Please tell me the best practices for blocking URLs in a scenario where two resources have different URLs but the same IP.
The problem is that we block a malicious resource using a domain object in the access rules, but we see in the logs that this rule also blocks a legitimate resource.
Thank you
Is the URL filtering blade licensed / used for this gateway?
This works differently than your current approach (DNS objects in FW blade).
Yes, the URL Filtering blade is enabled and licensed
In the case of 443, the FW will need to be able to see the CN in the certificate or do full HTTPS inspection.
Based on this you can create domain based object and the firewall will resolve it for you.
Make sure you have correct blades: url filtering and enable either categorize https or full https inspection.
Blade is enabled.
Its settings have fail-close mode.
Also enabled checkboxes: Categorize HTTPS websites, Enforce safe search on search engines, Categorize cached pages and translated pages in search engines.
Added http, https, HTTPS_proxy, HTTP_proxy.
Not sure how it's configured under blades, but in my case, I always set it like below for URL filtering:
fail mode -> block
categorization -> background
same for https inspection (under manage and settings -> blades)
Btw, just tested your scenario, works fine for me, no issues.
Andy
Can you tell me how you tested it?
Did you enable HTTPS inspection and set the "Domains" object to ".cdn.stepik.net" in the allow rule and ".minboth.click" in the deny rule below?
I also want to mention that you should open the "stepik.org" website to see the redirect to cdn.stepik.net, which is blocked as minboth.click on CheckPoint.
Yep, that's it. I wish I took a video or screenshot, apologies. My colleague is currently modifying our lab, since he has to put in a more powerful firewall, so I can't access it at the moment, but that's the gist of it and yes, SSL inspection is on.
Andy
Can you give an example? I can test it in my https inspection lab.
Andy
I'm not sure that's needed; it appears to be simply about how DNS objects function: they are resolved to IPs.
URL filtering works differently by comparison.
Right, that's true, I just wanted to see if I can simulate it in the lab.
Andy
minboth[.]click is a domain that is blocked by an access rule.
cdn.stepik.net is a legitimate resource with the same IP that should not be blocked, but it is blocked in our environment.
Is https inspection enabled?
Can you share how that rule looks? Are you using the Destination or Services column?
We use the "Destination" column, which contains an object of the "Domains" type.
You will likely need to switch to using URL filtering rather than Domain objects.
At a minimum you could try a URL filtering rule / Layer above your current rule with the domain object to allow sites that you don't want blocked by it, but this may not be foolproof.
Is your firewall in the path between clients and the DNS server they use?
If so, you might want to implement DNS Trap.
With Anti-Virus/Anti-Bot and DNS Trap configured, the malicious domain will resolve to the DNS Trap IP instead, which should be a harmless IP (the default IP provided is).
Yes, user requests to the DNS go through CheckPoint.
We thought about this option.
How should we configure the DNS Trap so that we can specify which URLs are malicious and which are safe? If I'm not mistaken, CheckPoint determines this itself.
Just MAKE SURE to NOT configure dns trap to any IP address used anywhere in the network.
Andy
DNS Trap is a Threat Prevention feature.
Domains already flagged as malicious ones in ThreatCloud will be rewritten to the DNS Trap IP.
You can create exceptions in your Threat Prevention policy using Custom Application/Site objects.
"Inactive" means allow, "Prevent" means block.