topic Re: Content Awareness does not match to rule in Firewall and Security Management

Content Awareness does not match to rule

Fedor_Agafonov1 — Fri, 21 Jun 2019 12:19:01 GMT

Hello,

We have two web site: https://habr.com and https://habrastorage.org .

habr.com use images from https://habrastorage.org/ .

https://habrastorage.org/ include in URLs Categories : File Storage and Sharing .

We need to block URLs Categories : File Storage and Sharing, but images on habr.com need to be work.

We create two rules

but it isn't work...

for example image: https://habrastorage.org/getpro/habr/post_images/b09/090/87b/b0909087b281cd74df8fc2de8735758b.png

not match on firts rule. it match on the second rule.

Re: Content Awareness does not match to rule

Vladimir — Fri, 21 Jun 2019 12:59:40 GMT

Please verify that habr.com has "File Storage and Sharing" category associated with it.

You can create a custom app with its domain name and assign all necessary categories.

Alternatively, you can assign whatever category you want to the custom app for this domain, but use it in the top rule "Services and Application" column.

Re: Content Awareness does not match to rule

Timothy_Hall — Fri, 21 Jun 2019 13:00:25 GMT

Do you have HTTPS Inspection enabled? My guess is no. The second rule works because the application can be detected based on the site name without full HTTPS Inspection. The first rule doesn't work because Content Awareness cannot see the prohibited content you are trying to match inside the encrypted HTTPS connection unless HTTP Inspection is enabled.

Re: Content Awareness does not match to rule

Vladimir — Fri, 21 Jun 2019 13:23:59 GMT

@Timothy_Hall , you got to be right about HTTPS. After re-reading the original post, I see that the category does match on a second rule and not just dropping on cleanup. That's pretty convincing.

Re: Content Awareness does not match to rule

Fedor_Agafonov1 — Sat, 22 Jun 2019 13:40:48 GMT

Https inspection is enable, and work good.
We also enable kernel parameter "fw ctl set int fileapp_parse_html 1" . (sk114640)

Re: Content Awareness does not match to rule

Fedor_Agafonov1 — Sat, 22 Jun 2019 13:42:45 GMT

Https inspection is enable.

Re: Content Awareness does not match to rule

Fedor_Agafonov1 — Sat, 22 Jun 2019 13:46:14 GMT

habr.com has is not associate "File Storage and Sharing".
habr.com use image from https://habrastorage.org/ only.
https://habrastorage.org/ is associate "File Storage and Sharing"

Re: Content Awareness does not match to rule

Vladimir — Sat, 22 Jun 2019 13:53:44 GMT

Can you create and test a new rule by downloading .png files from elsewhere?

I'd like to see if it is a problem related to the content recognition.

Another good test would be to change the extension (for instance .docx to .png and try to download that file.

Re: Content Awareness does not match to rule

Timothy_Hall — Sat, 22 Jun 2019 14:03:06 GMT

As a test in your first rule in the Content field, set for "Any Direction, Any File" (not just "Any"). Do the PNG images now match the first rule? Just trying to see if Content Awareness is detecting things correctly at all in your situation...

Re: Content Awareness does not match to rule

Fedor_Agafonov1 — Sat, 22 Jun 2019 14:40:30 GMT

not match.

Also match on second rule.

in habr i see:

habrastarage.org is block:

Re: Content Awareness does not match to rule

Fedor_Agafonov1 — Sat, 22 Jun 2019 15:00:03 GMT

We tryed. It's not worked. If on inline policy have block rule on Categories, content awarnes not work on previevs rule.

Re: Content Awareness does not match to rule

Timothy_Hall — Sat, 22 Jun 2019 17:36:43 GMT

Why did you change the destination from "Any" to "Internet" in your second rule? Is your firewall topology configured completely and correctly so that object "Internet" is calculated properly?

Re: Content Awareness does not match to rule

Vladimir — Sun, 23 Jun 2019 13:28:57 GMT

Any chance you are downloading the files using QUIC?

Re: Content Awareness does not match to rule

PhoneBoy — Sun, 23 Jun 2019 20:08:20 GMT

The actual log messages (accept and drop) would be helpful here.
Not to mention elaborating on exact version/JHF level.

Re: Content Awareness does not match to rule

Fedor_Agafonov1 — Mon, 24 Jun 2019 09:21:51 GMT

QUIC is bloked.