civoulkidis
Contributor

Best Practice when blocking URL

Hi,

I would like some comments from the most experienced users about the best practice when blocking URLs.

What I am trying to do is to block specific URLs.

These URLs may fall into 2 categories:

  1. Phishing sites (not yet categorized by Check Point)
  2. Normal web sites

What I have done as far:

Rule: Source: Any, Destination: Network Group which includes destination objects (Domain, Host etc.), Action: Drop

[screenshot: urlblck.jpg]

The network group contains Domain objects (for example, if I want to block http://blockme.com/jgsgjs/fjsh/ I create a domain object .blockme.com).

In this way I block all the domain which sometimes is not good.

For example when I want to block the phishing URL: https://firebasestorage.googleapis.com/v0/b/kasyropnz.appspot.com/o/faswusamino.html

I have to block the whole domain .firebasestorage.googleapis.com, which is not acceptable.

Any suggestions about the best practice?

the_rock
Legend (accepted solution)

I will tell you what I always do and it works 100% of the time... I know I'm not nearly as experienced as most folks here, but take it for what it's worth :-). OK, so just to give you a simple example, say you wish to block anything Facebook and YouTube: I would do the exact same rule like you have, but in the destination, for the URL group, I put in custom links and say *facebook* and *youtube*, that's it. I included a screenshot for your reference.

Andy

civoulkidis
Contributor

*facebook* means that any URL that contains the word facebook is matched?

the_rock
Legend

Yes sir!

civoulkidis
Contributor

Is there any guide about Regular Expressions?

For example, I want to match and block the URL https://10120-0000-00010.pages.dev which contains malicious.

This RegEx is not working: /10120-0000-00010.pages.dev/

This is working, but I get a warning about performance (sk165094):

*10120-0000-00010.pages.dev*

Marcel_Gramalla
Advisor

Look at sk106623

Basically for your example the RegEx would be \/10120-0000-0010\.pages\.com and for including subdomains additionally \.10120-0000-0010\.pages\.com

civoulkidis
Contributor

10120-0000-00010\.pages\.dev worked for me and blocked the specific URL.

Note that I did not use /....../ at the beginning and at the end.

I have also checked "URLs are defined as Regular Expression". Is that correct?

Marcel_Gramalla
Advisor

Yes, this is correct. Please note that without the /\ at the beginning you will also block abc10120-0000-0010.pages.com. Check that with a RegEx Tester like regex101.com.
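
To make the over-match Marcel describes visible before a rule goes live, and to tie it back to the `*facebook*` custom-link style from earlier in the thread, here is an added Python harness. It is not from the thread, from Check Point, or from any sk; it only exercises the patterns the posts discuss. It assumes, as the `\/` host-prefix trick implies, that a regex entry is evaluated against the full URL string including the scheme, and that a `*` custom entry matches any URL containing the literal text between the stars. The sample URLs are constructed; the `pages.dev` host is the one from the original question.

```python
import re

# Constructed sample URLs for exercising block patterns (made up for this
# example; only the two host names under discussion come from the thread).
SAMPLE_URLS = [
    "https://10120-0000-00010.pages.dev/login.html",         # the host to block
    "https://abc10120-0000-00010.pages.dev/login.html",      # different host, same suffix
    "https://cdn.10120-0000-00010.pages.dev/asset.js",       # subdomain of the host
    "https://www.facebook.com/",
    "https://m.youtube.com/watch?v=abc",
    "https://example.com/not-facebook-at-all",               # 'facebook' only in the path
    "https://firebasestorage.googleapis.com/v0/b/kasyropnz.appspot.com/o/faswusamino.html",
    "https://firebasestorage.googleapis.com/v0/b/legit-project.appspot.com/o/index.html",
]


def wildcard_to_regex(pattern: str) -> str:
    """Translate a '*'-style custom URL entry into an equivalent regex.
    Assumption: '*' is the only wildcard and matches any run of characters;
    everything else is literal, so '*facebook*' means 'contains facebook'."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def matches(pattern: str, url: str, is_regex: bool) -> bool:
    """Test one pattern against one URL. Assumption: the pattern is evaluated
    against the full URL including the scheme, which is why a leading '\\/'
    pins the match to the start of the host (the '//' after 'https:')."""
    regex = pattern if is_regex else wildcard_to_regex(pattern)
    return re.search(regex, url) is not None


def blocked_by(pattern: str, is_regex: bool, urls=SAMPLE_URLS) -> list:
    """Return every sample URL the pattern would block, in list order."""
    return [u for u in urls if matches(pattern, u, is_regex)]


def unintended(pattern: str, is_regex: bool, intended: list, urls=SAMPLE_URLS) -> list:
    """Return the URLs the pattern blocks beyond the ones you meant to block:
    the over-match a regex tester such as regex101.com would reveal."""
    return [u for u in blocked_by(pattern, is_regex, urls) if u not in intended]


if __name__ == "__main__":
    cases = [
        ("wildcard *facebook*", "*facebook*", False),
        ("unanchored host", r"10120-0000-00010\.pages\.dev", True),
        ("host anchored with \\/", r"\/10120-0000-00010\.pages\.dev", True),
        ("subdomains with \\.", r"\.10120-0000-00010\.pages\.dev", True),
        ("host or subdomain", r"(\/|\.)10120-0000-00010\.pages\.dev", True),
        ("one phishing path only", r"\/kasyropnz\.appspot\.com\/o\/faswusamino\.html", True),
    ]
    for label, pat, rx in cases:
        print(f"{label:24} -> {blocked_by(pat, rx)}")
    print("over-match of the unanchored host:",
          unintended(r"10120-0000-00010\.pages\.dev", True, [SAMPLE_URLS[0]]))
```

The last case is the answer to the original question about the phishing page on firebasestorage: a regex on the path segment blocks that one object and leaves the rest of the shared domain alone, whereas the `*...*` wildcard style blocks every URL containing the text (including `example.com/not-facebook-at-all`) and, per the thread, also draws the sk165094 performance warning.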

the_rock
Legend

@Marcel_Gramalla is correct. Personally, the sk that pops up when you make those changes, you can follow it, but to make it simplified, if I need to block a full FQDN, I just do it without the TLD (top-level domains, such as .com, .org, .edu, .me...), as I stated in my first response. It never fails and that's why I keep using that approach.

007_mjn
Contributor

Hi @the_rock, like this, can I also block YouTube for mobile devices?

I have an SMB 1530 device and the version is R81.10. I have blocked YouTube for all users.

Like this: src: lan subnet, dst: any, service/application: YoutubeApplication, action: block

This rule can block YouTube on desktop and laptop but not on Android mobile devices.

Do you know the solution to this?

the_rock
Legend

I literally never work on these devices, but if I ever need anything, I either spin up a demo point lab from User Center or log in using the below:

https://demo700.checkpoint.com/

User: test_1234567890
Password: %%7JvZp!!k%%

Now, based on what I can see, it appears the option for mobile clients is under VPN, blade control, and it appears to be enabled by default, but as far as how you control it, if it's locally managed, most likely by regular rules, but if central, probably via the Mobile Access blade. You may want to confirm this with TAC.

Andy

007_mjn
Contributor

Thanks for your quick support.

It's a centrally managed device and the MAB portal is not available for SMB devices. As far as I know MAB is used for secure remote access for Android/iOS clients. I have worked on Fortinet firewalls and they block YouTube for all devices.

the_rock
Legend

That's because on Fortinet, those things are not "separated", if you will, like they are on the CP side. If it's centrally managed, is the MA blade enabled? Either way, maybe check with TAC what's the best way to do this.

Andy

PhoneBoy
Admin

MAB is only required to terminate the Capsule Workspace client.
Check Point Mobile clients for Android/iOS can terminate on an SMB gateway.

007_mjn
Contributor

OK, I know MAB is only used for Capsule Workspace.

For mobile devices I will raise a TAC case.

007_mjn
Contributor

I think the Application Control blade has to block applications on all devices, but it didn't block the YouTube application on mobile devices.