https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/199060#M37291 <P>Hello,</P><P>We discovered that checkpoint is compatible with some file extensions.</P><P>We were testing on a website that downloads files with the .dat extension. This extension is not compatible, so it did not match the rule.</P><P>Reference follows:</P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_DataLossPrevention_AdminGuide/Topics-DLPG/Defining-New-File-Types.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_DataLossPrevention_AdminGuide/Topics-DLPG/Defining-New-File-Types.htm</A></P><P>For our configuration to work, we use content awareness and https inspection.</P> Mon, 27 Nov 2023 19:32:36 GMT Marquevis 2023-11-27T19:32:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198834#M37233 <P>Hello everybody.</P><P>I received a request from a customer to configure a rule in the gateway policy to block downloads of files larger than 500 MB.</P><P>I enabled https inspection to the gateway can do full inspection on the HTTPS protocol and I enabled the content Awareness blade so I can create the rules.</P><P>Import the https inspection certificate to the client machine and see the inspection being done.</P><P>I created the rule in my policy with the source being an AD group, the destination INTERNET and in the "Content" column I put it to consider any direction. I also added the "Large Archive", "Large Archive" objects and a few others (the screenshot is attached).</P><P>I configured the "Large Archive" and "Large Archive" objects to identify files larger than 500 GB in the properties. I even put a smaller size (for example 1MB, 10MB) to test too.</P><P>When the client starts downloading the file (for example, a 1 GB ISO) I see that the traffic does not match the rule I created.</P><P>So I have two questions: Can I meet the customer's requirements at the gateway? If so, what else needs to be done?</P><P>The customer has a centrally managed enterprise gateway cluster in version R81.10 take 95.</P> Fri, 24 Nov 2023 13:14:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198834#M37233 Marquevis 2023-11-24T13:14:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198965#M37261 <P>Which rule is being matched when you download a large file?</P> Mon, 27 Nov 2023 09:14:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198965#M37261 _Val_ 2023-11-27T09:14:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198966#M37262 <P>Which rule is being matched when you download a large file?</P> Mon, 27 Nov 2023 09:14:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198966#M37262 _Val_ 2023-11-27T09:14:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198967#M37263 <P>Also, did you try to change the Access Role to just the local network? Is file downloaded through office to internet HTTPS session? Not enough info here to help you out.</P> Mon, 27 Nov 2023 09:16:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/198967#M37263 _Val_ 2023-11-27T09:16:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/199060#M37291 <P>Hello,</P><P>We discovered that checkpoint is compatible with some file extensions.</P><P>We were testing on a website that downloads files with the .dat extension. This extension is not compatible, so it did not match the rule.</P><P>Reference follows:</P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_DataLossPrevention_AdminGuide/Topics-DLPG/Defining-New-File-Types.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_DataLossPrevention_AdminGuide/Topics-DLPG/Defining-New-File-Types.htm</A></P><P>For our configuration to work, we use content awareness and https inspection.</P> Mon, 27 Nov 2023 19:32:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-configure-the-gateway-to-reject-downloads-greater-than-X/m-p/199060#M37291 Marquevis 2023-11-27T19:32:36Z