topic Re: Content Awareness R80.10 - Blocked request in Firewall and Security Management

Content Awareness R80.10 - Blocked request

Matt_Parfitt — Thu, 29 Mar 2018 08:36:36 GMT

Content Awareness in R80.10 - A user is trying to download some packages from a program called Unity and some are failing to download. After looking through the logs I repeatedly see a log that is blocking and the reason is 'Blocking request as configured in engine settings of Content Awareness.

Reason 1 - Content Awareness - Error while processing 'Big long string of characters: Failed to extract text.

Reason 2 - Content Awareness - Error while processing 'Big long string of characters: Archive decompression ratio is suspiciously high.

My question is, where do I edit the Threat Prevention/Access Policy in order to allow this program to download all of it's packages?

Thanks

Re: Content Awareness R80.10 - Blocked request

Kyle_Danielson — Thu, 29 Mar 2018 16:41:26 GMT

This traffic is being dropped because the Content Awareness engine is running into an error and you currently have the Fail Mode set to 'Fail Close'.

If you need this traffic to go through, you can switch the Fail Mode to 'Fail-Open.'

Re: Content Awareness R80.10 - Blocked request

Matt_Parfitt — Thu, 29 Mar 2018 16:44:25 GMT

Hi Kyle,

Surely that is not a secure option to turn it to fail-open?

Is that the only way of getting around this?

Thanks

Re: Content Awareness R80.10 - Blocked request

Kyle_Danielson — Thu, 29 Mar 2018 17:03:08 GMT

I can definitely understand the caution about the security impact.

If you want to stay in Fail-Close, there is an option to change the Content Awareness settings to avoid these errors. You can see this documented in SK11851.

Take note that changing these is not recommended unless you need to.

Re: Content Awareness R80.10 - Blocked request

Matt_Parfitt — Tue, 03 Apr 2018 08:35:07 GMT

Thanks Kyle, I've put SK11851 into Google and CheckPoint site and nothing comes up? Please could you link me

Re: Content Awareness R80.10 - Blocked request

Kyle_Danielson — Tue, 03 Apr 2018 13:27:03 GMT

Looks like I missed a digit -- sk118516.

Re: Content Awareness R80.10 - Blocked request

Matt_Parfitt — Tue, 03 Apr 2018 13:46:01 GMT

thank you!

Re: Content Awareness R80.10 - Blocked request

Matt_Parfitt — Tue, 10 Apr 2018 16:31:51 GMT

So my current value for # fw ctl set int fileapp_max_upload_file_size is 0, surely that can't be right if the default value is 10mb?

If I want to set this as 200mb for example, would I just enter # fw ctl set int fileapp_max_upload_file_size <200> ?

Re: Content Awareness R80.10 - Blocked request

Matt_Parfitt — Wed, 18 Apr 2018 15:30:51 GMT

I'm going back and forth to our vendor, then to CheckPoint support and then back. I'm debating whether to turn on fail-open as this is just using up too much of my time and stopping a lot of users from uploading & downloading files. It seems there's some sort of limit at 200mb, although when running fw ctl get int fileapp_max_upload_file_size it = 0.

When in fail-open, if the gateway is unable to extract text does it still get analysed by all the other blades for malicious content?

Re: Content Awareness R80.10 - Blocked request

s-quintanilla — Fri, 26 Feb 2021 14:00:56 GMT

Hello @Kyle_Danielson, thanks for your help and brief explanation, I just made this change and looks like it's working, but can you explain what are the differences between fail-open and fail-close options? Does it mean if there is an error with the content awareness system, it will "bypass" traffic and won't inspect it through content awareness?

Re: Content Awareness R80.10 - Blocked request

bmartins-EUDA — Fri, 17 Nov 2023 09:43:47 GMT

I am having a similar issue, but in this case, our mode is set to fail-open.

Any advice?

Re: Content Awareness R80.10 - Blocked request

PhoneBoy — Mon, 20 Nov 2023 22:23:55 GMT

That's a different problem that has a solution: https://support.checkpoint.com/results/sk/sk167173