civoulkidis
Contributor

Best Practice when blocking URL

Hi,

I would like some comments from the most experienced users about the best practice when blocking URLs.

What I am trying to do is to block specific URLs.

These URLs may belong to 2 categories:

  1. Phishing sites (not yet categorized by CheckPoint)
  2. Normal web sites
 

What I have done so far:

Rule: Source: Any, Destination: Network Group which includes destination objects (Domain, Host etc.), Action: Drop

The network group contains Domain objects. (For example, if I want to block http://blockme.com/jgsgjs/fjsh/ I create a domain object .blockme.com)

In this way I block the whole domain, which sometimes is not good.

For example when I want to block the phishing URL: https://firebasestorage.googleapis.com/v0/b/kasyropnz.appspot.com/o/faswusamino.html

I have to block the whole domain .firebasestorage.googleapis.com, which is not acceptable.

Any suggestions about the best practice?

 

0 Kudos
1 Solution

Accepted Solutions
the_rock
Authority

I will tell you what I always do and it works 100% of the time... I know I'm not nearly as experienced as most folks here, but take it for what it's worth :-). Ok, so just to give you a simple example, say you wish to block anything facebook and youtube, I would do the exact same rule as you have, but in the destination, for the URL group, I put in custom links and say *facebook* and *youtube*, that's it. I included a screenshot for your reference.

Andy

0 Kudos
8 Replies
civoulkidis
Contributor

*facebook* means that any url that contains the word facebook is matched?

0 Kudos
the_rock
Authority

yes sir!

0 Kudos
civoulkidis
Contributor

Is there any guide about Regular Expressions?

For example I want to match and block the url https://10120-0000-00010.pages.dev which contains malicious.

This Reg Exp is not working: /10120-0000-00010.pages.dev/

This is working but I have a warning for performance (sk165094):

*10120-0000-00010.pages.dev*

0 Kudos
Marcel_Gramalla
Collaborator

Look at sk106623

Basically for your example the RegEx would be \/10120-0000-0010\.pages\.com and for including subdomains additionally \.10120-0000-0010\.pages\.com

0 Kudos
civoulkidis
Contributor

10120-0000-00010\.pages\.dev worked for me and blocked the specific URL.

Note that I did not use /....../ at the beginning and at the end.

I have also checked "URLs are defined as Regular Expression". Is that correct?

 

0 Kudos
Marcel_Gramalla
Collaborator

Yes, this is correct. Please note that without the /\ at the beginning you will also block abc10120-0000-0010.pages.com. Check that with a RegEx Tester like regex101.com.

the_rock
Authority

@Marcel_Gramalla is correct. Personally, the sk that pops up when you make those changes, you can follow it, but to make it simplified, if I need to block a full FQDN, I just do it without the TLD (top level domains, such as .com, .org, .edu, .me...), as I stated in my first response. It never fails and that's why I keep using that approach.
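
Added example, not part of the thread and not Check Point code: a small offline tester that runs the pattern shapes discussed above (unescaped, escaped, slash-prefixed, slash-or-dot prefixed) against constructed URLs built around the hostname from the thread, listing what each one over-blocks or misses. It assumes patterns are applied as an unanchored search over the full URL including the scheme, uses Python's `re` as a stand-in for the gateway's regex engine, and adds a hypothetical `host_anchored` pattern that goes beyond what the thread proposes.

```python
import re

# Hostname from the thread; every URL below is constructed for illustration.
SAMPLES = [
    ("https://10120-0000-00010.pages.dev/", True),           # the reported site
    ("https://www.10120-0000-00010.pages.dev/login", True),  # its subdomain
    ("https://abc10120-0000-00010.pages.dev/", False),       # different host, same suffix
    ("https://10120-0000-00010xpagesxdev.example/", False),  # "." matched any character
    ("https://10120-0000-00010.pages.dev.example/", False),  # name continues after .dev
    ("https://example.org/?ref=https://10120-0000-00010.pages.dev/", False),  # query only
]

PATTERNS = {
    "unescaped":      r"10120-0000-00010.pages.dev",
    "escaped":        r"10120-0000-00010\.pages\.dev",
    "slash_prefixed": r"\/10120-0000-00010\.pages\.dev",
    "slash_or_dot":   r"[\/.]10120-0000-00010\.pages\.dev",
    # Hypothetical stricter form (not from the thread): anchor at the scheme and
    # require the hostname to end at a port, a slash, or the end of the URL.
    "host_anchored":  r"^https?:\/\/([^\/]*\.)?10120-0000-00010\.pages\.dev(:\d+)?(\/|$)",
}


def evaluate(name):
    """Return (over_blocked, missed) URL lists for one pattern.

    Assumption: the pattern is applied as an unanchored search over the full
    URL including the scheme, modelled here with re.search.
    """
    rx = re.compile(PATTERNS[name])
    over_blocked, missed = [], []
    for url, should_block in SAMPLES:
        hit = rx.search(url) is not None
        if hit and not should_block:
            over_blocked.append(url)
        elif should_block and not hit:
            missed.append(url)
    return over_blocked, missed


if __name__ == "__main__":
    for name in PATTERNS:
        over, miss = evaluate(name)
        print(f"{name:15} over-blocks {len(over)}  misses {len(miss)}")
        for url in over:
            print(f"    over-block: {url}")
        for url in miss:
            print(f"    miss:       {url}")
```

Results from this tester only describe Python's regex semantics; confirm the chosen pattern on the gateway itself before relying on it.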