URL Block Feature

Description

The URL Block feature provides the ability to block malicious traffic to and from certain URLs.

The URL Block feature requires the list of malicious URLs as a feed (URL).

The URL Block feature runs periodically, fetches the URL list again and updates the URLs in the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. based on the list in the feed.

The blocking mechanism is enforced by an Access Control ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. with a custom Application.

CLI

url_block -h

url_block -a -n <NAME> -p <URL> -z {true | false} [-x <PASSWORD>] -r {true | false}

url_block -d -n <NAME>

url_block -i <INTERVAL>

url_block -l

Parameter

Description

-h

--help

Shows the built-in help.

-a

--add-url

Adds URL feed to the configuration.

-n <NAME>

Specifies the name of the custom Application object as configured in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

-p <URL>

--path <URL>

Specifies the URL of your web server that hosts the file with the list of malicious URLs.

Example: http://192.168.20.30/

Note - This URL must end with the slash and must not contain the name of the file.

-d

--del-url

Deletes URL feed from the configuration.

-z {true | false}

--zip {true | false}

Specifies that URL feed is a ZIP archive (value "true").

-x <PASSWORD>

--zip-pass <PASSWORD>

Specifies the password for the ZIP archive with the URL feed.

-r {true | false}

--regex {true | false}

You must specify this parameter with the value "true", if in SmartConsole in the object of the custom Application you selected URLs are defined as Regular Expressions.

Otherwise, you must specify this parameter with the value "false".

-l

--list-urls

Shows the configured URL feed.

-i <INTERVAL>

--interval <INTERVAL>

Specifies the interval in seconds.

Procedure

Follow these steps in SmartConsole and on the Security GroupClosed A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway..

Step

Instructions

1

Prepare a plain text file with the list of malicious URLs:

  1. Each URL must be on a separate line.

  2. The name of this file must be urls.txt (case sensitive).

  3. Place this file on your web server.

2

Connect with SmartConsole to the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

3

Create a new custom Application object:

From the right panel Objects, click New > More > Custom Application/Site > Application/Site.

4

In the Application/Site window:

  1. Enter a name (for example, MyURLs)

    You use this name later in the CLI on the Scalable Platform.

  2. From the left, click the General page.

  3. In the General section, in the Primary Category field, select Custom_Application_Site.

  4. In the Match By section, click the plus icon (+) and add the URL of the web server that hosts the file with the list of malicious URLs.

    Example: http://192.168.20.30/

    Note - This URL must end with the slash and must not contain the name of the file (urls.txt).

  5. Click OK.

5

In the applicable Access Control policy, add a new rule that drops all traffic that matches the new Application:

Source

Destination

VPN

Services & Applications

Action

Track

Any

Any

Any

Object of the Custom Application

Drop

None

6

Connect to the command line on the Security Group.

7

Log in to the Expert mode.

8

Configure the URL for the feed:

url_block -a -n <Name of Custom Application Object> -p <URL of Your Web Server> ...

Example:

url_block -a -n MyUrls -p http://192.168.20.30/ -z false -r false

Note - This can be a file on your own web server.

9

Start the periodic run at the specified intervals:

url_block –i <INTERVAL>

10

Examine the configuration:

url_block -l

Example output:

Refresh time interval: 300
MyUrls
        Path: http://192.168.20.30/
        Zip: false
        Regex: false

11

In SmartConsole, install the Access Control Policy on the Security Group object.

12

Examine the log on the Security Group:

/var/log/rul_block.elg