Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Gregory_Link
Contributor
Jump to solution

Reason why Checkpoint doesn't like my regex block for C2 traffic?

Trying to implement a regex block from a threat feed for known C2 traffic on app/url blade and policy will not install.  The only thing I noticed is the + operator that Checkpoint doesn't appear to like.  However, this conforms to PCRE format when I test on regex101.  Has anyone else dealt with this and how have you addressed it?

 

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._-]+\/)+[1-3]c\.jpg$

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend

Replicated using R80.30 JT 111 SMS + GW + GW Cluster:

- Verify is successfull

- Access policy install fails:

- Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000178).
---
According to sk154435:
 
Cause:

Custom application site object has a bad regular expression (regex) configured.

Solution:

Fix problematic regex syntax, or delete it from the database.

For example:

Problem in all the regex with the last hyphen inside the brackets. It must be escaped with backslash.

Change: ^https?:\/\/([A-Za-z0-9.-]+\.)?ama-assn\.org

To: ^https?:\/\/([A-Za-z0-9.\-]+\.)?ama-assn\.org

---

After changing the RegEx to

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._\-]+\/)+[1-3]c\.jpg$

Policy install succeeds

😎

Please try yourself, then mark this post as the solution...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
What release?
What specific error do you get?
0 Kudos
G_W_Albrecht
Legend Legend
Legend

Replicated using R80.30 JT 111 SMS + GW + GW Cluster:

- Verify is successfull

- Access policy install fails:

- Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000178).
---
According to sk154435:
 
Cause:

Custom application site object has a bad regular expression (regex) configured.

Solution:

Fix problematic regex syntax, or delete it from the database.

For example:

Problem in all the regex with the last hyphen inside the brackets. It must be escaped with backslash.

Change: ^https?:\/\/([A-Za-z0-9.-]+\.)?ama-assn\.org

To: ^https?:\/\/([A-Za-z0-9.\-]+\.)?ama-assn\.org

---

After changing the RegEx to

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._\-]+\/)+[1-3]c\.jpg$

Policy install succeeds

😎

Please try yourself, then mark this post as the solution...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Gregory_Link
Contributor

@G_W_Albrecht - Appreciate the help here.  Escaping the dash did the trick.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events