Gil_Lim
Explorer

to allow URLs with wildcard destinations on non web browsing ports

Hello Checkmates! Can anyone help out with how to allow the following wildcard URLs on non-web-browsing traffic on R81.10? We can't use a Non-FQDN object because reverse DNS is not working, and an Updatable Object is also not available.

Destination:
*.bam.nr-data.net
*.apse2.pure.cloud

Ports/Services:
TCP/UDP 3478 (STUN)
TCP/UDP 19302 (STUN)
UDP 16384-32768 (SRTP/TURN)
TCP 8191 (HTTPS)
6 Replies
PhoneBoy
Admin

For things that are actually HTTPS, you need to ensure the ports are configured here: 

[screenshot: Application Control Web Browsing Services port list]

However, you list several things that aren't HTTPS.
If the gateway is in the path between the client and their configured DNS server, Passive DNS Learning can help with non-FQDN Domain Objects.
https://support.checkpoint.com/results/sk/sk161612 

If the vendor in question provides a list of IPs in JSON or a flat file form, upgrade to R81.20 and use a Network Feed object.

Gil_Lim
Explorer

[screenshot: New Application/Site dialog]

Thanks for the updates.

We do use many Custom Application/Site objects that allow Web Browsing Services.

If we add more ports under Application Control Web Browsing Services, the other Custom Applications/Sites will be affected by this, and it ends up allowing extra ports for other Custom Applications/Sites, which we don't want.

Hope there is an option to choose something other than Web Browsing under New Application/Site.

emmap
Employee

If it's not actually web browsing then you should be using an FQDN object as the destination and then the services as normal. 

PhoneBoy
Admin

Yes, this is a global setting that affects all such Custom Application/Sites, which are primarily for applications that use HTTP/HTTPS.
For applications that speak other protocols, you will need to use either a Domain Object or possibly a Network Feed (in R81.20), though I'm double-checking that it will work for this use case (e.g. including *.example.com).

PhoneBoy
Admin

I double-checked with R&D and confirmed that wildcards can be used in entries listed there (provided it's something like *.example.com and not www.*.com, i.e. the wildcard is first).
This also requires Passive DNS Learning to be enabled, which requires the gateway to see all the DNS requests from the clients: https://support.checkpoint.com/results/sk/sk161612

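To make the mechanism in the two replies above concrete (an FQDN/Domain Object with a leading wildcard as the destination, plain TCP/UDP services in the rule, and Passive DNS Learning supplying the IPs), here is an added toy model. It is not Check Point's code and does not reflect how the gateway is implemented internally; the hostnames, addresses, TTL-based expiry, and the exact wildcard matching semantics (one or more labels in front of the suffix, apex excluded) are all assumptions made for the example. The pattern validator enforces only the constraint stated in the thread: for a Domain Object the `*` must be the leading label, so `www.*.com` is rejected.

```python
"""Added example, not Check Point code: a toy model of Passive DNS Learning.
The gateway records the IPs in DNS answers it sees from clients, resolves a
wildcard Domain Object (leading '*.' only) to those IPs, and then matches a
rule on destination IP plus ordinary TCP/UDP services. Names, addresses,
TTL handling and the exact matching semantics are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int, int]  # (protocol, first port, last port), inclusive

# The services from the original question, as a constructed table.
SERVICES: List[Service] = [
    ("tcp", 3478, 3478), ("udp", 3478, 3478),      # STUN
    ("tcp", 19302, 19302), ("udp", 19302, 19302),  # STUN
    ("udp", 16384, 32768),                         # SRTP/TURN
    ("tcp", 8191, 8191),                           # HTTPS on a non-standard port
]


def is_valid_wildcard(pattern: str) -> bool:
    """Accept 'example.com' or '*.example.com'. Reject a '*' anywhere else
    ('www.*.com', '*youtube*'): the thread states the wildcard must be the
    leading label for a Domain Object."""
    p = pattern.strip().lower().rstrip(".")
    if not p or p.count("*") > 1 or p.startswith("."):
        return False
    if "*" not in p:
        return "." in p
    return p.startswith("*.") and len(p) > 2 and not p[2:].startswith(".")


def name_matches(pattern: str, fqdn: str) -> bool:
    """Assumed semantics: '*.example.com' matches any name with one or more
    labels in front of 'example.com'; the bare apex 'example.com' does not."""
    p, name = pattern.strip().lower().rstrip("."), fqdn.strip().lower().rstrip(".")
    if not is_valid_wildcard(p):
        raise ValueError(f"unsupported pattern: {pattern!r}")
    if p.startswith("*."):
        suffix = p[1:]  # '.example.com'
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == p


@dataclass
class PassiveDnsCache:
    """Addresses learned from observed DNS answers, keyed by name, each with
    an absolute expiry derived from the record TTL (an assumption: a real
    implementation may age entries differently)."""
    entries: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def learn(self, qname: str, addresses: List[str], ttl: int, now: float) -> None:
        bucket = self.entries.setdefault(qname.strip().lower().rstrip("."), {})
        for addr in addresses:
            bucket[str(ip_address(addr))] = now + ttl

    def ips_for(self, pattern: str, now: float) -> Set[str]:
        """All unexpired addresses whose learned name matches the pattern."""
        found: Set[str] = set()
        for name, addrs in self.entries.items():
            if name_matches(pattern, name):
                found.update(a for a, expiry in addrs.items() if expiry > now)
        return found


@dataclass
class Rule:
    destinations: List[str]  # wildcard Domain Objects
    services: List[Service]


def match_rule(rule: Rule, cache: PassiveDnsCache, dst_ip: str,
               proto: str, dport: int, now: float) -> bool:
    """True when the destination IP was learned for one of the rule's domains
    and the protocol/port falls inside one of its services."""
    if not any(p == proto.lower() and lo <= dport <= hi for p, lo, hi in rule.services):
        return False
    dst = str(ip_address(dst_ip))
    return any(dst in cache.ips_for(pattern, now) for pattern in rule.destinations)


def demo() -> Dict[str, bool]:
    """Constructed scenario: clients resolve two vendor names through the
    gateway at t=1000s, then send STUN/SRTP traffic to the learned IPs."""
    cache = PassiveDnsCache()
    cache.learn("collector.bam.nr-data.net", ["198.51.100.10"], ttl=300, now=1000.0)
    cache.learn("media.apse2.pure.cloud", ["203.0.113.5", "203.0.113.6"], ttl=60, now=1000.0)
    cache.learn("cdn.example.org", ["192.0.2.9"], ttl=300, now=1000.0)
    rule = Rule(["*.bam.nr-data.net", "*.apse2.pure.cloud"], SERVICES)
    return {
        "stun_to_learned_ip": match_rule(rule, cache, "203.0.113.5", "udp", 3478, 1010.0),
        "srtp_port_in_range": match_rule(rule, cache, "198.51.100.10", "udp", 20000, 1010.0),
        "port_not_in_services": match_rule(rule, cache, "203.0.113.5", "tcp", 443, 1010.0),
        "ip_never_learned": match_rule(rule, cache, "192.0.2.9", "udp", 3478, 1010.0),
        "learned_but_ttl_expired": match_rule(rule, cache, "203.0.113.6", "udp", 3478, 1100.0),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} -> {'accept' if allowed else 'no match'}")
```

The last two cases in `demo()` are the ones worth keeping in mind operationally: an IP the gateway never saw in a DNS answer (because the client resolved it elsewhere, or the gateway is not in the DNS path, as the sk notes) does not match, and a learned IP stops matching once its record has aged out, so a client that cached the answer longer than the gateway did can be dropped.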
the_rock
Legend

100% you can do that. Just add more services where PhoneBoy mentioned, and you can do what I always do... so, say you wish to block anything YouTube, just add *youtube*

Hope that helps.

Andy
