Sree_checkpoint
Explorer

URL filtering not working

On the Check Point management server we have ordered layers for our access rules:

Access

Application and URL filtering.

We need to whitelist a certain subnet to access certain specific URLs, and the rest of the Internet access from that subnet is denied by the default deny rule in the Application and URL filtering rule base. Below are some of the URLs I need whitelisted.

https://api.nuger.org

https://www.nuget.org/ 

 

So for this access I created a new custom Application/Site and created a rule in the Application/URL filtering rule base with source as the subnet, destination as any, and in service/applications I put the newly created custom Application/Site, with action permit.

When I check the custom Application/Site I created, I can see http and https are allowed.

Now when I try to access the website from a host in that subnet, it is still getting blocked by the default deny rule in the Application and URL filtering rule base, even though I have kept the newly created rule above the default deny.

Can someone please help me understand what is causing this and what the solution is?

4 Replies
PhoneBoy
Admin

Unless you are using R80.20 with JHF 117 or above or R80.30, the way we determine what site you are connecting to with HTTPS is the CN of the certificate of the site in question.
For api.nuger.org, the CN says surveymonkey.eu.
For www.nuget.org, the CN says *.nuget.org.

That means you will either need to:
1. Change your rules to match what the CN says for the sites in question.
2. Upgrade to R80.20 JHF 117+ or R80.30 where we filter based on verified client SNI.
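
To see which name a CN-based match is working with, as described in the reply above, this added example (not part of the original thread and not Check Point code) reads the subject CN and SAN entries from a certificate in the format Python's `ssl.getpeercert()` returns and compares the CN with the requested hostname. The sample certificates are constructed from the CN values quoted in the reply; the SAN lists and the function names are assumptions.

```python
import socket
import ssl

# Constructed samples in ssl.getpeercert() format. The CN values are the ones
# quoted in the reply above; the SAN lists are assumptions for illustration.
SAMPLE_CERTS = {
    "api.nuger.org": {
        "subject": ((("commonName", "surveymonkey.eu"),),),
        "subjectAltName": (("DNS", "surveymonkey.eu"),),
    },
    "www.nuget.org": {
        "subject": ((("commonName", "*.nuget.org"),),),
        "subjectAltName": (("DNS", "*.nuget.org"), ("DNS", "nuget.org")),
    },
}

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live lookup: connect with SNI=host and return the validated cert dict.
    Raises ssl.SSLCertVerificationError if the cert does not cover host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_cn(cert):
    """Return the subject commonName, or None if the cert has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def cn_report(requested_host, cert):
    """Compare the hostname the client asked for with the certificate's CN."""
    cn = subject_cn(cert)
    return {
        "requested": requested_host,
        "cn": cn,
        "cn_is_wildcard": bool(cn) and cn.startswith("*."),
        "cn_equals_host": bool(cn) and cn.lower() == requested_host.lower(),
        "san_dns": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }

if __name__ == "__main__":
    for host, cert in SAMPLE_CERTS.items():
        print(cn_report(host, cert))
```

For a live site, pass the result of `fetch_peer_cert(host)` as the `cert` argument instead of a sample.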
Sree_checkpoint
Explorer

My gateway is on R80.10 and hardware is open server. 

On the newly created application/URL list I have put the CN of the website.

For https://www.nuget.org, in the application/URL list I have put *.nuget.org. Still, the https traffic to this URL is getting blocked by the default deny instead of matching the allow rule.

mdjmcnally
Advisor

In our policy we would enter it as

*nuget.org*

as the allowed URL.

"URLs are defined as Regular Expression" is unchecked.

Gateway is R77.30

PhoneBoy
Admin

It's possible that matching the CN of the certificate doesn't support wildcards.
Best to check with the TAC.
In any case, highly recommend upgrading from R80.10.

Another option is to use the Application Control Signature tool and create a SNI-based signature for the site in question.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...