topic Re: Content Awareness not working properly in Firewall and Security Management

Content Awareness not working properly

JPR — Thu, 20 Apr 2023 09:10:47 GMT

Hi all,

I’m using Content Awareness to block for exe files, however, I’m having difficulties making it work properly.

At the moment it is a very simple rule:

src=IP’s of internal hosts

Dst = Internet

Services & Applications = Any

Content = (Any Direction) Executable File

Action = Drop

I’m testing with 7-zip from https://www.7-zip.org/download.html. When I download the x64 version it downloads and doesn’t register the exe file. However, when I download the x32 version it blocks it accordring to the rule.

I’m also using HTTPS Inspection and it inspects traffic in both instances according to policy.

Version: R81, Take 81

Have any of you experienced anything like this and have any ideas as to how to fix it?

Thanks.

Re: Content Awareness not working properly

PhoneBoy — Fri, 21 Apr 2023 20:10:10 GMT

What precise rule accepts the traffic otherwise?
In any case, I recommend a TAC case to assist in troubleshooting: https://help.checkpoint.com

Re: Content Awareness not working properly

the_rock — Fri, 21 Apr 2023 20:20:41 GMT

Thats wrong and I will tell you why. I know it may sound stupid what I will say now, but, when it comes to content awareness, using services as any will never work properly. You need to use http and https in there.

Give that a go and see what happens. If still same issue, please send a screenshot (blur out any sensitive info). I spent way too many hours with TAC escalations working on this lol

Cheers,

Andy

Re: Content Awareness not working properly

Chris_Atkinson — Sun, 23 Apr 2023 10:39:15 GMT

The admin guide documents this as follows:

Source: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Quantum_SecurityGateway_Guide/Topics-FWG/Content-Awareness-Blade.htm

Additional caveats are outlined as follows:

Source: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuide/Topics-SECMG/The-Columns-of-the-Access-Control-Rule-Base.htm?Highlight=%22content%20column%22

Some best practices:

Source: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuide/Topics-SECMG/Best-Practices-for-Access-Control-Rules.htm

Re: Content Awareness not working properly

the_rock — Sun, 23 Apr 2023 14:50:10 GMT

See, the issue is, I only worked with 1 esc. guy who knew anything about content awareness. Now, in all fairness, I cant blame TAC for that, as its probably not something lots of customers use, so I dont expect to get someone with solid knowledge about it, its more trial and error as they say. Thats why I have it configured in the lab, so no one cares if it breaks, easy to reconfigure again : - )

Re: Content Awareness not working properly

JPR — Tue, 25 Apr 2023 09:59:04 GMT

Thanks for your reply.

I've now tried this and it didn't solve the issue, unfortunately, However, I seem to have been able to create a scenario, when it works - and when it doesn't.

If I open Chrome in Incognito and paste this URL into my browser: Thanks for your reply.

I've now tried this and it didn't solve the issue, unfortunately, However, I seem to have been able to create a scenario, when it works - and when it doesn't.

If I open Chrome in Incognito and paste this URL (mirror site to download VLC, but slightly sanitized) into my browser: https://mirror.safe-con[.]dk/vlc/vlc/3.0.18/win64/vlc-3.0.18-win64.exe it blocks it according to the rule (208 in screenshot). If I then try again it accepts it and skips the rule and accepts it (rule 239 in screenshot):

At the moment the rule looks as follows:

Re: Content Awareness not working properly

Chris_Atkinson — Wed, 26 Apr 2023 01:11:09 GMT

You can see in the services column that the browser is using QUIC protocol for the communication in some cases rather than HTTPS.

The Gateway cannot inspect QUIC traffic in current versions and it is recommended to block it (or disable it in the browser) to force the use of HTTPS instead which in turn should allow Content Awareness to apply.

Refer also: sk108202 / sk111754 / sk112249