This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
eth4_
Contributor
‎2021-12-08 06:49 AM

Custom application wildcard quandry

Hello,

I need to match several hundred sites with construction as follows:

https://category.100.somedomain.com

https://category.101.somedomain.com

...

https://category.nnn.somedomain.com

Where 'nnn' is some 3-digit number and the population of them is not known (by me) directly.

I cannot use '*.somedomain.com' because 'somedomain.com' in this case is a well-known online file storage site and I need to allow access only to those where 'category' matches our industry.  NOTE: There is an in-built application for this site but it doesn't permit the specific industry matching we require.

Under past TAC cases I've been advised to stay away from using regex expression out of performance concerns (in our case the first several regex custom applications seemed to work fine but when we added a 10th the enforcing gateways began to falter).

Ideally I'd like '?' to work like it does in many other products so I could use 'category.???.somedomain.com' but I don't see any mention of the '?' in the documentation on the topic.

What have you done in your environments in a situation like mine?

Thank you for reading.

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2021-12-08 07:25 AM

What I always do in cases like this is something along these lines. So say, you want to allow EVERYTHING news.com, I just do *news* and works perfectly well. Now, for some sites, like linkedin, logmein etc, you have to also add corresponding apps to whitelist. Now, in your case, its a bit tricky. But, you could try with domain object...for example .*.category.*.domain.com OR for wildcard it may look like *.category.*.domain.*

I would be happy to do remote with you if you want and try get this working. I had been doing lots of this stuff in the past year or so.

0 Kudos
eth4_
Contributor
‎2021-12-08 08:15 AM
In response to the_rock

Thank you for your reply 'the_rock' - I've been under the impression that domain objects are not suitable for custom applications, is this belief misguided?

0 Kudos
the_rock
Legend
Legend
‎2021-12-08 08:29 AM
In response to eth4_

I would not say its misguided, but it really depends on the scenario. Personally, I ONLY use domain object if custom app site does not work.

You can check below posts as well:

 

https://community.checkpoint.com/t5/General-Topics/Domain-objects-FQDN-mode-vs-Custom-Applications-S...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
eth4_
Contributor
‎2021-12-08 04:14 PM
In response to the_rock

So sk165094 clearly states regular expressions and wildcards out of performance concerns but if you must use them avoid using wildcards in the regex.  Perhaps my previous attempts did just that and then explains why I've avoided them since.

In addition, this thread makes me think I need to stick with the 'custom application' approach (because 1) I'm working in the Application Control and URL Filtering blade and 2) the traffic is http/https):

https://community.checkpoint.com/t5/General-Topics/The-difference-between-checkpoint-creation-domain...

I'll see what I get with (the trailing '\/' is courtesy of sk174194):

\/category-[0-9][0-9][0-9]\.domain\.com\/

I do appreciate your review and comments.

0 Kudos
the_rock
Legend
Legend
‎2021-12-08 04:20 PM
In response to eth4_

Personally, I never bother with regular expressions. I cant count how many times I worked with TAC trying to make that worked and it always fails. I just use approach I mentioned and never have any issues.

0 Kudos
eth4_
Contributor
‎2021-12-09 05:27 AM
In response to eth4_

Traffic is matching, now to see if the regex introduces too much processing overhead.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events