GigaYang
Collaborator

URLF Regular Expression

Hello everyone,
We have a website control requirement as follows:

https://www.example.com (Permit)
https://www.example.com/forum/popular/buzz?tab=popular (Block)

I plan to control it through HTTPS Inspection + URLF.

So I wrote a Regular Expression as follows:
\.example\.com\/forum\/popular\/buzz?tab=popular

But the result is a failure. Please tell me how to modify it.

Thanks

1 Solution

Accepted Solutions
Timothy_Hall
Legend

Try this:

\.example\.com\/forum\/popular\/buzz\?tab\=popular

"=" is significant to regular expression matching for assignment and needs to be quoted.  "?" is significant as well and although you don't strictly need to quote it with a "\" to make it work, doing so may improve performance slightly.  If it still doesn't match try toggling the checkbox "URL is a regular expression" on the custom site/app object.

Edit: clarified what ? matches based on Bob's post

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2


29 Replies
the_rock
Legend

Hey @GigaYang 

I would make sure the rule to block comes first, or if you are allowed, send me the actual sites directly and I'm happy to test in the lab.

Andy

GigaYang
Collaborator

Hi Rock,

Yes, we need it.

the_rock
Legend

Will test it shortly and let you know.

Andy

the_rock
Legend

Hm, can't seem to block it, though I even made sure it's not bypassed in the inspection policy. Let me keep trying.

Andy

the_rock
Legend

I have a feeling it could be something with that site, 'cause every single time, no matter what "flavors" I try, it shows bypassed in HTTPS Inspection, but so many different countries... Korea, Taiwan, USA... AND, on top of that, always different categories too. Though I blocked it in the URL layer and also inspected it in the HTTPS Inspection policy.

Andy

Timothy_Hall
Legend

Assuming my alternate regex does not work and it always seems to Bypass anyway, I suppose it is possible that this server falls into the implied HTTPS Inspection exceptions.  Try disabling it but be warned this will break a lot of stuff in a production environment:

https://support.checkpoint.com/results/sk/sk98655

Also I assume you are not using the Check Point-provided bypass object in your HTTPS Inspection policy, it could be in there too:

https://support.checkpoint.com/results/sk/sk163595

 

Lesley
Mentor

Sometimes if you use regular expressions it can impact gateway performance.

Make sure when you are done with the changes and have pushed them to the firewall, to run an HCP health check.

Any incorrectly configured expressions that could cause high load are listed in this report.

-------
If you like this post please give a thumbs up(kudo)! 🙂
GigaYang
Collaborator

Hi Lesley,

Thank you for your reminder.

the_rock
Legend

Just tried that too in the lab as regular expression as well, no joy...

GigaYang
Collaborator

Hi Rock,

Thanks for your kind help.

the_rock
Legend

No worries, happy it worked for you! Maybe I did the wrong syntax in the lab.

Andy

the_rock
Legend

Would you mind sharing the exact syntax you used? I would like to test it in the lab... not having much luck with the ones I'm trying.

Andy

the_rock
Legend

Never mind @GigaYang, I got it. It was being bypassed on financial services; as soon as I removed that, it was blocked. I just used the below:

\.cmoney\.tw\/forum\/popular\/buzz\?tab\=popular

Cheers,

Andy

GigaYang
Collaborator

I have tried that. It can block the URL. 😀

 

Bob_Zimmerman
Authority

? in a regular expression should match the previous element (typically a character, but can be a character class or a group) 0 or 1 times. For example, "https?" would match http or https. If you want to match a literal question mark in the input, you definitely need to escape the question mark in the expression (or put it in a character class, or replace it with a dot).
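
A quick offline check of the patterns discussed in this thread, as an added example that is not part of any post. It uses Python's `re` module, whose handling of these metacharacters is assumed to match the gateway's regex engine, and the test URLs are constructed.

```python
import re

# Patterns quoted in the thread (first two) plus the two alternatives
# described above: a character class and a dot in place of the literal "?".
PATTERNS = {
    "original":   r"\.example\.com\/forum\/popular\/buzz?tab=popular",
    "escaped":    r"\.example\.com\/forum\/popular\/buzz\?tab\=popular",
    "char_class": r"\.example\.com\/forum\/popular\/buzz[?]tab=popular",
    "dot":        r"\.example\.com\/forum\/popular\/buzz.tab=popular",
}

# Constructed test URLs: True means the policy wants the URL blocked.
CASES = {
    "https://www.example.com/": False,
    "https://www.example.com/forum/popular/buzz?tab=popular": True,
    "https://www.example.com/forum/popular/buzztab=popular": False,
    "https://www.example.com/forum/popular/buzz/tab=popular": False,
}

def evaluate(pattern, cases=CASES):
    """Return (missed, overblocked) URL lists for an unanchored search."""
    rx = re.compile(pattern)
    missed, overblocked = [], []
    for url, should_block in cases.items():
        hit = rx.search(url) is not None
        if should_block and not hit:
            missed.append(url)        # policy wants a block, pattern is silent
        elif hit and not should_block:
            overblocked.append(url)   # pattern fires on a permitted URL
    return missed, overblocked

def report():
    """Evaluate every candidate pattern against the constructed cases."""
    return {name: evaluate(p) for name, p in PATTERNS.items()}

if __name__ == "__main__":
    for name, (missed, over) in report().items():
        print(f"{name:10} missed={missed} overblocked={over}")
```

The unescaped pattern misses the target URL and instead matches `buzztab=popular`, because `z?` makes the second `z` optional; the dot variant blocks the target but also any other single character in that position.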

Timothy_Hall
Legend

Got it, thanks for the clarification!

GigaYang
Collaborator

After I turned on HTTPS Inspection, I found the cert expiry date does not match between the PC browser and the Gateway.

Has anyone encountered this situation?

the_rock
Legend

If the page is blocked, you would not see the actual cmoney cert presented. I will send you some screenshots later from my lab.

Andy

GigaYang
Collaborator

Hi Rock,

I noticed that HTTPS Inspection only changes some of the website credentials information seen by the user's browser. The issuer will be modified to be consistent with the HTTPS Inspection certificate, and the issuance expiration date will still be the information of the original real certificate.

GigaYang
Collaborator

It is great. Thanks for your help. 😀

the_rock
Legend

I will send you some screenshots from my lab as well.

Andy

the_rock
Legend

I attached a doc with some screenshots I took. Let me know if it's not clear and I will do my best to help more.

Andy

benalastair
Explorer

I'm also encountering this issue right now. I tried a similar approach using HTTPS Inspection + URLF but couldn't get the regular expression to work as expected.

Did you find a working solution, or is there a specific syntax adjustment needed for this case?

Timothy_Hall
Legend

Example?
