Hello All,
First post over here; I'm struggling with blocking WhatsApp files/images/audios from being downloaded through the web app.
I've tested a lot of options using the Check Point-defined category WhatsApp File Transfer, but from time to time, randomly, files are going through and I just can't find why.
Sometimes it works and sometimes it doesn't, and this is not acceptable for management.
This is what we have: an HA cluster; the current active FW has this info:
R80.40 Jumbo Hotfix Accumulator General Availability (Take 125) Installed as part of
Check_Point_R80_40_JUMBO_HF_Bundle_T139_sk165456_FULL.tgz Installed
The FW is working as a non-transparent proxy; HTTPS inspection is enabled. There is a rule created to allow WhatsApp through an AD group and, before that, a rule to drop all WhatsApp media-related traffic, which is not working as it should.
Inspection is set to Bypass on web.whatsapp.com as a regular expression (yes, I know that uses a lot of processing):
.*\.web\.whatsapp\.com and .net
I can't inspect it because if I do it, the QR code of the app never loads; not sure why.
This is the rule
In the logs there are several matches, but even so, some files find a way to reach their destination and the users are able to download them.
So the idea is to block the upload/download to/from the web app while allowing the chat. I'm aware of the end-to-end encryption and think that's probably the reason behind the scenes, but I wanted to ask the community if someone has had or has this issue so we can see a way to solve it.
A normal day at the office using the rule above looks like this on the app: the file tries to load and then fails (this is an upload that I sent from my phone to a test group).
But sometimes, if for example the user closes the session and then logs in again (and of course the end-to-end code changes), some files go through and the user is able to download them.
I can keep downloading the files; but if the user refreshes the page and tries to send something from the app, it blocks the uploads from the PC but no such things as downloads. A detail here is that if I don't refresh the page, I can still download files from other chats as well.
I've tried using the Content blade, dropping in any direction for WhatsApp, but as the inspection doesn't allow me to log in to the app (due to the QR never loading), it seems useless at this point.
This is the QR code that never loads if I run inspection on the app.
Also, I've discovered that if the authentication on the proxy ends, the user can still use WhatsApp and files go through, so I might need to write a script to end all WhatsApp connections at the end of the day (not sure how to do it, though).
Any ideas? I just want to block uploads/downloads to/from the web app; the web page is: https://web.whatsapp.com (in the cert appears as web.whatsapp.net)
The rule seems to be applied correctly on the logs.
Thank you very much all.