topic Re: Content Awareness, things that do not work in Firewall and Security Management

Content Awareness, things that do not work

Vladimir — Tue, 25 Jan 2022 16:30:01 GMT

With either Content Awareness or CA + Applications & URLF enabled, rule 9.1 below is ignored by non-HTTP/HTTPS/Proxies/SMTP/FTP traffic, such as CIFS. User is not aware of this rules’ non-compliance:
With Content Awareness and Applications & URLF enabled, in rule 10.3, ‘Ask’ UserCheck is not triggered, but the transfer of the file is blocked and the log reports ‘Redirect’:
I have no trouble pasting the list of SSNs into the Google Docs file completely ignoring 10.4 below:
The content is from dlptest.com that is routinely used to test the DLP systems was used to test Content Awareness.

The attempt to upload sample-data.csv was prevented and the Data Type correctly identified:

…but copy/paste of same file’s content in Google Docs was not.

My conclusions, at the moment, are:
1. Do not use Content Awareness in rules or layers without either explicit services (HTTP/HTTPS, proxies, SMTP, FTP) or applications in the parent rule
2. Do not use UserCheck with Content Awareness due to unreliability, (although User Guides are explicitly showing UserCheck in Content Awareness rules)
3. When Content Awareness is used, either limit it to file types, or use with the caveat that it is easily circumvented
If someone can point out any errors in my observations or conclusions, I’d be grateful.

Re: Content Awareness, things that do not work

Marcel_Gramalla — Tue, 25 Jan 2022 19:27:19 GMT

Regarding your second point - do you use the UserCheck Client or only the browser based variant? The redirect log normally says that the message cannot be displayed via browser but only in the UserCheck Client. Some predefined types can display the browser page just fine but most of them (and custom ones) seem to only display the error via the Client. I had a TAC case about that and that was basically the conclusion. The Client itself works perfectly on all systems but they also show up if something gets blocked in the background (auto-updaters for example) so the users may get distracted by this as well.

Re: Content Awareness, things that do not work

Vladimir — Tue, 25 Jan 2022 20:19:33 GMT

@Marcel_Gramalla I am referring specifically to the browser-based behavior. In all the years I've worked with Check Point, not once have I seen the UserCheck Client being deployed in the organizations strictly for Content Awareness. Check Point DLP is also not that widely implemented. I have considered including UserCheck Client stipulation in the statement, but have decided against it. From administrators point of view, when working on rules, it is not listed as prerequisite, creating false sense of the expected behavior vs. best-effort possibility.

Considering that there may be clients other than Windows, we are talking about Captive Portal and AD membership in order to ensure user interaction.

Re: Content Awareness, things that do not work

Marcel_Gramalla — Tue, 25 Jan 2022 20:30:46 GMT

Yeah, I was also disappointed about the fact that we would need the Client for such basic things but I also don't know how other manufacturers handle this situation. We are coming from a proxy solution which doesn't have the problem but it's a complete different story for this task. Also the archive scanner for Content Awareness and Anti-Virus isn't great and probably disabled by default because of that and we have different issues with it. And this seems to be a pretty old and bad(?) technique/code as TAC and R&D really struggle with this (case open for over 3months now)

I hope Check Point will build something new that works better for those usecases with less limitations (file size and file count limit just to name a few)

Re: Content Awareness, things that do not work

the_rock — Tue, 25 Jan 2022 20:33:50 GMT

Thats an excellent and VERY informative post, thanks for that @Vladimir