This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gregory_Link
Contributor
‎2019-12-05 01:02 PM

Reason why Checkpoint doesn't like my regex block for C2 traffic?

Jump to solution

Trying to implement a regex block from a threat feed for known C2 traffic on app/url blade and policy will not install.  The only thing I noticed is the + operator that Checkpoint doesn't appear to like.  However, this conforms to PCRE format when I test on regex101.  Has anyone else dealt with this and how have you addressed it?

 

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._-]+\/)+[1-3]c\.jpg$

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend
Legend
‎2019-12-06 02:34 AM
In response to PhoneBoy

Jump to solution

Replicated using R80.30 JT 111 SMS + GW + GW Cluster:

- Verify is successfull

- Access policy install fails:

- Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000178).
---
According to sk154435:
 
Cause:

Custom application site object has a bad regular expression (regex) configured.

Solution:

Fix problematic regex syntax, or delete it from the database.

For example:

Problem in all the regex with the last hyphen inside the brackets. It must be escaped with backslash.

Change: ^https?:\/\/([A-Za-z0-9.-]+\.)?ama-assn\.org

To: ^https?:\/\/([A-Za-z0-9.\-]+\.)?ama-assn\.org

---

After changing the RegEx to

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._\-]+\/)+[1-3]c\.jpg$

Policy install succeeds

😎

Please try yourself, then mark this post as the solution...

CCSE CCTE SMB Specialist

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2019-12-05 03:27 PM

Jump to solution
What release?
What specific error do you get?
0 Kudos
G_W_Albrecht
Legend
Legend
‎2019-12-06 02:34 AM
In response to PhoneBoy

Jump to solution

Replicated using R80.30 JT 111 SMS + GW + GW Cluster:

- Verify is successfull

- Access policy install fails:

- Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000178).
---
According to sk154435:
 
Cause:

Custom application site object has a bad regular expression (regex) configured.

Solution:

Fix problematic regex syntax, or delete it from the database.

For example:

Problem in all the regex with the last hyphen inside the brackets. It must be escaped with backslash.

Change: ^https?:\/\/([A-Za-z0-9.-]+\.)?ama-assn\.org

To: ^https?:\/\/([A-Za-z0-9.\-]+\.)?ama-assn\.org

---

After changing the RegEx to

^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._\-]+\/)+[1-3]c\.jpg$

Policy install succeeds

😎

Please try yourself, then mark this post as the solution...

CCSE CCTE SMB Specialist
Gregory_Link
Contributor
‎2019-12-06 05:26 AM
In response to G_W_Albrecht

Jump to solution

@G_W_Albrecht - Appreciate the help here.  Escaping the dash did the trick.

0 Kudos