This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nw-team01
Participant
‎2020-10-14 06:54 AM

Wildcard fqdn not matching R80.40

Hi,

I have a problem using wildcard fqdn's in R80.40, here is the exact issue:

DE-FRA-ANX-P002.teamviewer.com

will not match to: .*.teamviewer.com  or .*teamviewer.com or .teamviewer.com 

No matter what combination i try, all traffic towards teamviewer.com ends up in the cleanup rule.

Similar issues with other domains also: .*citrixonline\.*, .*gotomeeting\.*...

Can anyone help me with this?

5 Replies
PhoneBoy
Admin
Admin
‎2020-10-14 07:04 AM

What precise object type are you using to create this?
Perhaps a screenshot would help.

If it’s a Domain object, this won’t work at all since that relies on reverse DNS which is almost never going to resolve to the correct name.
If it’s a Custom Application/Site, then it will only work for HTTP/HTTPS traffic.

I’m also pretty sure we have an App Control definition for TeamViewer which I recommend instead.

0 Kudos
nw-team01
Participant
‎2020-10-14 07:20 AM
In response to PhoneBoy

So i gather that domain Objects are not the way to got with this.

i'm glad you mentioned App Control definition for TeamViewer, i was going to make a separate post for this. As using this results in a permit any for all ports matched in the App Control definition for TeamViewer. Including http and https.

Connections are permitted with this reason:

Connection terminated before detection: Insufficient data passed.
To learn more see sk113479.

 

I've atached some screenshots.

Thanks for your help.

ALC_1.JPG
Preview file
24 KB
Log_2.JPG
Preview file
125 KB
Log_1.JPG
Preview file
116 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-14 08:33 PM
In response to nw-team01

That’s the way App Control works: some traffic has to be allowed on the relevant ports for TeamViewer in order to determine it’s actually TeamViewer.
If the connection terminates before we’ve made a determination, which usually requires a few packets, then yes, that connection will be allowed.

What is your precise goal here?
Is it to allow access to TeamViewer’s website, using the TeamViewer application, or?
The TeamViewer website may require a different rule than the Application Signature, which is more for the TeamViewer application itself.

0 Kudos
_Val_
Admin
Admin
‎2020-10-14 11:53 PM

FQDN is not a wildcard, is it?

0 Kudos
nw-team01
Participant
‎2020-10-15 12:41 AM
In response to _Val_

Yes, i have now learned that wildcard fqdn's dont work.

My goal is to get teamviewer working again. Something on the end user PC's changed and the proxy settings are ignored, of course no one knows why. And only our Sites in Romania are affected.

I've just tested again using the App Control definition for TeamViewer, that works fine for me.

 

Slightly off topic here, but regarding fqdn's. I use the ip block tool described in sk103154 and beside some dynamic feeds i also feed a list (attached) of fqdn's and IP's that i manually edit. That should be fine i hope when not using wildcards..?

blacklist.txt
Preview file
2 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top