Hi everyone.
I'm having some problems blocking TikTok. I already blocked the app and domains with an Access Control Policy; in a way it worked, but I can still see about 50% of the videos in the app. Is there something else that I can do?
Logs show that the FW is blocking some traffic, but the app uses different domains and CDNs to reach TikTok. Is there something else that I can do?
What I do, and it ALWAYS works, is add a custom app with *domain*.
So, in your case just add a custom site as *tiktok* and block it. Sometimes I have found I may also need to add any existing applications, if they exist, but that's not often.
Andy
This is the rule that I have created for this:
I added to the tiktok custom site the app domains that I found here: https://www.netify.ai/resources/applications/tiktok . Is this what works for you? This is the config that blocks around half of the videos from the app for me.
In that case, you may need to examine the logs carefully and see why that happens. Do you have https inspection enabled or not?
Andy
I don't have HTTPS inspection. What I see in the logs is that the App & URL Policy for TikTok (7) is actually blocking traffic, but the App & URL Cleanup rule (16) is matching some traffic and letting it pass; I think this would explain why I can see some videos, but I don't know how to fix it. The Cleanup rule is configured to let all traffic pass.
Here you can find attached some evidence.
In some cases, you may need to add the IP addresses to block as well.
Cleanup rule is usually configured to drop all traffic not matched by other rules - that is how it got the name 8).
True that my friend :-). But, in all seriousness, it is recommended by CP to allow all at the bottom of ordered url and app control layer.
That's how we have configured the URL and app layer, so the traffic passes the rule that blocks TikTok (even when other traffic to the same IP address is being blocked by that policy, as I mentioned before) and goes all the way down to the cleanup rule that allows all. This happens with a lot of TikTok IP addresses, not just the one from the capture "Permit and block to same IP" that I attached before. Would you recommend tracing and blocking all those IP addresses?
Yes, I would. Sadly, I had to do the same for customers in some cases. Even TAC suggested the same. You can open a support case to see if they suggest anything else, though.
I will tell you what I find works the best, in my opinion... now, this might not be what most customers would do, but it works well from what I have experienced. Instead of, say, creating another URL and app control ordered layer, I always end up creating a section towards the top of the built-in access layer with the URL and app control rules you need. The downside to it could be the fact that you have to enable those blades in this ordered layer, so acceleration might not work as well, but otherwise, I honestly have not seen any major issues with it.
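As an added example (not code from anyone in this thread), here is a small Python script that does the tracing the replies above describe: it parses constructed, key=value style App Control log lines and lists destination IPs that the TikTok rule (7) dropped but the cleanup rule (16) also accepted, which are the candidates for an explicit block. The log layout, timestamps and IP addresses are constructed for the example and are not a real gateway export.

```python
import re

# Constructed sample log lines in a key=value layout loosely modelled on an
# exported Application Control log. IPs are documentation ranges, not real CDN hosts.
SAMPLE_LOGS = """\
time=2025-09-01T10:00:01 action=Drop rule=7 rule_name="TikTok" dst=203.0.113.10 appi_name="TikTok" service=https
time=2025-09-01T10:00:02 action=Accept rule=16 rule_name="Cleanup rule" dst=203.0.113.10 appi_name="" service=https
time=2025-09-01T10:00:03 action=Accept rule=16 rule_name="Cleanup rule" dst=203.0.113.11 appi_name="" service=https
time=2025-09-01T10:00:04 action=Drop rule=7 rule_name="TikTok" dst=203.0.113.11 appi_name="TikTok" service=https
time=2025-09-01T10:00:05 action=Accept rule=16 rule_name="Cleanup rule" dst=198.51.100.5 appi_name="" service=https
time=2025-09-01T10:00:06 action=Drop rule=7 rule_name="TikTok" dst=203.0.113.12 appi_name="TikTok" service=https
"""

# key=value pairs; values may be quoted (and may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def leaked_destinations(log_text, block_rule="7", cleanup_rule="16"):
    """Return the sorted destination IPs that the block rule dropped at least once
    AND the cleanup rule accepted at least once. Those destinations are where the
    app identification failed for part of the session, so they need an explicit
    block (IP object or custom site) rather than relying on the cleanup rule."""
    dropped, accepted = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "dst" not in rec:
            continue
        if rec.get("rule") == block_rule and rec.get("action") == "Drop":
            dropped.add(rec["dst"])
        elif rec.get("rule") == cleanup_rule and rec.get("action") == "Accept":
            accepted.add(rec["dst"])
    return sorted(dropped & accepted)


if __name__ == "__main__":
    # 198.51.100.5 was only accepted and 203.0.113.12 only dropped, so neither is listed.
    for ip in leaked_destinations(SAMPLE_LOGS):
        print(ip)
```

On a real deployment the same comparison can be run over a log export filtered to the two rule numbers, and the resulting list reviewed before it is added to the block rule.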
Just a quick note - Checkpoint have added tiktok as an application
I tried this method, but this requires HTTPS inspection to work 100%. We see a lot of traffic identified as TikTok and blocked, but the website still works and videos still play. Surely you'd think the easy solution is to enable HTTPS inspection, but that's not possible because we are talking about a Wi-Fi network. Users cannot be forced to download and install a certificate for HTTPS inspection to work (especially on mobile devices).
We are able to block correctly using Harmony Mobile following the SK, but that's only for managed devices. Unmanaged/guest devices are the concern here.
Interested in hearing some other ideas or suggestions. Thanks
Upon further investigation, we found out this is an issue and opened a support case; it's blocking on some gateways, but on one specific network and the gateway its traffic goes out through, it is not blocked.
I know that, but I would call it a PassAll rule...
That's what I've always done, and agreed, Check Point recommends that as well, so your application rules really should block specifics and then allow everything else (as a generic rule of thumb).