I have a rule in Checkpoint, in Policy tab:
Source: host (one pc with IP)
Destination: Internet
Services & Applications: denied_sites
Action: drop
denied_sites: custom site, which contains some urls.
I wrote both http://www.example.com, https://www.example.com
After installing the policy, the rule drops only http, but not https.
How can I make that rule work for https too? (Without turning on https inspection)
I looked at previous questions, but I didn't manage to find a solution.
Copy&paste from help:
In the URL List, enter the URLs.
For example, if a news site has these links:
To allow access only to the https link, use this regular expression:
^https:\/\/.*\.news\.com
Note: The application or site URL defined by a regular expression must use the correct syntax.
In url list, if I write *.example.com/* it gives error:
URL cannot contain the following substring: /*
Then I wrote *.example.com and it blocks only http, not https.
It cannot block https sites.
What else can be done?
Add this:
(^|.*\.)*example\.com
and make sure "URLs are defined as Regular Expression" is ticked.
But if the site is using SNI then you'd better follow the SK mentioned below.
I have tried adding this and ticked as "Regular Expression".
I added some sites, not one.
https is not blocked still.
Simple proxies may block https, so why is it so difficult in Checkpoint?
Can Checkpoint block https?
In addition to what Hristo Grigorov said, you need to confirm what the DN of the certificate of the site you want to block is as that is what is matched.
Do you mean that I should include full domain name of the certificate in URL list?
Whatever it says in the DN of the certificate.
How to see the DN of the certificate? I could not find it.
This is certificate DN:
This is certificate w/o SNI:
This is certificate with SNI:
How can I block https://z1.fm site for example?
^https:\/\/z1\.fm
I have checked, it does not block. Any other solution?
I am sorry mate, no idea what is wrong. It works for me here.
Thank you anyway mate! Then I have to write to tech.support.
The CN of the certificate for z1.fm is sni.cloudflaressl.com, as shown below:
This means you cannot currently use the URL z1.fm to block, as we will see sni.cloudflaressl.com, at least in the manner described.
Right now, you can do one of two things:
In general, we do plan to improve our support for SNI in the near future.
Ok, can we block that site by its IP addresses then?
You can, but it's possible you will also block some legitimate sites in the process (not to mention the IP could change, being behind CloudFlare).
Is there some reason you can't use the Application Control Signature Tool to create a signature for the site?
The reason is that I don't know how to use the Application Control Signature Tool.
Is it possible to create a custom signature for any site?
I would appreciate it if you could share one example of how to create a custom signature step by step.
Thanks.
It's a pretty straightforward Windows app with documentation that can help you.
This is what I created specifically for the site you mentioned:
Import the app into R80.x Management:
Create a rule based on the signature and push policy:
And, sure enough, it works.
No HTTPS Inspection required.
Very cool. Where can I download that Windows app?
It is linked in my previous comments.
Can this exported Application also be used with R77.30?
The tool produces R77.x and R80.x versions of the application definition.
I could not find the link to that app. Would you provide it please?
Hey PhoneBoy,
Maybe you could help me out, not sure if I am missing a step. We have https inspection enabled, though in bypass mode, and have sites that are not being blocked on https, but are blocked for http. I created an app with the signature tool, imported it (R77.30), and I see it in the applications/sites, but in the policy it does not show up. I have installed the database and pushed policy, but it still doesn't populate in the policy for an app to be added to a rule.
Custom URL filtering by SNI
sk103051
What we experienced is that putting more than 1 line in the urls field will break the https recognition abilities.
Try to change the custom application to only one url like example\.com as a regular expression and check to see if https categorization is turned on when you do not have https inspection enabled.
Is HTTPS inspection enabled? If not, is the first checkbox for categorization of HTTPS websites checked within the engine settings?