chethan_m
Collaborator

Allow Corporate Dropbox access while blocking the Personal Dropbox Account

Hi,

 

One of our customers has a use case of allowing only business / corporate Dropbox accounts and blocking the personal ones via Check Point firewall.

I request your suggestions on how we can achieve this.

 

One possibility is to use HTTPS Inspection and leverage HTTP header insertion to create a restriction based on Dropbox team IDs.

HTTP header insertion for Application Parameters (Office 365 Tenant Restrictions / Gmail Allowed-Dom...

(
	:appi_parameters (
		: (
			:app_id (10050988)
			:parameters (
				: (
					:parameter_type ("Header Injection")
					:parameter_values (
						: (
							:type ("Header Name")
							:value ("X-Dropbox-allowed-Team-Ids")
						)
						: (
							:type ("Header Value")
							:value ("**This will be replaced with TeamID**")
						)
					)
				)
			)
		)				
	)
)

Where 10050988 is the application ID of Dropbox and the gateway intercepts requests related to Dropbox and adds the HTTP header X-Dropbox-allowed-Team-Ids (Values of the Dropbox Team ID field). This header's value is the business account's team ID.

The above approach must block access to personal accounts and allow access to only specified teams, but the challenge here is that if there are 100s or 1000s of teams this is not a feasible / scalable approach as collection of team IDs and configuring the application parameter file is a tedious task.

 

I wanted to know, does Check Point provide any out-of-the-box solution for this problem via App Control? Or are there any other ways that can fulfil this business requirement? For example, restrict the access if the user is trying to log in from a personal mail account.

 

Regards,

Chethan 

CCSM R80

 

Quantum Force (Security Gateways) Security Gateway Appliances Quantum Solution Family 

0 Kudos
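For the scaling concern raised in the post above, the parameter block can be generated from a maintained list of team IDs instead of edited by hand. This is an added example, not part of the original post and not Check Point tooling; the function names are hypothetical, the sample IDs are constructed, and it assumes multiple team IDs are sent as one comma-separated header value and that IDs contain only the characters in the regex.

```python
import re

HEADER_NAME = "X-Dropbox-allowed-Team-Ids"   # header named in the post
# Assumption: team IDs are opaque tokens; reject anything that could break quoting.
TEAM_ID_RE = re.compile(r"[A-Za-z0-9_.:-]+")
# Constructed sample input (not real team IDs): one ID per line, '#' comments allowed.
SAMPLE_LINES = ["TEAM-ID-0001  # finance", "", "TEAM-ID-0002", "TEAM-ID-0001"]

TEMPLATE = """(
\t:appi_parameters (
\t\t: (
\t\t\t:app_id ({app_id})
\t\t\t:parameters (
\t\t\t\t: (
\t\t\t\t\t:parameter_type ("Header Injection")
\t\t\t\t\t:parameter_values (
\t\t\t\t\t\t: (
\t\t\t\t\t\t\t:type ("Header Name")
\t\t\t\t\t\t\t:value ("{name}")
\t\t\t\t\t\t)
\t\t\t\t\t\t: (
\t\t\t\t\t\t\t:type ("Header Value")
\t\t\t\t\t\t\t:value ("{value}")
\t\t\t\t\t\t)
\t\t\t\t\t)
\t\t\t\t)
\t\t\t)
\t\t)
\t)
)
"""

def normalize_team_ids(lines):
    """Drop blanks and # comments, validate, de-duplicate (order preserved)."""
    ids = [ln.split("#", 1)[0].strip() for ln in lines]
    ids = list(dict.fromkeys(i for i in ids if i))
    bad = [i for i in ids if not TEAM_ID_RE.fullmatch(i)]
    if bad:
        raise ValueError(f"invalid team ID(s): {bad!r}")
    if not ids:
        raise ValueError("no team IDs; refusing to emit an empty allow-list")
    return ids

def render_appi_parameters(team_ids, app_id=10050988):
    """Render the post's layout; 10050988 is the Dropbox app ID it quotes.
    Assumption: several team IDs share one header value, comma-separated."""
    return TEMPLATE.format(app_id=app_id, name=HEADER_NAME, value=",".join(team_ids))

if __name__ == "__main__":
    print(render_appi_parameters(normalize_team_ids(SAMPLE_LINES)))
```

Refusing an empty list matters here: an empty header value would be pushed to the gateway as if it were a valid allow-list.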
6 Replies
PhoneBoy
Admin

In order to use the header injection bits, you need to use HTTPS Inspection.
Problem is, Dropbox uses Certificate Pinning and will not work with HTTPS Inspection.

0 Kudos
chethan_m
Collaborator

0 Kudos
chethan_m
Collaborator

So, in that case bypass HTTPS inspection for Dropbox or block it entirely?

0 Kudos
the_rock
Legend

I got the private message you sent me about this, will respond there.

Best,

Andy

0 Kudos
chethan_m
Collaborator

Thank you, I've replied to it.

0 Kudos
the_rock
Legend

Same here... I'm still working at 10 pm at night, never expected the CP upgrade to take 4 hours LOL

Best,

Andy

0 Kudos
