Matt_Parfitt
Participant

Content Awareness R80.10 - Blocked request

Content Awareness in R80.10 - A user is trying to download some packages from a program called Unity and some are failing to download. After looking through the logs I repeatedly see a log that is blocking and the reason is 'Blocking request as configured in engine settings of Content Awareness'.

Reason 1 - Content Awareness - Error while processing 'Big long string of characters': Failed to extract text.

Reason 2 - Content Awareness - Error while processing 'Big long string of characters': Archive decompression ratio is suspiciously high.

My question is, where do I edit the Threat Prevention/Access Policy in order to allow this program to download all of its packages?

Thanks

0 Kudos
11 Replies
Kyle_Danielson
Employee

This traffic is being dropped because the Content Awareness engine is running into an error and you currently have the Fail Mode set to 'Fail Close'.

If you need this traffic to go through, you can switch the Fail Mode to 'Fail-Open.'

Matt_Parfitt
Participant

Hi Kyle,

Surely that is not a secure option to turn it to fail-open? 

Is that the only way of getting around this?

Thanks

0 Kudos
Kyle_Danielson
Employee

I can definitely understand the caution about the security impact.

If you want to stay in Fail-Close, there is an option to change the Content Awareness settings to avoid these errors. You can see this documented in SK11851.

Take note that changing these is not recommended unless you need to.

Matt_Parfitt
Participant

Thanks Kyle, I've put SK11851 into Google and CheckPoint site and nothing comes up? Please could you link me.

0 Kudos
Kyle_Danielson
Employee

Looks like I missed a digit -- sk118516.

0 Kudos
Matt_Parfitt
Participant

Thank you!

0 Kudos
Matt_Parfitt
Participant

So my current value for # fw ctl set int fileapp_max_upload_file_size is 0, surely that can't be right if the default value is 10mb?

If I want to set this as 200mb for example, would I just enter # fw ctl set int fileapp_max_upload_file_size <200> ?

 

0 Kudos
Matt_Parfitt
Participant

I'm going back and forth to our vendor, then to CheckPoint support and then back. I'm debating whether to turn on fail-open as this is just using up too much of my time and stopping a lot of users from uploading & downloading files. It seems there's some sort of limit at 200mb, although when running fw ctl get int fileapp_max_upload_file_size it = 0.

When in fail-open, if the gateway is unable to extract text does it still get analysed by all the other blades for malicious content?

0 Kudos
s-quintanilla
Explorer

Hello @Kyle_Danielson, thanks for your help and brief explanation. I just made this change and it looks like it's working, but can you explain what the differences are between the fail-open and fail-close options? Does it mean if there is an error with the content awareness system, it will "bypass" traffic and won't inspect it through content awareness?

0 Kudos
bmartins-EMCDDA
Participant

I am having a similar issue, but in this case, our mode is set to fail-open.

contAwareness1.png
 
Any advice?
0 Kudos
PhoneBoy
Admin

That's a different problem that has a solution: https://support.checkpoint.com/results/sk/sk167173 
