This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
hw
Explorer
‎2019-07-01 04:48 AM

Allow File Download from certain URLs

Hello,

we have R80.20 and normally we don't allow to download filetypes like "exe", "zip" etc.. Therefore we created a Threat Prevention policy with the action "prevent (defined in a profile)". Now we want do define some URls (as exceptions) where a file download is accpeted and allowed.

Does anybody know, how I can do this?

Thanks for any infos.

0 Kudos
6 Replies
Omer_Shliva
Employee
Employee
‎2019-07-01 10:38 PM

Hi,

Please share an example.

0 Kudos
hw
Explorer
‎2019-07-02 12:36 AM
In response to Omer_Shliva

Hi,

for example I want to download the file "KeePass" (and later also files from other URLs) from the URL https://www.heise.de/download/product/keepass-15712

Therefore I need an exception for the domain "*.heise.de", because normaly we deny to download filetypes as exe, zip.... 

I already tried to define an exception rule under the threat prevention rule (which blocks to download certain filetypes), however this doesn't work.

How can I implement this? 

Thanks.

0 Kudos
Omer_Shliva
Employee
Employee
‎2019-07-03 11:41 AM
In response to hw

Hi,

 

You can create a custom application in order to allow those certain URLs. Please refer to  sk103051 for download and guide.

Then, you can create an application for “.heise.de/download” with HTTP scenario:

1.jpg

After that, import the application into Smart Console and use it in a rule in the access policy on “allow”:

2.jpg

0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-03 01:37 PM
In response to Omer_Shliva

That only helps from an Access Control perspective.
Since he's blacklisting exes in general in Threat Prevention, he probably needs to create specific indicators that are set to "Detect" or "Inactive".
This means creating an indicator file that contains the necessary domains you want to allow and importing it.
See: https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/-_ktjOvSNsVDDJA210OA3g2.htm
0 Kudos
hw
Explorer
‎2019-07-03 11:18 PM
In response to PhoneBoy

Thanks for your answers. I will try it. 

As I described I also tried an exception under the Threat prevention. It seems that it works only with a Regex expression for the domain heise.de and not with a wildcard definition.

So the Regex: .*\.heise\.de.* allows the download from the domain heise.de however the wildcard *.heise.de or *.heise.de* doesn't work. Is the syntax for the wildcard false? I don't understand why it doesn't work with a wildcard.

 

 

0 Kudos
hw
Explorer
‎2019-07-04 02:50 AM
In response to PhoneBoy

Thank you for the infos. I will try it.

As I described in my last post, I tried to accept the download with an exception rule under the threat prevention rule (rule which blocks all exe downloads). Now it seems, that the rule works, but only if I write the URL as a Regex expression and not as a wildcard.

So the regex works: .*\.heise\.de.* but not the wildcard *.heise.de or *.heise.de*. Is the syntax of the wildcard false? Is this also a correct way if i define a Threat prevention exception?

Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events