This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
chethan_m
Collaborator
‎2023-12-06 11:39 AM
Jump to solution

HTTP header insertion to restrict Personal Email domain and allow only YouTube Education Cate

Hi All, 

 

I am currently working on a use case where I need to block Google Suite and Office 365 personal access and only allow corporate / enterprise users / domains via the perimeter firewall.

The Checkpoint Cluster is running R81.20 with its recommended JHF too.

I referred the following SK146993 for the configuration: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and ...

 

As a test, when a user tries to login using his personal gmail.com mail ID to the Google workspace, he is redirected to accounts.google.com and Google Server restricts the access as expected. 

Now without closing the browser if the user opens a new tab, you can see that the account is logged in and the restriction is only applied to Gmail and not any other Google SaaS applications like Google Drive, Google Photos, etc. 

The same problem with Microsoft O365 too.

 

Gmail header parameter value: 

(
	:appi_parameters (
		: (
			:app_id (10069697)
			:parameters (
				: (
					:parameter_type ("Header Injection")
					:parameter_values (
						: (
							:type ("Header Name")
							:value ("X-GoogApps-Allowed-Domains")
						)
						: (
							:type ("Header Value")
							:value ("example.com") 
						)
					)
				)
			)
		)				
	)

 

Are these application IDs CheckPoint specific? If yes, where can I find the App IDs for the rest of the applications. And can I use same header type and values for other Google SaaS applications?

 

The built in enterprise applications are of no use too. I believe I need to write one more community post to get solutions for queries. 

 

Thank you!

Chethan 

CCSM R81

0 Kudos
1 Solution

Accepted Solutions
chethan_m
Collaborator
‎2023-12-15 11:07 PM
Jump to solution

The issue is resolved now. R81.20 with its recommended JHF Take 41 had issues with Office365 tenant restrictions. The TAC sent custom hotfix that fixed the issue.

Screenshot 2023-12-15 211917.png

View solution in original post

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2023-12-10 11:40 PM
Jump to solution

Did you consult with TAC about it yet?

0 Kudos
chethan_m
Collaborator
‎2023-12-13 03:00 AM
In response to _Val_
Jump to solution

We received Google Suite applications' App ID(s) from a local SE. Now restrictions for Google applications are in-place and it is working. 

For Office 365 corporate tenant, I did a kernel debug on application module & network rule base and figured out the application ID (60342666). Replaced it with the app_id provided in SK article. And it worked. Now restrictions are working for O365 Tenant too (allows access only to specified company domain as expected).

 

conn: <dir 0, <src-ip>:62356 -> <dest-ip>:443 IPP 6> app found. app_sig_id = 60342666:4;

@@;34216096.2229697;11Dec2023 19:12:56.303254;[vs_0];[tid_0];[fw4_0];1:{global} appi_app_db_get_app_name:  app_name "Office365"

@;34216096.2229698;11Dec2023 19:12:56.303256;[vs_0];[tid_0];[fw4_0];1:{global} appi_clobs_observer_execute_app_parameters: called, context_id = 144;

@;34216096.2229699;11Dec2023 19:12:56.303257;[vs_0];[tid_0];[fw4_0];1:{policy} appi_clobs_observer_execute_app_parameters: called with clob 0x7fa708b108f8, app_id 60342666;

@;34216096.2229700;11Dec2023 19:12:56.303259;[vs_0];[tid_0];[fw4_0];1:{policy} appi_clobs_observer_execute_app_parameters: offset = 27, header: 'Restrict-Access-To-Tenants:';

@;34216096.2229701;11Dec2023 19:12:56.303260;[vs_0];[tid_0];[fw4_0];1:{policy} appi_clobs_observer_execute_app_parameters: header to inject: 'Restrict-Access-To-Tenants:<company-domain>';

 

But we are still facing issues with Office365 Consumer Tenant. No where in the debug logs, I see a hit for 60529910 or the Office365-Consumer application.

 

Yes, raised a TAC case for O365 Consumer Tenant. No help yet. 

 

I have populated the following IDs and could enforce restrictions on Personal Outlook, Personal OneDrive, Personal Skype. only. Unfortunately, MS Teams, Word, Excel, PowerPoint still opens. If I can find out app_id for "Office Web Apps" application, I can restrict word, excel, powerpoint too.

 


Office365 60342666
Bing 10091087
Office365-enterprise 60523269
Outlook Web Access 60095716
Microsoft OneDrive-web 10051643
Office365 OneDrive-web 60519385
MSN-web 60461540
Microsoft Services 60521466
Skype 60096017
Microsoft Teams 60522962
Microsoft Account 10080892
Microsoft Services 60521466

0x41cipher
Participant
‎2024-04-18 03:37 AM
In response to chethan_m
Jump to solution

Please share the App IDs for Google Suite Applications. I am facing a similar issue with G-suite applications.

Thank you.

0 Kudos
chethan_m
Collaborator
‎2023-12-15 11:07 PM
Jump to solution

The issue is resolved now. R81.20 with its recommended JHF Take 41 had issues with Office365 tenant restrictions. The TAC sent custom hotfix that fixed the issue.

Screenshot 2023-12-15 211917.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events