Thanks for reply, however this is exactly the same SK I listed. I am defining custom application as instructed by the table:

One seriously important note: \/example\.com would also match "superlegitsite.phish/example.com". Matching is performed against the entire URL, including scheme, so to be safe, you must anchor it like this:

^https?://example\.com/

To allow zero or more subdomains:

^https?://([^/]+\.)*example.com/

To require subdomains, change the asterisk to a plus.

thanks for that, but I prefer to stick with recommendations by Checkpoint rather than using my own regex. Depending how Checkpoint implemented URL parsing some definitions can lead to performance degradation. 

ouch... You should be very strict with custom URL regex definitions.

See sk106623, this is exactly the problem you might have. If you whitelist *example.com, xxxexample.com will match too. 

Also, don't you get warning about performance impact when adding * ?

Yea, of course there is warning, but thats there simply for not following the sk itself, I mean, I even had 3 TAC people tell me to do it the way I described, since we could not make it work with any available method from the article, so really no point spending 10 hours on the phone for something that may not function : - )

What I did took literally 2 minutes and it worked!

Gotcha. The thing is, that some phishing sites are created to contain valid names, like newyoutube.com and it can slip through the filtering.

Forgot to mention, my case is actually not for whitelisting, but for bypassing ssl inspection instead. I want to bypass repo1.maven.org and any of its subdomains.

K, not sure what time zone you are in, but we can do remote later and see whats going on. Im in EST (GMT - 5)

Thanks for the offer, but there is no urgency here and I applied workaround meanwhile. The sole purpose of this thread is to make sure checkpoint recommendations and regex syntax is up to date.

Hi there,

I am just trying to use what was suggested by Checkpoint in the form of multiple SKs. Indeed you have the option to define custom app without regex, however that was not my initial question.

If that's only documentation issue, that is an easy fix, however even TAC seems struggling to give definite answer. If "best practices" are confusing, I see why people just go with their own regex definitions, which could lead to questionable enforcement.

Unfortunately, this is one of those things where different people take different approach. I agree with you though, wish there was one definite answer/method as far as defining those things.

The non-regular-expression matching expression "*.mydomain.com" turns into ".*\.mydomain\.com" when the object is sent to the firewall. That's dangerous, as it matches "sub.mydomain.com.superlegitsite.phish" and "superlegitsite.phish/sub.mydomain.com".

Understood, but still the translated/"converted to" RegExp would be much more simpler than the complex ones that they address in SK's.

Like you confirmed RegExp would be still used for matches, as it's easiest way to match URL's .

In order to prevent some of those unwanted matches, we could writhe *.mydomain.com as *.mydomain.com/ ???? 

That would cut some of the unwanted matches.... 

We're not using too many Custom Applications as we preferred to start using the FQDN objects. Still not perfect according to others, but for us is quite OK 🙂 .

Maybe there could be written an script or smth that could emulate the load that the system will get when using an complex RegExp compared with simple one... or like @abihsot__ requires, a clearer document/guide. 

Simple: ^https?://([^/]+\.)*example.com/

Complex: ^(https?:\/\/)?([^\/.]+?\.)*?leading2lean\.com(:[0-9]+)?(\/|$)

Thank you,

PS: I remember reading in the past (and few minutes ago) about "Application Control Signature Tool", but I never went using it.

Optimizing regular expression match performance is a fairly complicated topic. The short version is to minimize your use of . and character classes, and to make your repeated matches non-greedy.

Non-greedy matching is pretty simple. Regular expression matching engines try to match the whole string, then if that fails, they step back one character and try to match the whole string again, repeating until they get a match or fail. This is called greedy matching, because each repeated item will match all repetitions in a row. Adding a question mark after a repetition causes that repetition to be matched non-greedily. A +? will match one character, then try to match the rest of the expression. If it fails, it will match two characters, then try to match the rest of the expression. The match expands from the start rather than contracting from the end. For example, "[a-zA-Z0-9]+?\." is faster to match than "[a-zA-Z0-9]+\." is.

I’m pretty sure the expression matched starts with the host (i.e. what’s immediately after https://).
Which means if you want to match example.com (and ONLY example.com), you’d use something like: ^example\.com($|\/)

That should match example.com as well as any other URL on example.com.