This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JPR
Collaborator
‎2025-02-19 02:18 AM

Zoom and Custom Application/Site

I got two questions I hope some of you can help me with.

1)

I have a rule in my rulebase that looks like this:

zoom.png

The content of the Custom Application Site is this:

zoom1.png

I have a rule further down that blocks various categories. When I go to https://zoom.com it hits the rule above and I get to the site. When I go to https://zoom.us it doesn't hit the rule above, but continues and gets blocked by the rule that block various categories. Do any of you have any idea as to why that is?

2)

Zoom.us gets blocked because it falls into the category of "Web Confenrencing":

blockzoom.jpg

The funny thing is, though, we don't block for that:

blockcat.png

Do any of you have an idea to why it gets blocked anyway?

Thanks!

0 Kudos
9 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-02-19 02:26 AM

Have you tried using the predefined Zoom applications?

 

Zoom Application.png

 

Zoom Applications.png

JPR
Collaborator
‎2025-02-19 02:50 AM
In response to Tal_Paz-Fridman

Sorry, I can see I needed to add a bit more context.

The thing is, that it is an inline rule:

zoominlinwe.png

So we allow conncetions to zoom.com and zoom.us unless it is one of these URLS:

zoomdeny.png

We don't allow people to join Zoom meetings from our internal environment, but they need to be able to schedule meetings and so on.

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-02-19 04:10 AM
In response to JPR

Hi @JPR 

The HTTPs Inspection is enabled on the firewall?

 

2025-02-19 13_14_28-Zoom and Custom Application_Site - Check Point CheckMates.png

https://support.checkpoint.com/results/sk/sk106623

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-19 08:09 AM

That’s weird because zoom.us shows up as Computers/Internet when I look it up:

IMG_2893.jpeg

Do the logs explicitly say this is the rule that is blocking the traffic?
And are you using HTTPS Inspection because you can’t block on a specific HTTPS URL without it.

JPR
Collaborator
‎2025-02-20 02:42 AM
In response to PhoneBoy

I've tried to modify my rule(s) the way Akos suggested and it worked yesterday, but this morning zoom.us was again being blocked:

zoomblock.jpg

HTTPS Inspection in enabled and it gets inspected, however, I no longer see any categorization in the actual log:

httpsi.jpg

And I experience the same for cran.r-project.org that gets categorized as Computer/Internet (which we don't block), however, it hits our blocking of categories rule. And again there's no category in the log in SmarteConsole.

The above was a mistake. cran.r-project.org is categorized as Software Downloads and that we are blocking (r-project.org is categorized as Computers/Internet and works); my bad...

I still don't see any categories in the Smart Console logs. Is that an issue, though?

Any ideas? 😕

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-20 05:19 AM
In response to JPR

I suggest involving TAC here.

the_rock
MVP Platinum
MVP Platinum
‎2025-02-20 09:55 AM
In response to JPR

What I always do in my lab is create custom category like you did, but simply add *zoom*, thats it.

Andy

Best,
Andy
JPR
Collaborator
‎2025-02-21 06:46 AM
In response to JPR

Thanks to all of you; always appreciate your input 🙂

I think I got it to work, however, I'm still a little worried/suspicious as to why it started working rather randomly especially access to zoom.us.

I tried with URLs as Regex as Akos suggested, but I've ended up just doing it non-regex and it seems to work after some trial and error with the URLs.

I'm considering involving TAC regarding the issue with categorization and missing categories in the log file, but I just want to be sure it's not just a simple mistake in my end.

the_rock
MVP Platinum
MVP Platinum
‎2025-02-21 06:49 AM
In response to JPR

I think thats a good idea, they can definitely confirm.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events