This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dkzndkqh
Contributor
‎2025-09-01 04:28 AM

The URL list inside the Custom Application/Site object is not being applied.

 

Here’s a natural English translation of what you wrote:

Currently, as seen from the nslookup, I have added the following domains to the URL list in a Custom Application/Site object:

 
gig-ai-g-prod-australiaeast-2-app-v4-tag.australiaeast.cloudapp.azure.com Address: 20.213.196.212
Aliases: dc.services.visualstudio.com
dc.applicationinsights.microsoft.com
dc.applicationinsights.azure.com
global.in.ai.monitor.azure.com
global.in.ai.privatelink.monitor.azure.com
dc.trafficmanager.net
australiaeast-global.in.applicationinsights.azure.com
gig-ai-prod-australiaeast-global.trafficmanager.net 
 

For each domain, I have added three entries in the URL list, for example:
dc.services.visualstudio.com, *.dc.services.visualstudio.com, *dc.services.visualstudio.com.

Despite this, the policy containing this Custom Application/Site object is not being applied.

So I tested using regular expressions. To access gig-ai-g-prod-australiaeast-2-app-v4-tag.australiaeast.cloudapp.azure.com, I added the first domain in the chain, dc.services.visualstudio.com, to the custom object’s list as:

\/dc.services.visualstudio.com
\.dc.services.visualstudio.com 
 

(Note: I did not remove the previous URL list entries that were not regular expressions.)

However, drop logs are still being generated starting from the first domain in the chain. If my understanding is correct, if the regular expressions for the first domain in the chain were being applied, the drop logs should appear for the second domain in the chain. Am I correct in thinking this?

current using : SG6200  R81.20SP JHT89 and management server : Smart1 5050 R81.20 JHT84

0 Kudos
16 Replies
PhoneBoy
Admin
Admin
‎2025-09-02 07:54 AM

Can you provide a full log card via a screenshot? (Redact any sensitive details)

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-02 04:32 PM

So what exact domain fails? If you can give us a log example, like @PhoneBoy had asked, it would help.

Andy

Best,
Andy
0 Kudos
dkzndkqh
Contributor
‎2025-09-02 06:22 PM
In response to the_rock

It seems that, according to the logs, the URL Filtering blade detects first, and then the Firewall appears.

The URLs to be allowed are as follows. They seem to be the URLs required for using the Azure service.

  • gig-ai-g-prod-australiaeast-0-app-v4-tag.australiaeast.cloudapp.azure.com
  • gig-ai-g-prod-australiaeast-1-app-v4-tag.australiaeast.cloudapp.azure.com
  • gig-ai-g-prod-australiaeast-2-app-v4-tag.australiaeast.cloudapp.azure.com
  • dc.services.visualstudio.com

The screenshot shows how the regular expression was written, but could it be that I made a mistake in the regular expression? For now, since I don’t know what kind of subdomain might appear under the URL to be allowed, I specified it in the format like \/gig-ai-g-prod-australiaeast-0-app-v4-tag\.australiaeast\.cloudapp\.azure.com. And to allow only the main domain itself, I specified it like \.gig-ai-g-prod-australiaeast-0-app-v4-tag.australiaeast.cloudapp.azure.com. 

Would the format ^gig-ai-g-prod-australiaeast-0-app-v4-tag\.australiaeast\.cloudapp\.azure.com only match the exact domain gig-ai-g-prod-australiaeast-0-app-v4-tag.australiaeast.cloudapp.azure.com?

Going further, ultimately I’m wondering why it doesn’t take effect even when I add the URLs into the existing Custom Application/Site list, and also why it doesn’t work when I use regular expressions. Could it be because the URL list inside is too large? There are about 290 entries, and most of the domains configured inside are using *.

Preview file
5 KB
Preview file
4 KB
Preview file
9 KB
Preview file
7 KB
Preview file
77 KB
Preview file
66 KB
Preview file
34 KB
Preview file
80 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-02 06:24 PM
In response to dkzndkqh

Just add *cloudapp.azure* as custom app site and it will work.

Andy

Best,
Andy
0 Kudos
dkzndkqh
Contributor
‎2025-09-02 06:37 PM
In response to the_rock

When accessing the domain gig-ai-g-prod-australiaeast-0-app-v4-tag.australiaeast.cloudapp.azure.com, do I also need to register the actual SNI along with it?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-02 06:49 PM
In response to dkzndkqh

I dont have lab access atm, will check in the morning, but either way, if you use ordered layer with appc and urlf blades on or same as network layer, just create a rule with services as custom url object and add "cloudapp.azure" and see if it lets you check regular expression (used to be able to in R81.20), but may not in R82. Regardless if it does or not, that should work.

Andy

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-09-03 04:30 AM
In response to dkzndkqh

 

Have a look at https://regex101.com/, a good place for learning and testing RegEx !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2025-09-03 10:35 AM
In response to dkzndkqh

The hostname part of the URL is always matched on SNI, just FYI.
That applies even with full HTTPS Inspection enabled.
If you're having matching issues, that's where I'd start looking.

Yes, ^ anchors the expression at the beginning of the URL after https://.

0 Kudos
dkzndkqh
Contributor
‎2025-09-03 05:33 PM
In response to PhoneBoy

In the screenshot log I attached, the SNI value appears as dc.services.visualstudio.com. However, even if I add this URL to the URL list, it does not apply. Without using a regular expression, is there a better way to register it than using .services.visualstudio.com or dc.services.visualstudio.com?

0 Kudos
PhoneBoy
Admin
Admin
‎2025-09-04 02:32 PM
In response to dkzndkqh

SNI is in a field called Resource, I believe (not the Destination). 

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-09-04 02:41 PM
In response to PhoneBoy

In my research, the carat anchors before the "https", so you need to include the scheme in your expression.

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2025-09-03 01:50 AM

@dkzndkqh to use URL-Filtering on HTTPS websites you must use HTTPS inspection or the light version "Categorize HTTPS websites". With the light version the URLs have to be seen via the SNI.

Which application or service do you want to use ? Maybee a service from the "Updatable objects" can be used to allow instead of the the URL filter.

0 Kudos
dkzndkqh
Contributor
‎2025-09-03 05:33 PM
In response to Wolfgang

At present, I can only confirm that it is related to Azure services. I also do not know exactly which specific Azure service is being used.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-03 06:32 PM
In response to dkzndkqh

Have you tried using updatable objects to see if that makes a difference?

Andy

Best,
Andy
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2025-09-03 11:09 PM
In response to dkzndkqh

Question again..... Is HTTPS inspection and/or "categorize HTTPS websites" enabled ? URLF does not work for encrypted websites witout this.

As mentioned by @the_rock  and me you can try with the "Azure Services" as destination. If you use these updatable objects you don't need HTTPS inspection.

Screenshot 2025-09-04 080418.png

0 Kudos
dkzndkqh
Contributor
‎2025-09-04 01:12 AM
In response to Wolfgang

Currently, I am using Categorize HTTPS, not Inspection. Is the method of using updatable objects similar to FQDN?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events