Solved: Re: Best Practice when blocking URL

civoulkidis · ‎2021-11-23

Hi,

I would like some comments from the most experienced users about the best practice when blocking URL.

What I am trying to do is to block specific URL.

These URL may be part from 2 categories:

Phishing sites (not yet categorized by CheckPoint)
Normal web sites

What I have done as far:

Rule: Source-Any, Destination : Network Group Which includes destination objects (Domain, Host etc) , Action:Drop

The network group contains Domain objects (For example if I want to block http://blockme.com/jgsgjs/fjsh/ I create a domain object .blockme.com

In this way I block all the domain which sometimes is not good.

For example when I want to block the phishing URL: https://firebasestorage.googleapis.com/v0/b/kasyropnz.appspot.com/o/faswusamino.html

I have to block all the domain .firebasestorage.googleapis.com which is not acceptable.

Any suggestions about the best practice?

the_rock · ‎2021-11-23

I will tell you what I always do and it works 100% of the time...I know Im not nearly as experienced as most folks here, but take it for what its worth : -). Ok, so just to give you a simple example, say you wish to block anything facebook and youtube, I would do exact same rule like you have, but in the destination, for url group, I put in custom links and say *facebook* and *youtube*, thats it. I included a screenshot for your reference.

Andy

View solution in original post

the_rock · ‎2021-11-23

I will tell you what I always do and it works 100% of the time...I know Im not nearly as experienced as most folks here, but take it for what its worth : -). Ok, so just to give you a simple example, say you wish to block anything facebook and youtube, I would do exact same rule like you have, but in the destination, for url group, I put in custom links and say *facebook* and *youtube*, thats it. I included a screenshot for your reference.

Andy

civoulkidis · ‎2021-11-24

*facebook* means that any url that contains the word facebook is matched?

the_rock · ‎2021-11-24

yes sir!

civoulkidis · ‎2021-11-25

Is there any guide about Regular Expressions?

For example I want to match and block the url https://10120-0000-00010.pages.dev which contains malicious.

This Reg Exp is not working. /10120-0000-00010.pages.dev/

This is working but I have a warning for performance (sk165094)

*10120-0000-00010.pages.dev*

Marcel_Gramalla · ‎2021-11-25

Look at sk106623

Basically for your example the RegEx would be \/10120-0000-0010\.pages\.com and for including subdomains additionally \.10120-0000-0010\.pages\.com

civoulkidis · ‎2021-11-25

10120-0000-00010\.pages\.dev worked for me and blocked the specific url

Note that I did not use /....../ at the beginning and at the end.

I have also checked "URLs are defined as Regular Expression". Is that correct?

Marcel_Gramalla · ‎2021-11-25

Yes, this is correct. Please note that without the /\ at the beginning you will also block abc10120-0000-0010.pages.com. Check that with a RegEx Tester like regex101.com.

the_rock · ‎2021-11-25

@Marcel_Gramalla is correct. Personally, sk that pops up when you make those changes, you can follow it, but to make it simplified, if I need to block a full fqdn, I just do it without TLD (top level domains, such as .com, .org, .edu, .me...as I stated in my first response. It never fails and thats why I keep using that approach.

007_mjn · ‎2023-12-18

Hi @the_rock Like this can I also block youtube for mobile devices?

I have SMB 1530 device and version is R81.10. I have blocked youtube for all users.

LIKE this src:lan subnet dst: any service/application:YoutubeApplication action:block

this rule can block youtube on desktop and laptop but not on android mobile device.

Do you know the solution of this?

the_rock · ‎2023-12-18

I literally never work on these devices, but if I ever need anything, I either spin demo point lab from user center or log in using below:

https://demo700.checkpoint.com/

User: test_1234567890
Password: %%7JvZp!!k%%

Now, based on what I can see, appears option for mobile clients is under vpn, blade control and it appears to be enabled by default, but as far as how you control it, if its locally managed, most likely by regular rules, but if central, probably via mobile access blade. You may want to confirm this with TAC.

Andy

007_mjn · ‎2023-12-18

Thanks for your quick support.

It's a centrally managed device and MAB portal is not available for SMB device. As far as I know MAB is used for secure remote access for android/IOS clients. I have worked on fortinet firewall and it block youtube for all devices.

the_rock · ‎2023-12-19

Thats because on Fortinet, those things are not "separated" if you will, like they are on CP side. If its centrally managed, is MA blade enabled? Either way, maybe check with TAC whats the best way to do this.

Andy

PhoneBoy · ‎2023-12-19

MAB is only required to terminate the Capsule Workspace client.
Check Point Mobile clients for Android/iOS can terminate on an SMB gateway.

007_mjn · ‎2023-12-20

ok, I know MAB is only used for capsule workspace.

for mobile devices I will raise a TAC case.

007_mjn · ‎2023-12-18

I think application control blade have to block applications on all devices but it didn't block youtube application on mobile device.

Are you a member of CheckMates?

Best Practice when blocking URL