This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
elicro
Participant
‎2021-02-04 03:08 PM

Allowing or blocking specific youtube videos

I got a request to block or allow specific YouTube videos in couple appliances, one of them is checkpoint NGFW.

The simple solution would be to use couple url filtering regex patterns and block/allow rules with SSL Inspection enabled on couple domains.

(^|.*\.)youtube\.com/watch\?v=##VID##'
(^|.*\.)youtu\.be/.*##VID##.*
(^|.*\.)ytimg\.com/.*/##VID##/
(^|.*\.)youtube.com/embed/##VID##

 

Since YouTube uses googlevideo.com as it's CDN for delivering the video and the content is served with a unique token it is pretty safe to just allow  anything under googlevideo.com by default.

In my tests I have added more then 3k VIDS (which is more then 3.2 k regex) and it seems to work OK.

There is a tiny(10 minutes max) delay

0 Kudos
16 Replies
PhoneBoy
Admin
Admin
‎2021-02-05 03:15 PM

Goes without saying this requires HTTPS Inspection to be enabled.
Also the delay likely comes from the policy being compiled/applied after you modify the locally managed policy.

0 Kudos
elicro
Participant
‎2021-02-06 10:33 AM
In response to PhoneBoy

@PhoneBoyI don't know why the delay happens.
On the appliance I created manually it works as I update the rules.
I think it should be applied in such a way that the admin will know when the rules will be applied.
There is another issue with http/2.0 but I guess that the whole industry is working on this.

0 Kudos
the_rock
Legend
Legend
‎2021-02-06 02:38 PM
In response to elicro

I would say, FOR SURE, you need https inspection for this. Literally, there MIGHT be 5% of http sites in the world atm, and rest are https...so, having said that, without it and no cert generated, so fw can act as MITM, this will never work. I mean, it would "work" where say if you wish to block https://www.abcd.com, client would sit there for few minutes looking at the page spinning and at the end, either would say page is reset or cant be displayed and it just looks stupid. You dont want people calling IT help desk all the time complaining about it, you want them to see PROPER block page, so they know its blocked by organizational policy. Makes sense?

Andy

0 Kudos
elicro
Participant
‎2021-02-07 02:18 AM
In response to the_rock

@the_rockSorry to say, what gave you the clue I am wondering about a subject from 10-15 years ago?
SSL INSPECTION is a must since SSL was introduced to the world...

0 Kudos
the_rock
Legend
Legend
‎2021-02-07 04:39 AM
In response to elicro

Sorry, I did not mean it in a bad way or anything, just stating what is needed, thats all. Apologies if it came across offensive.

Andy

0 Kudos
elicro
Participant
‎2021-02-07 04:44 AM
In response to the_rock

@the_rockEverything is OK.
I'm feeling sometimes that I am talking to kids by the response I got from some technical support experts.

I hope that CheckPoint is not a kids company and by the way the product WEBUI looks it would be weird to find out that kids are made it.

I'm not sure if I am here to learn from the TAC experts or teach them...

0 Kudos
the_rock
Legend
Legend
‎2021-02-07 04:58 AM
In response to elicro

Well, you know what they say, we all have different opinions : ). Personally, if I were you, if you are not happy with support you are getting, raise it with your account manager (or Sales person) or ask to speak with one of the managers in TAC. Just a friendly suggestion.

0 Kudos
elicro
Participant
‎2021-02-07 10:08 AM
In response to the_rock

I'm waiting for the account manager to call me back but yet (2 month already) to get a response.

If you know someone that can generate a call for me it would help.

until now the response time is so long from any department... that I really start to feel like I better off writing my own proxy for url filtering and firewall.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-07 07:50 PM
In response to elicro

You should be able to check when the policy was updated in the firewall kernel by using the command 'fw stat' on the CLI.
It shows something like:

SMB-GW> fw stat
HOST      POLICY           DATE              
localhost local             4Feb2021 23:30:59 :  [>WAN ] [<WAN ] [>LAN1] [<LAN1] [>DMZ ] [<DMZ ]

To have something show in the UI when the compiled policy is updated I believe would be an RFE. 

0 Kudos
elicro
Participant
‎2021-02-07 10:02 PM
In response to PhoneBoy

@PhoneBoy only if this was the issue...

I eventually wrote the next piece of code to automatically add the links:

https://github.com/elico/checkpoint-vid-filtering-managment 

i have seen that the policy applied but still it takes 10 minutes for the policy to apply.

from a firewall perspective its enough to download the whole DB....

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-08 01:16 PM
In response to elicro

You know, with a README, we could feature that in the CheckMates Toolbox.
That said, you are messing with the database directly, which might break in future versions. 

0 Kudos
elicro
Participant
‎2021-02-08 01:28 PM
In response to PhoneBoy

@PhoneBoy Thats one of the things a dba does.. mess around with the DB...

I assume that if the db structure will change as you suggest, thats because someone lost his job...

I can add a README but i already wrote something:

https://wiki.squid-cache.org/Features/StoreID

Is this qualifying for TAC work?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-08 02:16 PM
In response to elicro

There may be other reasons we change the underlying schema.
That said, it suggests we probably need to come up with an official way to add this kind of configuration.
That readme doesn't explain the use of the specific tools you've provided in the repo, but it does provide some interesting context around what you're doing with Squid.

Does it qualify for TAC work?
It's the kind of stuff I did back in the day when I worked in the TAC 🙂

0 Kudos
elicro
Participant
‎2021-02-08 02:59 PM
In response to PhoneBoy

@PhoneBoy I will try to write the readme later on.

From my point of view CP is better the other products in the market but while fortinet is by definition ISP ready, CP might not.

The datasheet of my device (1530) is only for flow based detection but not application level.

I will try first to respond by email privately, I don't like to make noises like others might do to request escalation.

0 Kudos
elicro
Participant
‎2021-02-07 11:11 PM
In response to PhoneBoy

@PhoneBoymaybe you know what RFE is and TAC and other acronyms but I need translation.
What RFE is?
If the product doesn't have a basic function, what will RFE help me with?
I am not sure if asking this question might clue that I'm a bit "not-smart"?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-08 01:10 PM
In response to elicro

RFE = Request for Enhancement, which you can place here: https://rfe.checkpoint.com/
TAC = Technical Assistance Center

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events