
URL filtering not working

On the Check Point management server we have an ordered layer for our access rules.


Application and URL filtering.


We need to whitelist a certain subnet to access certain specific URLs, and the rest of the Internet access from that subnet is denied by the default deny rule in the Application and URL Filtering rule base. Below are some of the URLs I need whitelisted.


So for this access I created a new custom Application/Site and created a rule in the Application/URL Filtering rule base with the source as the subnet, the destination as any, the newly created custom Application/Site in Services/Applications, and the action permit.


When I check the custom Application/Site I created, I can see that http and https are allowed.


Now when I try to access the website from a host in that subnet, it is still getting blocked by the default deny rule in the Application and URL Filtering rule base, even though I have kept the newly created rule above the default deny.


Can someone please help me understand why this is happening and what the solution is?

0 Kudos
4 Replies

Unless you are using R80.20 with JHF 117 or above or R80.30, the way we determine what site you are connecting to with HTTPS is the CN of the certificate of the site in question.
For, the CN says
For, the CN says *

That means you will either need to:
1. Change your rules to match what the CN says for the sites in question.
2. Upgrade to R80.20 JHF 117+ or R80.30 where we filter based on verified client SNI.

My gateway is on R80.10 and the hardware is an open server.

On the newly created application/url list I have put the CN of the website


for , in the application/url list I have put * Still the https traffic to this URL is getting blocked by the default deny instead of the allowed rule.

0 Kudos

On our policy then would be entering as


As the allowed URL

"URLs are defined as Regular Expression" is unchecked.

Gateway is R77.30

0 Kudos

It's possible that matching the CN of the certificate doesn't support wildcards.
Best to check with the TAC.
In any case, highly recommend upgrading from R80.10.

Another option is to use the Application Control Signature tool and create an SNI-based signature for the site in question.
0 Kudos
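
An added illustration of the CN-versus-SNI point made in the replies above; it is not code from the thread or from Check Point. It assumes the rule entry is compared to the site identifier as a literal, case-insensitive string (the thread leaves wildcard support open), and the certificate and hostnames are constructed samples.

```python
# Added example: which string does a CN-based filter see, and which an SNI-based one?
# Assumption: entries are compared literally and case-insensitively.

def cert_common_name(peercert):
    """Return the subject CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def wildcard_covers(pattern, host):
    """True if a certificate name covers host; '*' stands for one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]

def explain(entries, requested_host, peercert):
    """For each allow-list entry, report whether it equals the identifier each
    filtering mode would use: the certificate CN or the client SNI."""
    cn = cert_common_name(peercert)
    report = {}
    for entry in entries:
        e = entry.lower()
        report[entry] = {
            "cn_based": cn is not None and e == cn.lower(),
            "sni_based": e == requested_host.lower(),
            # The site's certificate is valid for this name, yet that alone
            # does not make a CN-based comparison succeed.
            "cert_covers_entry": cn is not None and wildcard_covers(cn, entry),
        }
    return cn, report

# Constructed sample: a site whose certificate carries a wildcard CN.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "*.example.com"),)),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
SAMPLE_ENTRIES = ["www.example.com", "*.example.com"]

if __name__ == "__main__":
    cn, report = explain(SAMPLE_ENTRIES, "www.example.com", SAMPLE_CERT)
    print("certificate CN:", cn)
    for entry, result in report.items():
        print(entry, result)
```

On a live site, the same dict comes from `ssl.SSLSocket.getpeercert()` after a handshake, so the CN can be compared against the entries in the custom Application/Site.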

