sebasnqn
Participant

Block WhatsApp Uploads/Downloads

Hello All,

First post over here; I'm struggling with blocking WhatsApp files/images/audios from being downloaded through the web app.

I've tested a lot of options using the Check Point defined category WhatsApp File Transfer, but from time to time, randomly, files are going through and I just can't find why.

Sometimes it works and sometimes it doesn't, and this is not acceptable to management.

This is what we have, a cluster HA; the current active FW has this info:

R80.40 Jumbo Hotfix Accumulator General Availability (Take 125) Installed as part of
Check_Point_R80_40_JUMBO_HF_Bundle_T139_sk165456_FULL.tgz Installed

FW is working as a non-transparent proxy; HTTPS inspection is enabled, there is a rule created to allow WhatsApp through an AD group and, before that, a rule to drop all WhatsApp media-related traffic that is not working as it should.

Inspection is set to ByPass on web.whatsapp.com as a regular expression (yes, I know that uses a lot of processing)

      .*\.web\.whatsapp\.com and .net

I can't inspect it because if I do it, the QR code of the app never loads; not sure why.

This is the rule

2022-03-16 15_32_56-Window.jpg

 

In the logs there are several matches, but even so, some files find their way to the destination and the users are able to download them.

So the idea is to block uploads/downloads to/from the web app while allowing the chat. I'm aware of the end-to-end encryption and think that's probably the reason behind the scenes, but wanted to ask the community if someone had or has this issue so we can see a way to solve it.

On a normal day at the office using the rule above, it looks like this in the app: the file tries to load and then fails (this is an upload that I sent from my phone to a test group).

2022-03-16 19_26_06-Window.jpg

 

But sometimes, if for example the user closes the session and then logs in again, and of course the end-to-end code changes, some files go through and the user is able to download them.

 

2022-03-16 19_35_19-Window.jpg

I can keep downloading the files, but if the user refreshes the page and tries to send something from the app, it blocks the uploads from the PC but no such things as downloads. A detail here is that if I don't refresh the page, I can still download files from other chats as well.

2022-03-16 19_44_21-Window.jpg

 

I've tried using the Content blade, dropping in any direction for WhatsApp, but as the inspection doesn't allow me to log in to the app (because the QR never loads), it seems useless at this point.

This is the QR code that never loads if I run inspection on the app.

2022-03-16 19_33_44-Window.jpg

Also, I've discovered that if the authentication on the proxy ends, the user can still use WhatsApp and files go through, so I might need to make some script to end all WhatsApp connections at the end of the day (not sure how to do it though).

Any ideas? I just want to block uploads/downloads to/from the web app; the web page is: https://web.whatsapp.com (in the cert it appears as web.whatsapp.net)

 

 

The rule seems to be applied correctly on the logs.

2022-03-16 20_06_06-Window.jpg

 

Thank you very much all.

0 Kudos
10 Replies
G_W_Albrecht
Legend

Better block WhatsApp completely!

CCSE CCTE SMB Specialist
0 Kudos
sebasnqn
Participant

Hello Sir, thanks for replying.


If it were up to me, we would definitely have done it... Management, though, is a completely different situation.

Chris_Atkinson
Employee

You've already identified a number of possible reasons here that could contribute to the lack of granularity in control/visibility.

Starting with the QR code issue, what are the log entries you see / saw when this failed? Were any debugs performed, and did they indicate certificate pinning?

0 Kudos
sebasnqn
Participant

Hello Chris, thanks for replying.

I set a rule to inspect all the traffic and, as expected, the QR never loads; below are the rule and the log.

 

2022-03-17 10_46_50-Window.jpg

 

2022-03-17 10_46_26-Window.jpg

 

2022-03-17 10_45_45-Window.jpg

 

I also checked whether there were any related drops and there is nothing (I refreshed the page several times).

2022-03-17 11_01_26-Window.jpg

 

 

 

 

0 Kudos
Dave
Participant

Hello,

I more or less have the same issue as you.

We need to allow WhatsApp Web for some specific users since this is part of being able to properly carry out their day-to-day job, but also here, the QR never loads.

I even configured an HTTPS inspection rule to bypass for *.whatsapp.com and *.whatsapp.net.

I can clearly see these URLs being bypassed but the issue persists.

What could be going wrong?

the_rock
Champion

I had a similar case last year and went to escalations and R&D and no one could figure it out, so the customer simply gave up on it after it took so long... Personally, I have no clue why it kept failing. I still believe there is a certain kernel parameter causing this, but TAC insisted that was not the case.

0 Kudos
sebasnqn
Participant

Yeah, I think it is related to categories now; CP is not categorizing correctly for URL filtering.

0 Kudos
the_rock
Champion

You got it 100% right.

0 Kudos
sebasnqn
Participant

Hi Dave,

   The main problem is the order of the rules; if you move the category "WhatsApp File transfer" below the one that allows WhatsApp; it will work; but the files will not be dropped. The ByPass should work with:

.*\.web\.whatsapp\.net.*

.*\.web\.whatsapp\.com.*

Also you can ByPass by IP as destination.

the_rock
Champion

I will give you one suggestion I found to work the best for HTTPS inspection or in general... say if you wish to whitelist anything WhatsApp for a specific group of users, just do *whatsapp* and don't add any TLD, like .net or .com

Andy

0 Kudos
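
Added example, not part of any post in this thread: a quick way to check which hostnames each bypass pattern quoted above would cover before it goes into an HTTPS inspection bypass rule. Python's `re` and `fnmatch` stand in for the gateway's matcher, whose exact semantics (whole-name or substring matching) the thread does not state, and every hostname other than web.whatsapp.com and web.whatsapp.net is constructed for the test.

```python
import fnmatch
import re

# Bypass patterns exactly as quoted in the thread.
PATTERNS = {
    "first_post": r".*\.web\.whatsapp\.com",
    "reply_net": r".*\.web\.whatsapp\.net.*",
    "reply_com": r".*\.web\.whatsapp\.com.*",
    "wildcard": "*whatsapp*",  # shell-style wildcard, not a regex
}

# web.whatsapp.com / web.whatsapp.net come from the thread; the rest are
# constructed test names, not real WhatsApp endpoints.
HOSTS = [
    "web.whatsapp.com",
    "web.whatsapp.net",
    "media.web.whatsapp.net",
    "static.whatsapp.net",
    "x.web.whatsapp.com.example.test",
    "notwhatsapp.example.test",
    "example.test",
]


def matches(name, host, anchored=True):
    """True if the named pattern covers host.

    anchored=True requires the whole name to match; anchored=False accepts a
    match anywhere in the name. Which one the gateway uses is an assumption.
    """
    pattern = PATTERNS[name]
    if name == "wildcard":
        return fnmatch.fnmatchcase(host, pattern)
    rx = re.compile(pattern)
    return bool(rx.fullmatch(host) if anchored else rx.search(host))


def coverage(anchored=True):
    """Map each pattern name to the sample hosts it would bypass."""
    return {n: [h for h in HOSTS if matches(n, h, anchored)] for n in PATTERNS}


if __name__ == "__main__":
    for mode in (True, False):
        print("anchored" if mode else "unanchored")
        for name, hosts in coverage(mode).items():
            print(f"  {name:10} -> {hosts}")
```

Under these assumptions, the leading `.*\.` in the regular expressions requires a label in front of `web`, so the bare names web.whatsapp.com and web.whatsapp.net are covered only by the wildcard, which also covers unrelated names that merely contain the string.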