This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matt_Parfitt
Participant
‎2018-03-29 01:36 AM

Content Awareness R80.10 - Blocked request

Content Awareness in R80.10 - A user is trying to download some packages from a program called Unity and some are failing to download. After looking through the logs I repeatedly see a log that is blocking and the reason is 'Blocking request as configured in engine settings of Content Awareness. 

Reason 1 - Content Awareness - Error while processing 'Big long string of characters: Failed to extract text. 

Reason 2 - Content Awareness - Error while processing 'Big long string of characters: Archive decompression ratio is suspiciously high.

My question is, where do I edit the Threat Prevention/Access Policy in order to allow this program to download all of it's packages? 

Thanks

0 Kudos
11 Replies
Kyle_Danielson
Employee
Employee
‎2018-03-29 09:41 AM

This traffic is being dropped because the Content Awareness engine is running into an error and you currently have the Fail Mode set to 'Fail Close'.

If you need this traffic to go through, you can switch the Fail Mode to 'Fail-Open.'

Matt_Parfitt
Participant
‎2018-03-29 09:44 AM
In response to Kyle_Danielson

Hi Kyle,

Surely that is not a secure option to turn it to fail-open? 

Is that the only way of getting around this?

Thanks

Kyle_Danielson
Employee
Employee
‎2018-03-29 10:03 AM
In response to Matt_Parfitt

I can definitely understand the caution about the security impact. Smiley Happy

If you want to stay in Fail-Close, there is an option to change the Content Awareness settings to avoid these errors. You can see this documented in SK11851.

Take note that changing these is not recommended unless you need to.

Matt_Parfitt
Participant
‎2018-04-03 01:35 AM
In response to Kyle_Danielson

Thanks Kyle, I've put SK11851 into Google and CheckPoint site and nothing comes up? Please could you link me Smiley Happy

0 Kudos
Kyle_Danielson
Employee
Employee
‎2018-04-03 06:27 AM
In response to Matt_Parfitt

Looks like I missed a digit -- sk118516.

0 Kudos
Matt_Parfitt
Participant
‎2018-04-03 06:46 AM
In response to Kyle_Danielson

thank you!

0 Kudos
Matt_Parfitt
Participant
‎2018-04-10 09:31 AM
In response to Kyle_Danielson

So my current value for # fw ctl set int fileapp_max_upload_file_size is 0, surely that can't be right if the default value is 10mb?

If I want to set this as 200mb for example, would I just enter # fw ctl set int fileapp_max_upload_file_size <200> ?

 

0 Kudos
Matt_Parfitt
Participant
‎2018-04-18 08:30 AM
In response to Kyle_Danielson

I'm going back and forth to our vendor, then to CheckPoint support and then back. I'm debating whether to turn on fail-open as this is just using up too much of my time and stopping a lot of users from uploading & downloading files. It seems there's some sort of limit at 200mb, although when running fw ctl get int fileapp_max_upload_file_size it  = 0.

When in fail-open, if the gateway is unable to extract text does it still get analysed by all the other blades for malicious content?

0 Kudos
s-quintanilla
Explorer
‎2021-02-26 06:00 AM
In response to Kyle_Danielson

Hello @Kyle_Danielson, thanks for your help and brief explanation, I just made this change and looks like it's working, but can you explain what are the differences between fail-open and fail-close options? Does it mean if there is an error with the content awareness system, it will "bypass" traffic and won't inspect it through content awareness?

0 Kudos
bmartins-EUDA
Contributor
‎2023-11-17 01:43 AM
In response to Kyle_Danielson

I am having a similar issue, but in this case, our mode is set to fail-open.

contAwareness1.png
 
Any advice?
0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-20 02:23 PM
In response to bmartins-EUDA

That's a different problem that has a solution: https://support.checkpoint.com/results/sk/sk167173 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events