Fedor_Agafonov1
Contributor

Content Awareness does not match to rule

Hello,

We have two websites: https://habr.com and https://habrastorage.org.

habr.com uses images from https://habrastorage.org/.

https://habrastorage.org/ is included in the URL category File Storage and Sharing.

We need to block the URL category File Storage and Sharing, but images on habr.com need to work.

We created two rules:

 

1.

image.png

 

2.

image.png

but it doesn't work...

For example, the image https://habrastorage.org/getpro/habr/post_images/b09/090/87b/b0909087b281cd74df8fc2de8735758b.png

does not match the first rule. It matches the second rule.

 

0 Kudos
14 Replies
Vladimir
Champion

Please verify that habr.com has "File Storage and Sharing" category associated with it.

You can create a custom app with its domain name and assign all necessary categories.

Alternatively, you can assign whatever category you want to the custom app for this domain, but use it in the top rule "Services and Application" column.

0 Kudos
Fedor_Agafonov1
Contributor

habr.com is not associated with "File Storage and Sharing".
habr.com uses images from https://habrastorage.org/ only.
https://habrastorage.org/ is associated with "File Storage and Sharing".


0 Kudos
Vladimir
Champion

Can you create and test a new rule by downloading .png files from elsewhere?

I'd like to see if it is a problem related to the content recognition.

Another good test would be to change the extension (for instance .docx to .png) and try to download that file.

0 Kudos
Fedor_Agafonov1
Contributor

We tried. It did not work. If the inline policy has a block rule on Categories, Content Awareness does not work on the previous rule.
0 Kudos
Timothy_Hall
Legend

As a test in your first rule in the Content field, set for "Any Direction, Any File" (not just "Any").  Do the PNG images now match the first rule?  Just trying to see if Content Awareness is detecting things correctly at all in your situation...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Fedor_Agafonov1
Contributor

image.png

It does not match.

It also matches the second rule.

In habr I see:

image.png

habrastorage.org is blocked:

image.png

 

 

 

0 Kudos
Timothy_Hall
Legend

Why did you change the destination from "Any" to "Internet" in your second rule?  Is your firewall topology configured completely and correctly so that object "Internet" is calculated properly?

 

0 Kudos
Timothy_Hall
Legend

Do you have HTTPS Inspection enabled?  My guess is no.  The second rule works because the application can be detected based on the site name without full HTTPS Inspection.  The first rule doesn't work because Content Awareness cannot see the prohibited content you are trying to match inside the encrypted HTTPS connection unless HTTP Inspection is enabled.

 

0 Kudos
Vladimir
Champion

@Timothy_Hall, you got to be right about HTTPS. After re-reading the original post, I see that the category does match on a second rule and not just dropping on cleanup. That's pretty convincing.

0 Kudos
Fedor_Agafonov1
Contributor

HTTPS Inspection is enabled.
0 Kudos
Fedor_Agafonov1
Contributor

HTTPS Inspection is enabled and works well.
We also enabled the kernel parameter "fw ctl set int fileapp_parse_html 1" (sk114640).
0 Kudos
Vladimir
Champion

Any chance you are downloading the files using QUIC?

 

Fedor_Agafonov1
Contributor

QUIC is blocked.

0 Kudos
PhoneBoy
Admin

The actual log messages (accept and drop) would be helpful here.
Not to mention elaborating on exact version/JHF level.
0 Kudos
