Block WhatsApp Uploads/Downloads
Hello All,
First post over here; I'm struggling with blocking WhatsApp files/images/audios from being downloaded through the web app.
I've tested a lot of options using the Check Point defined category WhatsApp File Transfer, but from time to time, randomly, files are going through and I just can't find out why.
Sometimes it works and sometimes it doesn't, and this is not acceptable to management.
This is what we have, a cluster HA; the current active FW has this info:
R80.40 Jumbo Hotfix Accumulator General Availability (Take 125) Installed as part of
Check_Point_R80_40_JUMBO_HF_Bundle_T139_sk165456_FULL.tgz Installed
The FW is working as a non-transparent proxy; HTTPS inspection is enabled, there is a rule created to allow WhatsApp through an AD group and, before that, a rule to drop all media WhatsApp related traffic that is not working as it should.
Inspection is set to ByPass on web.whatsapp.com as a regular expression (yes, I know that uses a lot of processing)
.*\.web\.whatsapp\.com and .net
I can't inspect it because if I do it, the QR code of the app never loads; not sure why.
This is the rule
In the logs there are several matches but, even with that, some files find their way to the destination and the users are able to download them.
So the idea is to block the upload/download to/from the web app, allowing the chat. I'm aware of the End-to-End encryption and think that's probably the reason behind the scenes, but wanted to ask the community if someone had or has this issue so we can see a way to solve it.
A normal day at the office using the rule above looks like this on the app: the file tries to load and then fails (this is an upload that I sent from my phone to a test group).
But sometimes, if for example the user closes the session and then logs in again, and of course the End-to-End code changes, some files go through and the user is able to download them.
I can keep downloading the files; but if the user refreshes the page and tries to send something from the app, it blocks the uploads from the PC but not the downloads. A detail here is that if I don't refresh the page, I can still download files from other chats as well.
I've tried using the Content blade dropping in any direction for WhatsApp, but as the inspection doesn't allow me to log in on the app (due to the QR never loading), it seems useless at this point.
This is the QR code that never loads if I run inspection on the app.
Also I've discovered that if the authentication on the proxy ends, the user can still use WhatsApp and files go through, so I might need to make some script to end all WhatsApp connections at the end of the day (not sure how to do it though).
Any ideas? I just want to block uploads/downloads to/from the web app; the web page is: https://web.whatsapp.com (in the cert appears as web.whatsapp.net)
The rule seems to be applied correctly on the logs.
Thank you very much all.
Accepted Solutions
Hello!!
For anyone having the same issue, this is the solution:
First, make inspection rules for the WhatsApp domain.
After that, create a rule on the FW to block File Transfer and one more to allow the rest (i.e., chat only). I have a domain group to put people that can use the app.
After install, the files should be blocked.
Hope this helps someone facing the same!
Better block WhatsApp completely!
Hello Sir, thanks for replying.
If it were up to me, we would definitely have done it... Management though, completely different situation.
You've already identified a number of possible reasons here that could contribute to the lack of granularity in control/visibility.
Starting with the QR code issue, what are the log entries you see / saw when this failed? Were any debugs performed, and did they indicate certificate pinning?
Hello Chris, thanks for replying.
I set a rule to inspect all the traffic and, as expected, the QR never loads; below is the rule and log.
I also checked if there were any related drops and there is nothing (I refreshed the page several times).
Hello,
I more or less have the same issue as you.
We need to allow WhatsApp web for some specific users since this is part of being able to properly carry out their day-to-day job, but also here, the QR never loads.
I even configured an HTTPS inspection rule to bypass for *.whatsapp.com and *.whatsapp.net.
I can clearly see these URLs being bypassed but the issue persists.
What could be going wrong?
I had a similar case last year and went to escalations and R&D and no one could figure it out, so the customer simply gave up on it after it took so long... Personally, I have no clue why it kept failing. I still believe there is a certain kernel parameter causing this, but TAC insisted that was not the case.
Yeah, I think it is related to categories now; CP is not categorizing correctly for URL filtering.
You got it 100% right.
Hi Dave,
The main problem is the order of the rules; if you move the category "WhatsApp File transfer" below the one that allows WhatsApp; it will work; but the files will not be dropped. The ByPass should work with:
.*\.web\.whatsapp\.net.*
.*\.web\.whatsapp\.com.*
Also you can ByPass by IP as destination.
I will give you one suggestion I found to work the best for HTTPS inspection or in general... say if you wish to whitelist anything WhatsApp for a specific group of users, just do *whatsapp* and don't add any TLD, like .net or .com
Andy
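An added example (not part of any post above, and not Check Point code) that checks which hostnames the bypass patterns quoted in this thread actually cover, so the scope of an HTTPS inspection bypass can be reviewed before it is installed. How the gateway anchors these patterns is not stated in the thread, so both full-match and substring semantics are evaluated; every hostname other than web.whatsapp.com and web.whatsapp.net is constructed.

```python
import re
from fnmatch import fnmatchcase

# Patterns quoted in the thread.
REGEXES = [
    r".*\.web\.whatsapp\.com",       # original post
    r".*\.web\.whatsapp\.net.*",     # later reply
    r".*\.web\.whatsapp\.com.*",     # later reply
]
WILDCARDS = ["*.whatsapp.com", "*.whatsapp.net", "*whatsapp*"]

# Sample hostnames. Only the first two appear in the thread; the rest are
# constructed for illustration and are not taken from gateway logs.
HOSTS = [
    "web.whatsapp.com",
    "web.whatsapp.net",
    "static.web.whatsapp.com",            # constructed subdomain
    "media.whatsapp.net",                 # constructed subdomain
    "cdn.web.whatsapp.com.example.org",   # constructed, unrelated domain
    "whatsapp-files.example.org",         # constructed, unrelated domain
]
INTENDED = ("whatsapp.com", "whatsapp.net")


def regex_hits(pattern, hosts=HOSTS, anchored=True):
    """Hosts matched by a regex, as a full match or as a substring search."""
    rx = re.compile(pattern, re.IGNORECASE)
    test = rx.fullmatch if anchored else rx.search
    return [h for h in hosts if test(h)]


def wildcard_hits(pattern, hosts=HOSTS):
    """Hosts matched by a shell-style wildcard (case-insensitive)."""
    return [h for h in hosts if fnmatchcase(h.lower(), pattern.lower())]


def unintended(hits):
    """Matched hosts that are not under whatsapp.com or whatsapp.net."""
    return [h for h in hits
            if not any(h == d or h.endswith("." + d) for d in INTENDED)]


if __name__ == "__main__":
    for p in REGEXES:
        for anchored in (True, False):
            hits = regex_hits(p, anchored=anchored)
            print(f"{p!r} anchored={anchored}: {hits} unintended={unintended(hits)}")
    for p in WILDCARDS:
        hits = wildcard_hits(p)
        print(f"{p!r}: {hits} unintended={unintended(hits)}")
```

On this sample the regexes never match the bare web.whatsapp.com or web.whatsapp.net, because each requires a literal dot before "web", while `*whatsapp*` also covers the two hostnames outside whatsapp.com and whatsapp.net.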
