Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
shawmcbigdis
Explorer
Jump to solution

Allow access to specific truncated URL's

Is there a way to allow access to specific truncated URL's, in this case ones at "youtu.be" ? It seems the checkpoint blocks them all by default, I tried creating a custom application/site with the specific links I want in it, but it is still being blocked;

 

URL.PNG

 

The policy is just an allow any any basically;

policy.PNG

The checkpoint ver is R80.30. I'm pretty new to Checkpoint, so I assume I am just missing something. Either that, or there is no way around the truncated URL block.

 

Thanks

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

You can look on the gateway object:

Screen Shot 2021-01-25 at 8.53.07 AM.png

The fact it doesn't work suggest it's probably not enabled.
Note: this has significant impact to your users and your overall gateway performance, not to mention requires some level of planning to do correctly.
This is not something that can or should be enabled lightly.

What I suggest in this case is, since you generally allow access to YouTube anyway, allow access to its URL shortener prior to the rule that blocks URL shorteners (e.g. just the URL https://youtu.be
This should work since we only need to see the certificate (more precisely the SNI portion) and it's not really a general purpose URL shortener.
When R80.30 shipped, SNI verification did require HTTPS Inspection be enabled (could be with an any any bypass rule), but I believe this is addressed in recent JHF (above Take 111) as well as in R80.40 and above. 

View solution in original post

0 Kudos
11 Replies
PhoneBoy
Admin
Admin

First of all, without HTTPS Inspection enabled, nothing like this will work since it's impossible for the gateway to see the URL otherwise.
Second of all, a YouTube page involves many connections, which may not be caught by this rule and blocked by the other rules.

You might need to enable something like YouTube Strict mode.
You can force that on the gateway with HTTPS Inspection enabled and: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
Corresponding Google Help article: https://support.google.com/a/answer/6214622?hl=en&ref_topic=6248111#zippy=,option-http-headers 
Then you can control what videos your users can see.

0 Kudos
shawmcbigdis
Explorer

I don't think I explained that very well. We do not block YouTube at all. Users can go to any youtube video as youtube.com is completely allowed.

The issue is the truncated links. I work for a state agency, and a different state agency posted some training videos on youtube, but for some reason the only links they put on the website for them are the truncated ones. Truncated links are a known security issue, so I don't want to allow all of them, just these 5 so users can get to the training videos.

So we are not trying to restrict youtube to certain videos, I am trying to allow certain truncated links.

0 Kudos
PhoneBoy
Admin
Admin

You still need HTTPS Inspection enabled to "see" the precise URL.
Do you have this enabled or not?
Without it, you will not be able to allow access to these precise URLs since they are HTTPS links.

0 Kudos
shawmcbigdis
Explorer

I'm actually not sure if it is enabled or not. I inherited this Checkpoint, and have no experience with them prior, so figuring things out as I go.  How do I tell if it is enabled, and if not, how do I enable it?

 

Thanks

0 Kudos
PhoneBoy
Admin
Admin

You can look on the gateway object:

Screen Shot 2021-01-25 at 8.53.07 AM.png

The fact it doesn't work suggest it's probably not enabled.
Note: this has significant impact to your users and your overall gateway performance, not to mention requires some level of planning to do correctly.
This is not something that can or should be enabled lightly.

What I suggest in this case is, since you generally allow access to YouTube anyway, allow access to its URL shortener prior to the rule that blocks URL shorteners (e.g. just the URL https://youtu.be
This should work since we only need to see the certificate (more precisely the SNI portion) and it's not really a general purpose URL shortener.
When R80.30 shipped, SNI verification did require HTTPS Inspection be enabled (could be with an any any bypass rule), but I believe this is addressed in recent JHF (above Take 111) as well as in R80.40 and above. 

0 Kudos
shawmcbigdis
Explorer

Thanks PhoneBoy, that did it. I would have rather narrowed it down to those specific URL's, but like you said this isn't a general purpose URL shortner, but the YouTube specific one. I have put a request in to the other agency to use the full links on their webpage also, so hopefully I can remove this in the future.

0 Kudos
Matlu
Advisor

Hello,

Taking advantage of the reason for this thread, I make the following query.

Is it mandatory to activate HTTPS Inspection, when you activate the APPC+URLF blades?

I have done a lab, where I activate these 2 blades, and manually block certain URLs that are in HTTPS, and the firewall, without problems, blocks the traffic, thus obeying my explicit rule.

So, it leaves me with the doubt, is it mandatory to activate HTTPS Inspection?
Or is it more related to a "Best Practice" issue?

Regards.

0 Kudos
the_rock
Legend
Legend

Its not mandatory, but since probably 98% of sites nowdays are https, thats where benefits of https inspection come in.

Andy

0 Kudos
the_rock
Legend
Legend

This link bro explains inspection very well...its not official CP one, but same would apply.

https://www.thesslstore.com/blog/ssl-inspection/

Andy

0 Kudos
PhoneBoy
Admin
Admin

Mandatory? No.
However, it will be required to do any form of content inspection (either threats, DLP, or other).

0 Kudos
the_rock
Legend
Legend

Hey,

Message me privately and I can help you. I did https inspection for few customers and Im pretty experienced in it, if I say so myself : ). Im confident I can give you some insight. But, phoneboy is 100% correct...this will NEVER work without that feature enabled, because firewall will never know what is supposed to inspect. Technically, if you have url filtering blade enabled, you can allow those custom categories, but again, it might be tricky to make it work like that. Anyway, hit me up offline and lets fix this on webex or zoom.

 

cheers,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events