Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Content Awareness does not match to rule

Hello,

We have two web site: https://habr.com and  https://habrastorage.org .

 habr.com use images from https://habrastorage.org/ .

https://habrastorage.org/ include in URLs Categories : File Storage  and Sharing .

 

We need to  block  URLs Categories : File Storage  and Sharing, but  images on habr.com   need to be work.

We create two rules 

 

1.

image.png

 

2.

image.png

but it isn't work... 

for example image:  https://habrastorage.org/getpro/habr/post_images/b09/090/87b/b0909087b281cd74df8fc2de8735758b.png

not match on firts rule. it match on the second rule.

 

0 Kudos
14 Replies
Highlighted
Pearl

Please verify that habr.com has "File Storage and Sharing" category associated with it.

You can create a custom app with its domain name and assign all necessary categories.

Alternatively, you can assign whatever category you want to the custom app for this domain, but use it in the top rule "Services and Application" column.

0 Kudos
Highlighted

habr.com has is not associate "File Storage and Sharing".
habr.com use image from https://habrastorage.org/ only.
https://habrastorage.org/ is associate "File Storage and Sharing"


0 Kudos
Highlighted
Pearl

Can you create and test a new rule by downloading .png files from elsewhere?

I'd like to see if it is a problem related to the content recognition.

Another good test would be to change the extension (for instance .docx to .png and try to download that file.

0 Kudos
Highlighted

We tryed. It's not worked. If on inline policy have block rule on Categories, content awarnes not work on previevs rule.
0 Kudos
Highlighted

As a test in your first rule in the Content field, set for "Any Direction, Any File" (not just "Any").  Do the PNG images now match the first rule?  Just trying to see if Content Awareness is detecting things correctly at all in your situation...

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
Highlighted

image.png

not match.

Also match on second rule.

in habr i see:

image.png

habrastarage.org is block:

image.png

 

 

 

0 Kudos
Highlighted

Why did you change the destination from "Any" to "Internet" in your second rule?  Is your firewall topology configured completely and correctly so that object "Internet" is calculated properly?

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
Highlighted

Do you have HTTPS Inspection enabled?  My guess is no.  The second rule works because the application can be detected based on the site name without full HTTPS Inspection.  The first rule doesn't work because Content Awareness cannot see the prohibited content you are trying to match inside the encrypted HTTPS connection unless HTTP Inspection is enabled.

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
Pearl

@Timothy_Hall , you got to be right about HTTPS. After re-reading the original post, I see that the category does match on a second rule and not just dropping on cleanup. That's pretty convincing.

0 Kudos
Highlighted

Https inspection is enable.
0 Kudos
Highlighted

Https inspection is enable, and work good.
We also enable kernel parameter "fw ctl set int fileapp_parse_html 1" . (sk114640)
0 Kudos
Highlighted
Pearl

Any chance you are downloading the files using QUIC?

 

Highlighted

 QUIC is bloked.

0 Kudos
Highlighted
Admin
Admin

The actual log messages (accept and drop) would be helpful here.
Not to mention elaborating on exact version/JHF level.
0 Kudos