topic Re: Content awareness and blocking .bat files issue in Firewall and Security Management

Content awareness and blocking .bat files issue

Antonis_Hassiot — Wed, 27 Nov 2024 14:18:36 GMT

Trying to block download of specific file types using Content Awareness.

I have two rules in Content Awareness for this:

One that blocks downloads based on filename:

.*\.dmg$|.*\.rpm$|.*\.bat$

Another that blocks executables and archives:

Although I see that different file extensions are getting blocked, I can't see any .bat files getting blocked.

When I test using https://mytool.dev/code-editor/bat

I can always Download the .bat file.

I don't see anything in the SmartConsole logs.

I see that the site is getting HTTPS inspected.

Version is 81.20 Take 89

I have TLS1.3 inspection enabled and changed HI to Hold mode. The issue is still there.

I don't know how to go about troubleshooting this.

Re: Content awareness and blocking .bat files issue

PhoneBoy — Wed, 27 Nov 2024 16:10:15 GMT

This SK has debugging steps: https://support.checkpoint.com/results/sk/sk119715
I suspect you'll need to engage the TAC at some point here as well.

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Sat, 30 Nov 2024 08:25:30 GMT

I ran the HTTP Process debug with a source IP filter at a low traffic period and the gateway (6400) seemed to have a hard time loading all internet sites , even though I used a source IP filter, so I stopped it:

fw ctl set int simple_debug_filter_off 1

fw ctl set str simple_debug_filter_saddr_1 "10.1.142.9"

fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + advp cmi conn drop cptls log vm
fw ctl debug -m cmi_loader all
fw ctl debug -m WS + spii info session pkt_dump global policy module ssl_insp body connection
fw ctl debug -m cpcode + echo policy ioctl run persist init vm cplog csv io url kisspm
fw ctl debug -m UP all
fw ctl debug -m FILEAPP all
fw ctl debug -m dlpda all
fw ctl set int cmi_dump_buffer 1
fw ctl kdebug -T -f > /var/log/kernel_debug_output.txt

Also, in this doc:

https://support.checkpoint.com/results/sk/sk114640

it mentions at the bottom that:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

Not sure how to check on the above for the particular site.

Re: Content awareness and blocking .bat files issue

the_rock — Sat, 30 Nov 2024 14:05:33 GMT

See if below helps. I had a case with a customer about 2 years ago for content awareness issue and it ended up with escalation engineer and he was superb, explained everything to us in a way that made total sense and was really easy to understand. So, to make a long story short, client had ssl inspection enabled, but it was just the way certain rules and features had to be "jumbled around" to make this work.

I pasted what engineer told us about it, but if its not clear, let me know.

Andy

***********************************

As discussed we would require HTTPS inspection enabled for the https connections where we want to enforce content awareness. If we are not inspecting such https connections their is no way for the firewall to understand what content is been requested since the data would be encrypted.

Inspection allows the firewall to go inside the packet and view the unencrypted data thereby classifying the file type, file name etc which is downloaded/uploaded. More on content awareness, after these attributes are identified the usermode processes verify if such content is allowed or blocked. The decision/verdict is provided to the rule base execution engine and the final enforcement block/accept is enforced accordingly.

******************************************************

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Sun, 01 Dec 2024 07:30:33 GMT

Hi Andy,

As mentioned in original post, I see that the website in question is https inspected since I see the Checkpoint cert when checking the certificate on the website.

Still wondering whether there is something about the way the file gets downloaded from https://mytool.dev/code-editor/bat

and if it relates to the comment in the SK:

Not sure how to check on the above for the particular site.

Re: Content awareness and blocking .bat files issue

the_rock — Sun, 01 Dec 2024 13:59:48 GMT

Do you see anything about it in the logs?

Andy

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Mon, 02 Dec 2024 06:49:48 GMT

Hi Andy,

I have mentioned in the original post that I don't see anything in the logs when I press the download button.

Do you have any idea about the comment in the SK:

I wonder if this download falls under this category of download, but not sure how to check.

Re: Content awareness and blocking .bat files issue

Lesley — Mon, 02 Dec 2024 09:45:38 GMT

Maybe the test url is just not a good test? Is there some other way you can attempt to download a bat? Also: dmg$|.*\.rpm$|.*\.bat$

all these have issues or only bat? Has the other ones been tested?

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Mon, 02 Dec 2024 10:28:08 GMT

Not sure if this is something with the particular site, but this is the site we use to test.

Looking at logs, I see that just today there was a .bat file blocked, see below, but still I need to understand why it doesn't block from https://mytool.dev/code-editor/bat.

Re: Content awareness and blocking .bat files issue

the_rock — Mon, 02 Dec 2024 12:38:40 GMT

I will test this in the lab. Here is what I gathered from working with escalation guy (he was great btw) 2 years ago when customer had content awareness issue.

He said that key is to NOT have specific updatable objects bypassed in https inspection, but rather allow in ordered url / app control layer. If they are bypassed in https inspection, then it will never hit last ordered layer, in our case content awareness, since https traffic would have already been processed.

Andy

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Mon, 02 Dec 2024 12:49:36 GMT

It would help if someone can test in lab.

Since I see the certificate that the gateway introduces during HTTPs inspection on the website Security, I am pretty certain that HI is not getting bypassed. The download button seems to be producing a link like this:

blob:https://mytool.dev/1d50c3e8-a157-4e3f-90fa-cdbd241920f9

When I replay this link I get a 404 error, which means it's a one off link. And again, I see the inspection certificate shown in the browser.

Re: Content awareness and blocking .bat files issue

the_rock — Mon, 02 Dec 2024 13:21:22 GMT

Im on it brother 🙂

Will update you later when I have some more info.

Andy

Re: Content awareness and blocking .bat files issue

the_rock — Mon, 02 Dec 2024 13:39:38 GMT

Just tested and even applied same thing esc. engineer asked us back in 2022 and no luck. I have to say, as much as I love the idea of using this blade, Im not impressed with it at all. Its so convoluted to actually make it work and does not seem its much better even in R81.20.

Maybe R82 will bring some changes to it, not sure. I think opening TAC case would be your best bet.

Andy

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Mon, 02 Dec 2024 13:48:20 GMT

ok thanks will open a case

Re: Content awareness and blocking .bat files issue

the_rock — Mon, 02 Dec 2024 13:49:55 GMT

Please keep us posted how it gets solved.

Andy

Re: Content awareness and blocking .bat files issue

Lesley — Mon, 02 Dec 2024 13:55:05 GMT

I think it is time to open TAC case to confirm why this website is not blocked.

Re: Content awareness and blocking .bat files issue

the_rock — Mon, 02 Dec 2024 19:11:31 GMT

Quick update. Created same rule like one you have, BUT, instead of services any, used http and https, it works intermittently...really annoying.

Andy

Re: Content awareness and blocking .bat files issue

PhoneBoy — Mon, 02 Dec 2024 23:20:21 GMT

I assume you'd need to use Chrome Development Tools to see how this is operating or some sort of extension.
Looking at the page, I suspect Javascript is involved here.

Access Policy rules that allow access to this site should be logged as Extended.
This will ensure that every URL accessed is logged and I believe it also logs the HTTP action (e.g. GET).

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Tue, 03 Dec 2024 05:26:50 GMT

Tried that now, I never get any hits on the policy for the specific site.

Re: Content awareness and blocking .bat files issue

Antonis_Hassiot — Tue, 03 Dec 2024 05:26:19 GMT

The problem is I don't get any hits in the specific policy. The gateway doesn't 'see' the file download.