried that too in the lab as regular expression as well, no joy...

GigaYang
Collaborator

Hi Rock,

Thanks for your kind help.

the_rock
Legend

No worries, happy it worked for you! Maybe I did the wrong syntax in the lab.

Andy

the_rock
Legend

Would you mind sharing the exact syntax you used? I would like to test it in the lab...not having much luck with the ones I'm trying.

Andy

the_rock
Legend

Never mind @GigaYang, I got it. It was being bypassed on financial services; as soon as I removed that, it was blocked. I just used below:

\.cmoney\.tw\/forum\/popular\/buzz\?tab\=popular

Cheers,

Andy

GigaYang
Collaborator

I have tried that. It can block the URL. 😀

Bob_Zimmerman
Authority

? in a regular expression should match the previous element (typically a character, but can be a character class or a group) 0 or 1 times. For example, "https?" would match http or https. If you want to match a literal question mark in the input, you definitely need to escape the question mark in the expression (or put it in a character class, or replace it with a dot).
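
The quantifier behaviour described above, as an added example that is not part of any post in this thread. Python's `re` module stands in for the gateway's regex engine (an assumption; URL normalization on the gateway is not modeled), and `evaluate` and `suspicious_question_marks` are hypothetical helper names.

```python
import re

# Patterns quoted in the thread.
ORIGINAL = r"\.example\.com\/forum\/popular\/buzz?tab=popular"
ESCAPED = r"\.example\.com\/forum\/popular\/buzz\?tab\=popular"

# URLs from the original requirement.
BLOCK = ["https://www.example.com/forum/popular/buzz?tab=popular"]
PERMIT = ["https://www.example.com"]


def evaluate(pattern, block=BLOCK, permit=PERMIT):
    """Return (missed, overblocked): URLs the pattern fails to block or wrongly blocks."""
    rx = re.compile(pattern)
    missed = [u for u in block if not rx.search(u)]
    overblocked = [u for u in permit if rx.search(u)]
    return missed, overblocked


def suspicious_question_marks(pattern):
    """Offsets of unescaped '?' that act as a quantifier but are followed by
    'name=' text, i.e. were probably meant as the literal query-string '?'."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":  # escaped character: skip the backslash and its target
            i += 2
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif (c == "?" and not in_class
              and (i == 0 or pattern[i - 1] != "(")  # ignore (?...) group syntax
              and re.match(r"\w+\\?=", pattern[i + 1:])):
            hits.append(i)
        i += 1
    return hits


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("escaped", ESCAPED)):
        print(name, evaluate(pat), suspicious_question_marks(pat))
    # The original makes the second 'z' optional and never consumes a literal '?',
    # so it matches this constructed URL instead of the intended one.
    print(evaluate(ORIGINAL, block=["www.example.com/forum/popular/buztab=popular"]))
```

Running the same block and permit lists against every custom pattern before a policy push catches both missed blocks and accidental over-blocking.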

Timothy_Hall
Legend

Got it, thanks for the clarification!

GigaYang
Collaborator

After I turned on HTTPS Inspection, I found that the cert expiry date does not match between the PC browser and the Gateway.

Has anyone encountered this situation?

the_rock
Legend

If the page is blocked, you would not see the actual cmoney cert presented. I will send you some screenshots later from my lab.

Andy

GigaYang
Collaborator

Hi Rock,

I noticed that HTTPS Inspection only changes some of the website credentials information seen by the user's browser. The issuer will be modified to be consistent with the HTTPS Inspection certificate, and the issuance expiration date will still be the information of the original real certificate.

GigaYang
Collaborator

It is great. Thanks for your help. 😀

the_rock
Legend

I will send you some screenshots from my lab as well.

Andy

the_rock
Legend

I attached a doc with some screenshots I took. Let me know if it's not clear and I will do my best to help more.

Andy
