Re: Content Awareness does not match to rule

Fedor_Agafonov1 · ‎2019-06-21

Hello,

We have two web site: https://habr.com and https://habrastorage.org .

habr.com use images from https://habrastorage.org/ .

https://habrastorage.org/ include in URLs Categories : File Storage and Sharing .

We need to block URLs Categories : File Storage and Sharing, but images on habr.com need to be work.

We create two rules

1.

2.

but it isn't work...

for example image: https://habrastorage.org/getpro/habr/post_images/b09/090/87b/b0909087b281cd74df8fc2de8735758b.png

not match on firts rule. it match on the second rule.

Vladimir · ‎2019-06-21

Please verify that habr.com has "File Storage and Sharing" category associated with it.

You can create a custom app with its domain name and assign all necessary categories.

Alternatively, you can assign whatever category you want to the custom app for this domain, but use it in the top rule "Services and Application" column.

Fedor_Agafonov1 · ‎2019-06-22

habr.com has is not associate "File Storage and Sharing".
habr.com use image from https://habrastorage.org/ only.
https://habrastorage.org/ is associate "File Storage and Sharing"

Vladimir · ‎2019-06-22

Can you create and test a new rule by downloading .png files from elsewhere?

I'd like to see if it is a problem related to the content recognition.

Another good test would be to change the extension (for instance .docx to .png and try to download that file.

Fedor_Agafonov1 · ‎2019-06-22

We tryed. It's not worked. If on inline policy have block rule on Categories, content awarnes not work on previevs rule.

Timothy_Hall · ‎2019-06-22

As a test in your first rule in the Content field, set for "Any Direction, Any File" (not just "Any"). Do the PNG images now match the first rule? Just trying to see if Content Awareness is detecting things correctly at all in your situation...

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Fedor_Agafonov1 · ‎2019-06-22

not match.

Also match on second rule.

in habr i see:

habrastarage.org is block:

Timothy_Hall · ‎2019-06-22

Why did you change the destination from "Any" to "Internet" in your second rule? Is your firewall topology configured completely and correctly so that object "Internet" is calculated properly?

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Timothy_Hall · ‎2019-06-21

Do you have HTTPS Inspection enabled? My guess is no. The second rule works because the application can be detected based on the site name without full HTTPS Inspection. The first rule doesn't work because Content Awareness cannot see the prohibited content you are trying to match inside the encrypted HTTPS connection unless HTTP Inspection is enabled.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Vladimir · ‎2019-06-21

@Timothy_Hall , you got to be right about HTTPS. After re-reading the original post, I see that the category does match on a second rule and not just dropping on cleanup. That's pretty convincing.

Fedor_Agafonov1 · ‎2019-06-22

Https inspection is enable.

Fedor_Agafonov1 · ‎2019-06-22

Https inspection is enable, and work good.
We also enable kernel parameter "fw ctl set int fileapp_parse_html 1" . (sk114640)

Vladimir · ‎2019-06-23

Any chance you are downloading the files using QUIC?

Fedor_Agafonov1 · ‎2019-06-24

QUIC is bloked.

PhoneBoy · ‎2019-06-23

The actual log messages (accept and drop) would be helpful here.
Not to mention elaborating on exact version/JHF level.

Are you a member of CheckMates?

Content Awareness does not match to rule