
Content Awareness R80.10 - Blocked request

Content Awareness in R80.10 - A user is trying to download some packages from a program called Unity and some are failing to download. After looking through the logs I repeatedly see a log that is blocking and the reason is 'Blocking request as configured in engine settings of Content Awareness'.

Reason 1 - Content Awareness - Error while processing 'Big long string of characters': Failed to extract text.

Reason 2 - Content Awareness - Error while processing 'Big long string of characters': Archive decompression ratio is suspiciously high.

My question is, where do I edit the Threat Prevention/Access Policy in order to allow this program to download all of its packages?

Thanks

Employee+

Re: Content Awareness R80.10 - Blocked request

This traffic is being dropped because the Content Awareness engine is running into an error and you currently have the Fail Mode set to 'Fail Close'.

If you need this traffic to go through, you can switch the Fail Mode to 'Fail-Open.'

Re: Content Awareness R80.10 - Blocked request

Hi Kyle,

Surely that is not a secure option to turn it to fail-open? 

Is that the only way of getting around this?

Thanks

Employee+

Re: Content Awareness R80.10 - Blocked request

I can definitely understand the caution about the security impact.

If you want to stay in Fail-Close, there is an option to change the Content Awareness settings to avoid these errors. You can see this documented in SK11851.

Take note that changing these is not recommended unless you need to.

Re: Content Awareness R80.10 - Blocked request

Thanks Kyle, I've put SK11851 into Google and CheckPoint site and nothing comes up? Please could you link me

Employee+

Re: Content Awareness R80.10 - Blocked request

Looks like I missed a digit -- sk118516.


Re: Content Awareness R80.10 - Blocked request

Thank you!


Re: Content Awareness R80.10 - Blocked request

So my current value for # fw ctl set int fileapp_max_upload_file_size is 0, surely that can't be right if the default value is 10mb?

If I want to set this as 200mb for example, would I just enter # fw ctl set int fileapp_max_upload_file_size <200> ?

 


Re: Content Awareness R80.10 - Blocked request

I'm going back and forth to our vendor, then to CheckPoint support and then back. I'm debating whether to turn on fail-open as this is just using up too much of my time and stopping a lot of users from uploading & downloading files. It seems there's some sort of limit at 200mb, although when running fw ctl get int fileapp_max_upload_file_size it = 0.

When in fail-open, if the gateway is unable to extract text does it still get analysed by all the other blades for malicious content?
