Dear community,
In two recent TAC tickets we were advised to replace our standard custom applications with ones using regular expressions, since that has a lower performance impact on the gateway. Both referred to this sk165094.
Unfortunately this pretty easy-sounding task turned out to be really tricky. And I'm still unsure if regex is really the preferred, more efficient way?! Does someone know?
There are several things to keep in mind when using regex:
- Is the traffic getting HTTPS inspected (decrypted and re-encrypted)?
- Is the traffic unencrypted (e.g. HTTP for redirects)?
- If encrypted, what is the SNI of the certificate used (e.g. when a custom app is for a subdomain, but the certificate is a wildcard on the main domain)?
Since all this information is often hard to gather, it is pretty hard to define an appropriate regex (or multiple).
In my opinion Check Point should make it easier for admins here. The admin should only need to define the domain / subdomain / URL / ... and Check Point should take care of performance-efficient handling of the different situations.
Of course a possibility to let admins create their own regex would still be a nice-to-have for some cases.
I would really appreciate some feedback from other admins on how they handle this topic.
Some examples:
For unencrypted / decrypted traffic we use: \/sub\.example\.com/
For encrypted traffic (this goes on SNI) we use: \.sub\.example\.com + ^sub\.example\.com
Before using regex we used for all cases: sub.example.com + *.sub.example.com
Thanks a lot for all your help and effort,
Best Markus
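As an added illustration (not part of Markus's post and not Check Point code), the following Python harness runs the three regex patterns quoted above against constructed URLs and SNI hostnames and compares the SNI result with the pre-regex glob-style entries, so the differences between the two approaches can be checked before a custom application is changed. All sample inputs are constructed.

```python
import re
from fnmatch import fnmatch

# Regex patterns exactly as quoted in the post.
URL_PATTERN = re.compile(r"\/sub\.example\.com/")         # unencrypted / decrypted traffic: applied to the URL
SNI_PATTERNS = [
    re.compile(r"\.sub\.example\.com"),                   # encrypted traffic: hosts below the subdomain
    re.compile(r"^sub\.example\.com"),                    # encrypted traffic: the subdomain itself
]
# Pre-regex custom application entries (glob style), as quoted in the post.
GLOB_PATTERNS = ["sub.example.com", "*.sub.example.com"]


def url_matches(url: str) -> bool:
    """Does the URL pattern fire on a full (decrypted or plain HTTP) URL?"""
    return URL_PATTERN.search(url) is not None


def sni_matches(host: str) -> bool:
    """Does either SNI regex fire on the hostname seen in the TLS ClientHello?"""
    return any(p.search(host) for p in SNI_PATTERNS)


def glob_matches(host: str) -> bool:
    """Would the old glob-style entries have matched this hostname?"""
    return any(fnmatch(host, g) for g in GLOB_PATTERNS)


def differences(hosts):
    """Return the hostnames where regex and glob matching disagree.

    Useful as a check after converting an app: the SNI regexes have no '$'
    anchor, so a longer name that merely starts with sub.example.com also
    matches them, while the globs require an exact or one-level-below match.
    """
    return [h for h in hosts if sni_matches(h) != glob_matches(h)]


# Constructed sample data.
SAMPLE_URLS = [
    "http://sub.example.com/redirect?to=portal",   # match: "/sub.example.com/" present
    "http://www.example.com/sub.example.com",      # no match: no trailing slash after the name
]
SAMPLE_HOSTS = [
    "sub.example.com",            # both approaches match
    "api.sub.example.com",        # both approaches match
    "notsub.example.com",         # neither matches (no leading dot, not at start)
    "example.com",                # neither matches
    "sub.example.com.other.tld",  # regex matches (unanchored), glob does not
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"URL {u!r}: {url_matches(u)}")
    print("regex/glob disagree on:", differences(SAMPLE_HOSTS))
```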