Solved: Re: Allowing access to a specific URL path

JPR · ‎2024-12-19

Hello there,

I have a server behind a firewall that doesn't and mustn't full internet access.

However, it needs to be possible to use Copilot on it and thus needs access to some specific URL paths as listed here: https://docs.github.com/en/copilot/managing-copilot/managing-github-copilot-in-your-organization/con...

As mentioned elsewhere on here HTTPS Inspection is needed in order to achieve that so that has been enabled.

As far as I can see I then should be able to whitelist these URL paths in the above link by using a "Custom Application Site/Group", however, I don't seem to be able get the syntax right.

So my question is:

- Is it possible in the way I have described it above to allow access to a specific URL path?

And if so, how should I make the "Custom Application Site/Group".

And of course, if it has to be done in another way, I'd like to know that as well 😉

Thanks and best regards!

JPR · ‎2024-12-20

Also to Andy,

Yeah, I got it to work, and also ended up not using regular expressions.

I've enabled HTTPSi for the server and then made a Custom Application Group like this and it seems to work:

Thanks for the help guys! 🙂

View solution in original post

AkosBakos · ‎2024-12-19

Hi JPR,

Yes you touch the neuralgic point, the HTTPs Inspection. You can have a test without enable this, but maybe the categorization won't work properly.

https://support.checkpoint.com/results/sk/sk92743

Feature - HTTPS Filtering

Categorization of HTTPS sites without HTTPS inspection (passive HTTPS). Supports URL Filtering on HTTPS traffic without HTTPS inspection.

To enable it, enable the URL Filtering blade:
In SmartDashboard, go to Application & URL Filtering tab -> Advanced -> Engine Settings -> Enable "Categorize HTTPS sites", and install Security Policy.

----------------------------------------

The custom group creation:

https://support.checkpoint.com/results/sk/sk165094

(this speaks for itself)

Akos

----------------
\m/_(>_<)_\m/

JPR · ‎2024-12-20

Thanks, that all seems to work.

However, getting the Regex right seems to be another issue

So I want to allow traffic to github.com/login/

So ideally I want to make sure that e.g. "maliciousgithub.com/login/" and "github.com/loginmalicious/" or a combination of these doesn't work, however, I'm really struggling to achieve that.

I have checked "URLs are defined as Reuglar Expressions" and tried "github\.com/login/" but that doesn't work. Using "github\.com/login" does - but then also "github\.com/login1" works supposedly because there is a site on their server with that name (if I try "github.com\.com/loginmalicious" it says "Not found" because it doesn't exist).

I'm trying my configuration with "curl -k https://github.com/login".

Hope it makes sense 🙂

the_rock · ‎2024-12-20

Just add custom application object with these 2 entries and it will work, I tested it in my lab.

Andy

*maliciousgithub.com/login/*

*github.com/loginmalicious/*

I never bother checking that option at the bottom for regular expression.

the_rock · ‎2024-12-20

Here is what Im referring to.

Andy

(view in My Videos)

AkosBakos · ‎2024-12-20

Hi, what was the conclusion? Did you set up the HTTPs Inspection?

----------------
\m/_(>_<)_\m/

JPR · ‎2024-12-20

Also to Andy,

Yeah, I got it to work, and also ended up not using regular expressions.

I've enabled HTTPSi for the server and then made a Custom Application Group like this and it seems to work:

Thanks for the help guys! 🙂

the_rock · ‎2024-12-20

Great job!

Andy

the_rock · ‎2024-12-19

I would follow what @AkosBakos suggested. I have fully working ssl inspection lab in R81.20 jumbo 92, so can test anything needed.

Andy

Are you a member of CheckMates?

Allowing access to a specific URL path