Need to block access to Microsoft Copilot

AttiqRahman786 · ‎2024-08-28

Hello All,

I have blocked ChatGPT and Google Gemini, using their respective apps in App&URL policy. the access to these two is blocked.

but i cannot block Microsoft copilot uisng the "Microsoft Copilot" app.

I have also tried creating a custom app, using chat.bing.com which is forwarded to bing.com/chat, without any luck. Customer do not want to get blocked for bing.com, but only the chat/AI should be blocked.

Also tried blocking bing.com/chat (chat.bing.com gets forwarded to this) and used Regex as well, but for some reason, Microsoft copilot is not getting blocked.

even tried to manually override the bing.com/chat category.

SMS and Gateways on R81.10 JHA take 156.

Any help will be much appreciated.

Thanks

Chris_Atkinson · ‎2024-08-28

Have you tried the "Artificial Intelligence" category or is there a reason that you're attempting to be more specific?

CCSM R77/R80/ELITE

AttiqRahman786 · ‎2024-08-28

Yes i did try that first. it blocks lots of internal apps as well that are required. so decided to block only the specific ones.

Funny thing is Microsoft copilot was not blocked even when using the whole AI category.

Tal_Paz-Fridman · ‎2024-08-28

You can add the specific application to the rule:

AttiqRahman786 · ‎2024-08-28

Yes i have done the same thing. ChatGPT and Google Gemini are being blocked but not Microsoft Copilot.

Please see the image attached.

Tal_Paz-Fridman · ‎2024-08-28

I see. I will ask relevant teams to look at this.

AttiqRahman786 · ‎2024-08-28

Thanks a lot.

PhoneBoy · ‎2024-08-28

If you haven't already, I suggest opening a TAC case: https://help.checkpoint.com

the_rock · ‎2024-08-28

I did exactly what @Tal_Paz-Fridman suggested, worked fine. I also made sure its inspected by https policy and verified copilot.microsoft.com is blocked as well.

Andy

Best,
Andy

AttiqRahman786 · ‎2024-08-28

That could be the thing. we have not enabled https inspection, instead using SNI, and its working for other two Apps. not for MS Copilot though.

due to the URL redirection, I guess SNI is not working as expected.

@PhoneBoy what do you think, should raise a TAC case?

the_rock · ‎2024-08-28

That could be the issue, you most likely need ssl inspection turned on, not sure how it can work otherwise.

Andy

Best,
Andy

the_rock · ‎2024-08-28

Also, check out this post from 2021. I know that was before R81.20, but it has lots of GREAT responses.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Categorize-HTTPS-Websites/m-p/134729/emcs_t/S2...

Best,
Andy

AttiqRahman786 · ‎2024-08-28

That was a good read. Thanks a lot.

the_rock · ‎2024-08-28

No problem. @_Val_ explained it really well in one of his posts there.

Andy

Best,
Andy

PhoneBoy · ‎2024-08-28

To block a specific URL (e.g. bing.com/chat), you definitely will need HTTPS Inspection.
Possible that is required for the App Control signature to work.

AttiqRahman786 · ‎2024-08-29

Yes i understand. Thanks a lot.

the_rock · ‎2024-08-29

100% you would need ssl inspection enabled for the app control to fully function, for sure.

Let me try explain it in simple terms, hope it will make sense, but if not, let me know...so with ssl inspection on, fw will act as MITM (man in the middle), intercepting requests between client/server. Without it, yes, you can block pages, BUT, block page will never show up, as there would be nothing for the firewall to inspect/intercept.

Same goes for any app you wish to block.

Andy

Best,
Andy

Are you a member of CheckMates?

Need to block access to Microsoft Copilot