This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sagar_Manandhar
Advisor
‎2017-07-31 09:34 PM
Jump to solution

Regular Expression in Application And URL Filtering

Hi,

I am trying to make the regular expression to allow the checkpoint community for my PC but it's not working at all. The hit count of the policy is zero . Is there any mistake in the written expression. Please have look at the snapshot.

Thank you 

Sagar Manandhar

Preview file
20 KB
0 Kudos
1 Solution

Accepted Solutions
Meital_Natanson
Employee
Employee
‎2017-08-02 12:21 AM
Jump to solution

Hi Sagar,

community.checkpoint.com is a HTTPS site.

You must use HTTPS Inspection / 'categorize https sites' feature in order to be able for URLF to match this site, also the expression should match the DN written in the certificate. 

View solution in original post

3 Replies
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2017-08-01 02:05 AM
Jump to solution

Are you using SSL inspection ?

Custom Application/Site that was created to match a domain and sub-domains, is not matched by Applic... 

0 Kudos
Meital_Natanson
Employee
Employee
‎2017-08-02 12:21 AM
Jump to solution

Hi Sagar,

community.checkpoint.com is a HTTPS site.

You must use HTTPS Inspection / 'categorize https sites' feature in order to be able for URLF to match this site, also the expression should match the DN written in the certificate. 

OTIS_DUPONT
Explorer
‎2017-12-19 04:28 PM
Jump to solution

Make sure your REGEX is tight before you go and allow something like "*domain.com" (. before domain omitted on purpose) because a fake domain will pass with the same rule, if it has the same characters in a row of "domain.com" (ex: IHackedYourdomain.com or IHackedYourdomain.comrades.ru). You want a "." before you domain name and a "$" after the "com", and keep it absolute. Also, I noticed not ALL regex will work in Checkpoint, so stick to what they explain here. Regular Expressions . And even with that knowledge, you're not out of the water. The examples given by checkpoint are good but you have 2 problems here with regex and their engine.

Another big reason this kind of exclusion doesn't work is that many companies are utilizing WILDCARD certificates, and that kind of cert does not play well certificate inspection engines, including Checkpoint's.  Go to Checkpoint.com and if you observe the "Issued to:" field of their cert (in your browser) you will see "*.checkpoint.com" if you check the cert in your browser. That's a wildcard, and they can spin up "whatever_here.checkpoint.com" subdomain to their heart's content. This community.checkpoint.com, on first glance, appears to be that, but it's not, that's why the rules we're writing, aren't working. That's problem 1.

Then you go look into the certificate and see that in the "Subject" field, the CN actually has an asterisk "*" in it! Checkpoint's CN says "*.checkpoint.com". How can you write that in your regex? That's problem 2.  Check this for the note on it How to work with wildcard certificates in HTTPS Inspection and Application Control 

Finally,  combine the 2 issues, and add a twist. What you typed into the browser (the FQDN) does not match the certificate that is actually in use for the site. You would normally see an error about "certificate name mismatch" in the browser, and then you click the hyperlink to "Continue to this Website (not recommended)" or "SEC_ERROR_BAD_CERT_DOMAIN" to bypass it manually. An unattended device doesn't have fingers & mouse, it can't click past this kind of error, you need to write a rule around that kind of issue. But normally, we're trained to see that error to know we have certificate errors like a hacker intercepting with a fake cert, you signing into a self-signed web site, or your web server certificate that doesn't match the FQDN (certificate name mismatch). Today, all kinds of advanced certs like SANS (multi-domain) certs mess that all up and you get no error when FQDN doesn't match the CN. Now you type in  https://community.checkpoint.com in the browser, but if you look at the issues I just outlined, you'd see that a site like this will have a different Common Name than what you typed in the browser! You're trained to think that certificate is from "checkpoint.com" because you received no error. Inspect the certificate, you'll see that the certificate "Issued To" field says vanity4.jiveon.com (or whatever) but that's not what you typed in the browser! When you look into the certificate's Subject field, you'll see something like THIS:

CN = vanity4.jiveon.com
OU = Hosting
O = Jive Software
L = Palo Alto
S = California
C = US

vanity4.jiveon.com does not equal community.checkpoint.com in my brain, nor the Checkpoint engines. This is the last major problem. Aside from the horror of thinking Checkpoint got hacked and their domain hijacked, this is also a common issue. So you'd have to write your sites to combat these top issues, cert mismatch, Alternate-Subjects, Domain forwarding,etc in certs. In any proxy I have, this is a certificate mismatch. You have to write in vanity4.jiveon.com in this particular case.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events