This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JPR
Collaborator
‎2023-04-20 02:10 AM
Jump to solution

Content Awareness not working properly

Hi all,

I’m using Content Awareness to block for exe files, however, I’m having difficulties making it work properly.

At the moment it is a very simple rule:

src=IP’s of internal hosts

Dst = Internet

Services & Applications = Any

Content = (Any Direction) Executable File

Action = Drop

I’m testing with 7-zip from https://www.7-zip.org/download.html. When I download the x64 version it downloads and doesn’t register the exe file. However, when I download the x32 version it blocks it accordring to the rule.

I’m also using HTTPS Inspection and it inspects traffic in both instances according to policy.

Version: R81, Take 81

Have any of you experienced anything like this and have any ideas as to how to fix it?

Thanks.

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-04-25 06:07 PM
In response to JPR
Jump to solution

You can see in the services column that the browser is using QUIC protocol for the communication in some cases rather than HTTPS.

The Gateway cannot inspect QUIC traffic in current versions and it is recommended to block it (or disable it in the browser) to force the use of HTTPS instead which in turn should allow Content Awareness to apply.

Refer also: sk108202 / sk111754 / sk112249

 

CCSM R77/R80/ELITE

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2023-04-21 01:10 PM
Jump to solution

What precise rule accepts the traffic otherwise?
In any case, I recommend a TAC case to assist in troubleshooting: https://help.checkpoint.com 

the_rock
MVP Platinum
MVP Platinum
‎2023-04-21 01:20 PM
Jump to solution

Thats wrong and I will tell you why. I know it may sound stupid what I will say now, but, when it comes to content awareness, using services as any will never work properly. You need to use http and https in there.

Give that a go and see what happens. If still same issue, please send a screenshot (blur out any sensitive info). I spent way too many hours with TAC escalations working on this lol

Cheers,

Andy

Best,
Andy
the_rock
MVP Platinum
MVP Platinum
‎2023-04-23 07:50 AM
In response to Chris_Atkinson
Jump to solution

See, the issue is, I only worked with 1 esc. guy who knew anything about content awareness. Now, in all fairness, I cant blame TAC for that, as its probably not something lots of customers use, so I dont expect to get someone with solid knowledge about it, its more trial and error as they say. Thats why I have it configured in the lab, so no one cares if it breaks, easy to reconfigure again : - )

Best,
Andy
0 Kudos
JPR
Collaborator
‎2023-04-25 02:59 AM
In response to the_rock
Jump to solution

Thanks for your reply.

I've now tried this and it didn't solve the issue, unfortunately, However, I seem to have been able to create a scenario, when it works - and when it doesn't.

If I open Chrome in Incognito and paste this URL into my browser: Thanks for your reply.

I've now tried this and it didn't solve the issue, unfortunately, However, I seem to have been able to create a scenario, when it works - and when it doesn't.

If I open Chrome in Incognito and paste this URL (mirror site to download VLC, but slightly sanitized) into my browser: https://mirror.safe-con[.]dk/vlc/vlc/3.0.18/win64/vlc-3.0.18-win64.exe it blocks it according to the rule (208 in screenshot). If I then try again it accepts it and skips the rule and accepts it (rule 239 in screenshot):

 

sc1.png


At the moment the rule looks as follows:

sc2.png

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-04-25 06:07 PM
In response to JPR
Jump to solution

You can see in the services column that the browser is using QUIC protocol for the communication in some cases rather than HTTPS.

The Gateway cannot inspect QUIC traffic in current versions and it is recommended to block it (or disable it in the browser) to force the use of HTTPS instead which in turn should allow Content Awareness to apply.

Refer also: sk108202 / sk111754 / sk112249

 

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events