Network_M
Copper

How to block some https sites?

I have a rule in Checkpoint, in Policy tab:

Source: host (one pc with IP)

Destination: Internet

Services & Applications: denied_sites

Action: drop

denied_sites: custom site, which contains some urls.

I wrote both http://www.example.com, https://www.example.com

After installing the policy, the rule drops only http, but not https.

How can I make that rule work for https too? (Without turning on https inspection)

I looked at previous questions, but I didn't manage to find a solution.

28 Replies

Re: How to block some https sites?

Copy&paste from help:

In the URL List, enter the URLs.

  • Do not include http/https prefixes
  • The URL list supports the use of wild cards, for example to define the sub domains and paths of a top level domain. (*.checkpoint.com/*)
  • Select "URLs are defined as Regular Expression" to define more complex domain patterns, or for greater specificity.

    For example, if a news site has these links:

    https://www.news.com

    http://www.news.com

    To allow access only to the https link, use this regular expression:

    ^https:\/\/.*\.news\.com

    Note: The application or site URL defined by a regular expression must use the correct syntax.

0 Kudos
Network_M
Copper

Re: How to block some https sites?

In the URL list, if I write *.example.com/* it gives an error:

URL cannot contain the following substring: /*

Then I wrote *.example.com and it blocks only http, not https.

It cannot block https sites.

What else can be done?

0 Kudos

Re: How to block some https sites?

Add this:

(^|.*\.)*example\.com

and make sure "URLs are defined as Regular Expression" is ticked.

But if the site is using SNI then you better follow the SK mentioned below.

0 Kudos
Network_M
Copper

Re: How to block some https sites?

I have tried adding this and ticked as "Regular Expression".

I added some sites, not one.

https is still not blocked.

Simple proxies may block https, why is it so difficult in Checkpoint?

Can Checkpoint block https?

0 Kudos
Admin
Admin

Re: How to block some https sites?

In addition to what Hristo Grigorov said, you need to confirm what the DN of the certificate of the site you want to block is, as that is what is matched.

0 Kudos
Network_M
Copper

Re: How to block some https sites?

Do you mean that I should include the full domain name of the certificate in the URL list?

0 Kudos
Admin
Admin

Re: How to block some https sites?

Whatever it says in the DN of the certificate.

0 Kudos
Network_M
Copper

Re: How to block some https sites?

How can I see the DN of the certificate? I could not find it.

0 Kudos

Re: How to block some https sites?

This is certificate DN:

This is certificate w/o SNI:

This is certificate with SNI:

0 Kudos
Network_M
Copper

Re: How to block some https sites?

How can I block https://z1.fm site for example?

0 Kudos

Re: How to block some https sites?

^https:\/\/z1\.fm

0 Kudos
Network_M
Copper

Re: How to block some https sites?

I have checked, it does not block. Any other solution?

0 Kudos

Re: How to block some https sites?

I am sorry mate, no idea what is wrong. It works for me here.

0 Kudos
Network_M
Copper

Re: How to block some https sites?

Thank you anyway mate! Then I have to write to tech.support.

Admin
Admin

Re: How to block some https sites?

The CN of the certificate for z1.fm is sni.cloudflaressl.com, as shown below:

This means you cannot currently use the URL z1.fm to block, as we will see sni.cloudflaressl.com, at least in the manner described.

Right now, you can do one of two things:

In general, we do plan to improve our support for SNI in the near future.
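
Added example, not part of the original thread and not Check Point code: a simplified Python model of the behaviour described above, where plain HTTP exposes the URL but HTTPS without inspection exposes only the certificate CN. The `visible_string` model, the use of `re.search` as the matcher, and the sample connections are assumptions made for illustration; the patterns and the z1.fm CN come from the thread.

```python
import re

# Patterns quoted in the thread.
SUBDOMAIN_PATTERN = r"(^|.*\.)*example\.com"
SCHEME_PATTERN = r"^https:\/\/z1\.fm"
BARE_PATTERN = r"z1\.fm"


def visible_string(conn):
    """Return the string a filter can match for one connection.

    Simplified model (assumption): plain HTTP exposes the full URL; HTTPS
    without inspection exposes only the CN of the server certificate.
    """
    if conn["scheme"] == "http":
        return "http://" + conn["host"] + conn["path"]
    return conn["cert_cn"]


def is_blocked(pattern, conn):
    # re.search stands in for the gateway's matcher (assumption).
    return re.search(pattern, visible_string(conn)) is not None


# Constructed sample connections; the z1.fm CN is the one reported in the thread.
CONNECTIONS = {
    "http_example": {"scheme": "http", "host": "www.example.com", "path": "/",
                     "cert_cn": None},
    "https_example": {"scheme": "https", "host": "www.example.com", "path": "/",
                      "cert_cn": "www.example.com"},
    "http_z1": {"scheme": "http", "host": "z1.fm", "path": "/", "cert_cn": None},
    "https_z1": {"scheme": "https", "host": "z1.fm", "path": "/",
                 "cert_cn": "sni.cloudflaressl.com"},
}


def report(patterns=(SUBDOMAIN_PATTERN, SCHEME_PATTERN, BARE_PATTERN)):
    """Map (pattern, connection name) -> True when the rule would fire."""
    return {(p, name): is_blocked(p, conn)
            for p in patterns for name, conn in CONNECTIONS.items()}


if __name__ == "__main__":
    for (pattern, name), hit in report().items():
        print(f"{pattern:26} {name:14} {'DROP' if hit else 'pass'}")
```

In this model the z1.fm patterns can only ever fire on the HTTP connection, because the string presented for the HTTPS one never contains z1.fm.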

Network_M
Copper

Re: How to block some https sites?

Ok, can we block that site by its IP addresses then?

0 Kudos
Admin
Admin

Re: How to block some https sites?

You can, but it's possible you will also block some legitimate sites in the process (not to mention the IP could change, being behind CloudFlare).

Is there some reason you can't use the Application Control Signature Tool to create a signature for the site?

0 Kudos
Network_M
Copper

Re: How to block some https sites?

The reason is that I don't know how to use the Application Control Signature Tool.

Is it possible to create a custom signature for any site?

I would appreciate it if you shared one example of how to create a custom signature step by step.

Thanks.

0 Kudos
Admin
Admin

Re: How to block some https sites?

It's a pretty straightforward Windows app with documentation that can help you.

This is what I created specifically for the site you mentioned:

Import the app into R80.x Management:

Create a rule based on the signature and push policy:

And, sure enough, it works. 

No HTTPS Inspection required.

Network_M
Copper

Re: How to block some https sites?

Very cool. Where can I download that Windows app?

0 Kudos
Admin
Admin

Re: How to block some https sites?

It is linked in my previous comments.

0 Kudos
Maarten_Sjouw
Platinum

Re: How to block some https sites?

Can this exported Application also be used with R77.30?

Regards, Maarten
0 Kudos
Admin
Admin

Re: How to block some https sites?

The tool produces R77.x and R80.x versions of the application definition.

0 Kudos
Network_M
Copper

Re: How to block some https sites?

I could not find the link to that app. Would you provide it, please?

0 Kudos
Admin
Admin

Re: How to block some https sites?

Re: How to block some https sites?

Custom URL filtering by SNI

sk103051

0 Kudos
Maarten_Sjouw
Platinum

Re: How to block some https sites?

What we experienced is that putting more than 1 line in the urls field will break the https recognition abilities.

Try to change the custom application to only one url like example\.com as a regular expression and check to see if https categorization is turned on when you do not have https inspection enabled.

Regards, Maarten
Danny
Jade

Re: How to block some https sites?

Is HTTPS inspection enabled? If not, is the first checkbox for categorization of HTTPS websites checked within the engine settings?

0 Kudos