Need to allow access to a specific URL

I need to allow access to a specific download URL for the Splashtop SOS download at https://d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe. I tried adding an exclusion in HTTPS DPI exceptions and I tried adding a URL exclusion in the proxy, but nothing I do allows it. For the exceptions in both areas (DPI and URL), I tried both of these to no avail.

https://d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe
d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe

Is it even possible to allow access to an exact URL?

Gregg

Gregg Hill

Comments

  • When I click this link I get that SplashtopSOS.exe is a binary file, and do I want to allow it.

  • When I click that link, the SplashtopSOS.exe file downloads.
    Have you confirmed that .exe's are NOT blocked in your HTTP Proxy?

  • Bruce,

    You probably still have the global *.cloudfront.net exception in your HTTPS DPI. I disabled that global exception because think it's a security risk because possibly anyone can host whatever they desire (ransomware) on cloudfront.net and then we're all screwed. I do block exectuables in my HTTP proxy and it works, which is why I get blocked here when I don't have the *.cloudfront.net exception enabled in DPI.

    It would be moot if I could figure out the syntax to use to get an exact URL to work.

    Gregg

    Gregg Hill

  • Did you add an Allow entry in your HTTPS proxy action for:
    d17kmd0va0f0mp.cloudfront.net
    ?

  • I don't know it if is safe to allow only d17kmd0va0f0mp.cloudfront.net instead of the exact URL I need of https://d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe, so no, I did not try that.

    Let me ask this a different way. Is it even possible to allow an exact URL to be exempted, such as https://anyrandomdomainiexempt.whocareswhere.com/mydesiredfile.exe?

    Gregg

    Gregg Hill

  • I just asked Splashtop's support if they have exclusive access to the d17kmd0va0f0mp.cloudfront.net FQQDN. If they do, then I can just use that, but I still have my original question.

    Gregg Hill

  • DPI entries are for a Domain Name, not a URL.
    And, since this is for a HTTPS web site, one would never prepend HTTPS:// since that is a given.
    Same for a HTTP domain name or a HTTP URL - one would not enter HTTP:// - just the stuff after it.

  • Bruce,

    As noted in my original post, I also have tried d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe by itself. It does not work in a proxy in the HTTP Requests > URL Paths either.

    I don't care WHERE the exception needs to be made. I just want to know if it CAN be made ANYWHERE in a config for an exact match of either

    https://d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe
    or
    d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe

    I am still waiting to hear back from Splashtop if the d17kmd0va0f0mp.cloudfront.net FQDN is theirs exclusively.

    Gregg

    Gregg Hill

  • d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe IS NOT A DOMAIN NAME !!!!!
    This is:
    d17kmd0va0f0mp.cloudfront.net

  • Bruce,

    This "d17kmd0va0f0mp.cloudfront.net" is NOT a domain name. THAT is a Fully Qualified Domain Name (FQDN). The domain name is just "cloudfront.net", but that's a moot point anyway, because it is not what I have been asking about allowing.

    I KNOW what a domain name is and what an FQDN is. You are missing what I have been asking all along. In the first sentence of my original post, I stated, "I need to allow access to a specific download URL for the Splashtop SOS download at https://d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe."

    That is the specific URL I want to allow now, BY ANY MEANS POSSIBLE, and there could be others later. I don't care where I have to create the exception. All I know is that it fails to work if it is in the HTTPS DPI exceptions, where exceptions are supposed to be for domain names but it accepts that full URL. Even in the HTTP proxy's HTTP Response > URL Paths, it fails to allow it.

    All I asked in my original post was, "Is it even possible to allow access to an exact URL?"

    I later stated, "It would be moot if I could figure out the syntax to use to get an exact URL to work."

    I asked again, "Let me ask this a different way. Is it even possible to allow an exact URL to be exempted, such as https://anyrandomdomainiexempt.whocareswhere.com/mydesiredfile.exe?"

    I am not asking if it can be done only in the HTTPS proxy. I am asking if it can be done ANYWHERE in a config to allow an exact URL.

    Gregg

    Gregg Hill

  • Well, Splashtop just got back to me and the d17kmd0va0f0mp.cloudfront.net FQDN is exclusively theirs, so I can make that HTTP DPI exception.

    HOWEVER, the primary question I asked still remains unanswered, as to whether or not an exact URL can be exempted ANYWHERE in a config.

    Gregg

    Gregg Hill

  • edited November 2019

    Not really.
    For this case, since this site is a HTTPS site, you need to have an Inspect entry for the domain on your HTTPS proxy.
    Then on the HTTP proxy action on your HTTP proxy action, you can have 2 URL entries - 1 allowing your exact URL, and a 2nd denying everything else from that domain d17kmd0va0f0mp.cloudfront.net/*

    For a HTTP site, the HTTP Exception is also only a domain name.

    Just because you can add something in a Domain Name field which is not a domain name (i.e. a full URL), does not make it work.

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative
    edited November 2019

    Currently the firebox blocks malicious URLs with one of two services:

    • WebBlocker
    • Reputation Enabled Defense

    After looking through the WebBlocker Configuration on my T70 I noticed you can set a WebBlocker Exception with a disposition of Block. This likely means anything in the exception list is evaluated before querying the Cloud service. This means you can effectively block or accept this URL in WebBlocker. This also depends on where you are blocking "d17kmd0va0f0mp.cloudfront.net" currently.  If this is being blocked by the Domain Rules in your HTTP(S) proxy or by App Control, it won't get to WebBlocker. Can you post a few log line showing where this is being blocked?

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • Ricardo,

    I am not intentionally blocking "d17kmd0va0f0mp.cloudfront.net" anywhere. What is blocked is the exact URL with the EXE file in the path, https://d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe, just like any other random site with an EXE download (other than approved sites).

    The HTTP proxy WebBlocker is blocking it via the Windows EXE/DLL blocking; it's not blocking based upon the FQDN.

    Maybe a regex in the WebBlocker exceptions would work, because it won't take the d17kmd0va0f0mp.cloudfront.net/sos/SplashtopSOS.exe there.

    Gregg

    Gregg Hill

  • Since you are blocking .exe files on a HTTP proxy action in the Body Content Types section, there is no way to get around that other than using a different policy to access that .exe

  • OK. In this instance, I'll just add an HTTPS DPI exception for the d17kmd0va0f0mp.cloudfront.net FQDN because it is exclusively Splashtop's...unless it gets hacked.

    Gregg Hill

Sign In to comment.