This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Network_M
Collaborator
‎2019-01-13 01:29 AM

How to block some https sites?

I have a rule in Checkpoint, in Policy tab:

Source: host (one pc with IP)

Destination: Internet

Services & Applications: denied_sites

Action: drop

denied_sites: custom site, which contains some urls.

I wrote both http://www.example.com, https://www.example.com

After installation policy, rule drops only http, but not https.

How can I make that rule worked for https too? (Without turning on https inspection)

I looked previous questions, but I didn't manage to find solution.

29 Replies
HristoGrigorov
MVP Gold
MVP Gold
‎2019-01-13 05:07 AM

Copy&paste from help:

In the URL List, enter the URLs.

  • Do not include http/https prefixes
  • The URL list supports the use of wild cards, for example to define the sub domains and paths of a top level domain. (*.checkpoint.com/*)
  • Select URLS are defined as Regular Expression to define more complex domain patterns, or for greater specificity.

    For example, if a news site has these links:

    https://www.news.com

    http://www.news.com

    To allow access only to the https link, use this regular expression:

    ^https:\/\/.*\.news\.com

    Note: The application or site URL defined by a regular expression must use the correct syntax.

Network_M
Collaborator
‎2019-01-16 10:47 PM
In response to HristoGrigorov

In url list, if I write *.example.com/* it gives error:

URL cannot contain the following substring: /*

Then I wrote *.example.com and it blocks only http, not https.

It cannot block https sites.

What else can be done?

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2019-01-16 10:56 PM
In response to Network_M

Add this:

(^|.*\.)*example\.com

and make sure "URLs are defined as Regular Expression" is ticked.

But if the site is using SNI then you better follow SK mentioned bellow.

0 Kudos
Network_M
Collaborator
‎2019-01-17 01:40 AM
In response to HristoGrigorov

I have tried adding this and ticked as "Regular Expression".

I added some sites, not one.

https is not blocked still.

Simple Proxies may block https, why it is so difficult in Checkpoint?

Can Checkpoint block https?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-13 10:08 AM

In addition to what Hristo Grigorov‌ said, you need to confirm what the DN of the certificate of the site you want to block is as that is what is matched.

Network_M
Collaborator
‎2019-01-16 10:48 PM
In response to PhoneBoy

Do you mean that I should include full domain name of the certificate in URL list?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-17 10:00 AM
In response to Network_M

Whatever it says in the DN of the certificate.

0 Kudos
Network_M
Collaborator
‎2019-01-17 07:59 PM
In response to PhoneBoy

How to see DN of the certificate? I could not find

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2019-01-17 08:57 PM
In response to Network_M

This is certificate DN:

This is certificate w/o SNI:

This is certificate with SNI:

0 Kudos
Network_M
Collaborator
‎2019-01-24 04:16 AM
In response to HristoGrigorov

How can I block https://z1.fm site for example?

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2019-01-24 04:29 AM
In response to Network_M

^https:\/\/z1\.fm

Network_M
Collaborator
‎2019-01-24 10:52 PM
In response to HristoGrigorov

I have checked, it does not block. Any other solution?

HristoGrigorov
MVP Gold
MVP Gold
‎2019-01-24 11:03 PM
In response to Network_M

I am sorry mate, no idea what is wrong. It works for me here.

0 Kudos
Network_M
Collaborator
‎2019-01-24 11:25 PM
In response to HristoGrigorov

Thank you anyway mate! Then I have to write to tech.support.

PhoneBoy
Admin
Admin
‎2019-01-25 04:30 PM
In response to Network_M

The CN of the certificate for z1.fm is sni.cloudflaressl.com, as shown below:

This means you cannot currently use the URL z1.fm to block, as we will see sni.cloudflatessl.com, at least in the manner described.

Right now, you can do one of two things:

In general, we do plan to improve our support for SNI in the near future.

Network_M
Collaborator
‎2019-01-26 10:21 PM
In response to PhoneBoy

Ok, can we block that site by its IP addresses then?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-26 11:55 PM
In response to Network_M

You can, but it's possible you will also block some legitimate sites in the process (not to mention the IP could change, being behind CloudFlare).

Is there some reason you can't use the Application Control Signature Tool to create a signature for the site?

0 Kudos
Network_M
Collaborator
‎2019-01-27 11:20 PM
In response to PhoneBoy

The reason is that I don't know how to use Application Control Signature Tool.

Is it possible to create custom signature for any site?

I would appreciate if you share one example how to create custom signature step by step.

Thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-28 05:37 AM
In response to Network_M

It's a pretty straightforward Windows app with documentation that can help you.

This is what I created specifically for the site you mentioned:

Import the app into R80.x Management:

Create a rule based on the signature and push policy:

And, sure enough, it works. 

No HTTPS Inspection required.

Network_M
Collaborator
‎2019-01-30 10:59 PM
In response to PhoneBoy

Very cool. Where can I download that Windows app?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-30 11:03 PM
In response to Network_M

It is linked in my previous comments.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-01-31 01:09 AM
In response to PhoneBoy

Can this exported Application also be used with R77.30?

Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-31 08:30 AM
In response to Maarten_Sjouw

The tool produces R77.x and R80.x versions of the application definition.

0 Kudos
Network_M
Collaborator
‎2019-02-01 10:33 PM
In response to PhoneBoy

I could not find link to that app. Would you provide please?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-01 11:00 PM
In response to Network_M

It's in this SK: Signature Tool for custom Application Control and URL Filtering applications 

Adam12
Explorer
‎2019-08-27 03:22 PM
In response to PhoneBoy

Hey PhoneBoy,

Maybe you could help me out, not sure if I am missing a step, We have https inspection enabled, though in bypass mode, have sites that are not being blocked on https, but are blocked for http. I created an app with the signature tool, imported it, (R77.30), I see it in the applications/sites, but in the policy it does not show up. I have installed database and pushed policy, but it still doesn't populate in the policy for an app to added to a rule.

0 Kudos
Kosin_Usuwanthi
Collaborator
‎2019-01-13 06:40 PM

Custom URL filtering by SNI

sk103051

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-01-17 01:42 AM

What we experienced is that putting more than 1 line in the urls field will break the https recognition abilities.

Try to change the custom application to only one url like example\.com as a regular expression and check to see if https categorization is turned on when you do not have https inspection enabled.

Regards, Maarten
Danny
MVP Gold
MVP Gold
‎2019-01-27 11:44 PM

Is HTTPS inspection enabled? If not, is the first checkbox for categorization of HTTPS websites checked within the engine settings?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events