Network_M
Collaborator

How to block some https sites?

I have a rule in Checkpoint, in Policy tab:

Source: host (one pc with IP)

Destination: Internet

Services & Applications: denied_sites

Action: drop

denied_sites: custom site, which contains some urls.

I wrote both http://www.example.com, https://www.example.com

After installation policy, rule drops only http, but not https.

How can I make that rule work for https too? (Without turning on https inspection)

I looked at previous questions, but I didn't manage to find a solution.

29 Replies
HristoGrigorov

Copy&paste from help:

In the URL List, enter the URLs.

  • Do not include http/https prefixes
  • The URL list supports the use of wild cards, for example to define the sub domains and paths of a top level domain. (*.checkpoint.com/*)
  • Select "URLs are defined as Regular Expression" to define more complex domain patterns, or for greater specificity.

    For example, if a news site has these links:

    https://www.news.com

    http://www.news.com

    To allow access only to the https link, use this regular expression:

    ^https:\/\/.*\.news\.com

    Note: The application or site URL defined by a regular expression must use the correct syntax.

Network_M
Collaborator

In the URL list, if I write *.example.com/* it gives an error:

URL cannot contain the following substring: /*

Then I wrote *.example.com and it blocks only http, not https.

It cannot block https sites.

What else can be done?

0 Kudos
HristoGrigorov

Add this:

(^|.*\.)*example\.com

and make sure "URLs are defined as Regular Expression" is ticked.

But if the site is using SNI then you had better follow the SK mentioned below.

0 Kudos
Network_M
Collaborator

I have tried adding this and ticked as "Regular Expression".

I added some sites, not one.

https is not blocked still.

Simple proxies may block https; why is it so difficult in Checkpoint?

Can Checkpoint block https?

0 Kudos
PhoneBoy
Admin

In addition to what Hristo Grigorov said, you need to confirm what the DN of the certificate of the site you want to block is, as that is what is matched.

Network_M
Collaborator

Do you mean that I should include the full domain name of the certificate in the URL list?

0 Kudos
PhoneBoy
Admin

Whatever it says in the DN of the certificate.

0 Kudos
Network_M
Collaborator

How do I see the DN of the certificate? I could not find it.

0 Kudos
HristoGrigorov

This is certificate DN:

This is certificate w/o SNI:

This is certificate with SNI:

0 Kudos
Network_M
Collaborator

How can I block https://z1.fm site for example?

0 Kudos
HristoGrigorov

^https:\/\/z1\.fm

Network_M
Collaborator

I have checked; it does not block. Any other solution?

HristoGrigorov

I am sorry mate, no idea what is wrong. It works for me here.

0 Kudos
Network_M
Collaborator

Thank you anyway mate! Then I have to write to tech.support.

PhoneBoy
Admin

The CN of the certificate for z1.fm is sni.cloudflaressl.com, as shown below:

This means you cannot currently use the URL z1.fm to block, as we will see sni.cloudflaressl.com, at least in the manner described.

Right now, you can do one of two things:

In general, we do plan to improve our support for SNI in the near future.

Network_M
Collaborator

Ok, can we block that site by its IP addresses then?

0 Kudos
PhoneBoy
Admin

You can, but it's possible you will also block some legitimate sites in the process (not to mention the IP could change, being behind CloudFlare).

Is there some reason you can't use the Application Control Signature Tool to create a signature for the site?

0 Kudos
Network_M
Collaborator

The reason is that I don't know how to use the Application Control Signature Tool.

Is it possible to create a custom signature for any site?

I would appreciate it if you shared one example of how to create a custom signature step by step.

Thanks.

0 Kudos
PhoneBoy
Admin

It's a pretty straightforward Windows app with documentation that can help you.

This is what I created specifically for the site you mentioned:

Import the app into R80.x Management:

Create a rule based on the signature and push policy:

And, sure enough, it works. 

No HTTPS Inspection required.

Network_M
Collaborator

Very cool. Where can I download that Windows app?

0 Kudos
PhoneBoy
Admin

It is linked in my previous comments.

0 Kudos
Maarten_Sjouw
Champion

Can this exported Application also be used with R77.30?

Regards, Maarten
0 Kudos
PhoneBoy
Admin

The tool produces R77.x and R80.x versions of the application definition.

0 Kudos
Network_M
Collaborator

I could not find a link to that app. Would you provide it please?

0 Kudos
PhoneBoy
Admin

Adam12
Explorer

Hey PhoneBoy,

Maybe you could help me out; not sure if I am missing a step. We have https inspection enabled, though in bypass mode, and have sites that are not being blocked on https but are blocked for http. I created an app with the signature tool and imported it (R77.30). I see it in the applications/sites, but in the policy it does not show up. I have installed the database and pushed policy, but it still doesn't populate in the policy for an app to be added to a rule.

0 Kudos
Kosin_Usuwanthi
Collaborator

Custom URL filtering by SNI

sk103051

0 Kudos
Maarten_Sjouw
Champion

What we experienced is that putting more than 1 line in the URLs field will break the https recognition abilities.

Try changing the custom application to only one URL, like example\.com as a regular expression, and check whether https categorization is turned on when you do not have https inspection enabled.

Regards, Maarten
Danny
Champion

Is HTTPS inspection enabled? If not, is the first checkbox for categorization of HTTPS websites checked within the engine settings?

0 Kudos