Solved: Blocking for specific file types in Check Point Fi...

JPR · ‎2023-03-14

Hi there,

I wish to block for a range of specific file extensions in a Check Point Firewall. The way I have done it now is by making individual "File Attribues" (sub category to "Data Types") and then in the field "The file name contains" under "File Properties" the actual file extension, e.g. ".com" (without the quotes).

However, this doesn't seem to be a bullet proof solution because the field interprets it as RegEx. So if a file name is named something with "com" in it it will block for the file even it is a allowed file type.

So my question is two fold:

1. I can define the field "The file name contains" in RegEx as "^.*\.(com)$", which seems to work, however, is that something that will effect perfomance on the firewall? We have araound 30 specific file types we want to block. I've made a "Data Type Group" with all the individual made "File Attributes" and then a rule that drops traffic if "Content" matches any of them.

2. Is there a smarter to accomplish this? I.e. blocking for specific file types.

I hope it makes sense and you are able to help.

Thanks

Marcel_Gramalla · ‎2023-03-14

We use the following syntax and also use multiple DataTypes in a group:

(?i).*\.(exe|msi|cmd|bat)$

No noticable performance impact and it should only match a file extension and is also case insensitive (.eXe will also be blocked). In total we block around 20-30 different file types and also apply different rule to specific users (e.g. Developers).

View solution in original post

G_W_Albrecht · ‎2023-03-14

RegEx can effect the performance rather much when frequently used. I do not use Content Awareness but the file types in TP policy - in AntiVirus, i can select Block. Inspect or Bypass for every file type, scope and protocol:

So if you have NGTP services, this will be very easy.

CCSE CCTE CCSM SMB Specialist

JPR · ‎2023-03-15

Hi, and thanks for the input,

We don't use the Antivirus, but will start using it soon. I am blocking file types via the Content Blade (sorry, I probably should have been more specific on that). I will have a look into whether it suits the purpose. however, will it scan all files when a user browses? Or does the antivirus only work when a user specifically downloads files?

Hope it makes sense.

G_W_Albrecht · ‎2023-03-20

As seen on the left of the screenshot, you can select the following:

- Scope: incoming (by interface) or incoming & outgoing

- Protocol: http(s) FTP SMB SMTP

CCSE CCTE CCSM SMB Specialist

the_rock · ‎2023-03-14

I use content awareness blade for that, little tricky to make it work, but does the job.

JPR · ‎2023-03-15

Yeah, we're also using Content Awareness. The only issue is whether having 30-ish individual File Attributes using RegEx will affect the overall performance. Do you use RegEx to define file types?

PhoneBoy · ‎2023-03-14

Version/JHF level?
Are you doing this with DLP or are you doing this with Content Awareness?

JPR · ‎2023-03-15

Hi,

Version R81 and Take 81.

We are doing these via Content Awareness, and not DLP.

Timothy_Hall · ‎2023-03-14

Content Awareness is the right tool for this job, but in any rule invoking content objects be very sure that it is only being applied to traffic to and from the Internet, and not trying to inspect high-speed traffic between internal networks or between internal networks and DMZs. Some of Content Awareness happens in user space daemons which can definitely impact performance.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

JPR · ‎2023-03-16

Thanks for your reply.

Good point about only applying it on traffic from the Internet.

Is trying it out with some RegEx like Marcel_Gramalla has suggested below.

the_rock · ‎2023-03-14

To also add to what @Timothy_Hall mentioned, which are all valid points, I will give you something to think about, so you are not shocked :-).With content awareness, you need to have https inspection enabled, otherwise, it will never work. Now, once thats configured, you will NEVER get blocked page when file is blocked, simply does not work. Also, something to consider is that as Tim said, do NOT put any in those rules, but ensure Internet is set as destination. Last, but not least, MAKE SURE that if content awareness is enabled, if whatever you are bypassing in https inspection policy, dont expect it to work correctly with content awareness layer, as that traffic has to be inspected.

Just some pointers from my experience working on this with a customer and having case on it with TAC escalations for more than a month.

Marcel_Gramalla · ‎2023-03-14

The point about block pages is wrong. This works with Content Awareness and HTTPS Inspection (how would a block page work without inspection?). As long as you are in a browser this works very good. If working from CLI you could use the UserCheck client as well (we only have it installed for troubleshooting).

Maybe you mean something different?

the_rock · ‎2023-03-14

Its not wrong, TRUST ME, it does not work : - ). What I mean is this...so the way you get user check block page for https inspection is fine, but same fails if file is blocked via content awareness, just gives network error notification at the very bottom. Even esc. guy told us that never worked properly and they have no idea why. He even said they raised task with R&D about it, but it never got fixed.

You can also refer to below post by Vladimir:

https://community.checkpoint.com/t5/Management/Content-Awareness-things-that-do-not-work/m-p/139442#...

Marcel_Gramalla · ‎2023-03-14

Interesting. I know this problem with "network error" but this only happens on a few sites that load something in the background or do other weird stuff. In the attachment you can see that it IS working on regular downloads 🙂

the_rock · ‎2023-03-14

Maybe exe file, but we did msi and it never worked. Would you mind send a screenshot of the rule?

Marcel_Gramalla · ‎2023-03-14

There you go. I initially thought about a different issue reading your message but I remember we had this issue where it would start the download and just fail at the end. We had this mainly with archives (that we inspect) and it had something to do with strict hold etc..

We use R81.10 and also increase file size limits for both Content Awareness and Anti-Virus (both with archive scanning enabled). We somehow ended with this state where block pages are working also for the most archives (and it blocks the .exe or .msi inside it).

The second screenshot shows the putty-0.78.tar.gz which gets blocked correctly as well (with a custom RegEx filetype).

the_rock · ‎2023-03-14

K, fair enough, maybe things changed since almost a year ago when we did this. User check page you have there, did you create custom one just for content awareness blade?

Marcel_Gramalla · ‎2023-03-14

Yes, we have different ones for URL Filtering, Content Awareness etc.

the_rock · ‎2023-03-14

I thought there was built in one for content awareness, but I guess not, cant see one.

Marcel_Gramalla · ‎2023-03-14

We use the following syntax and also use multiple DataTypes in a group:

(?i).*\.(exe|msi|cmd|bat)$

No noticable performance impact and it should only match a file extension and is also case insensitive (.eXe will also be blocked). In total we block around 20-30 different file types and also apply different rule to specific users (e.g. Developers).

JPR · ‎2023-03-16

Thanks for your reply.

I will be trying something similar and keep on eye on performance, though, so far, it doesn't seem to affect it negativaly.

Logically, it wouldn't really make sense if it did (compared to how I did before), since it already interpreted all the individual File Attributes objects I had made before as RegEx. In fact, that might even result in more negative performance.

Are you a member of CheckMates?

Blocking for specific file types in Check Point Firewall