I ran the HTTP Process debug with a source IP filter at a low traffic period and the gateway (6400) seemed to have a hard time loading all internet sites , even though I used a source IP filter, so I stopped it:

fw ctl set int simple_debug_filter_off 1

fw ctl set str simple_debug_filter_saddr_1 "10.1.142.9"

fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + advp cmi conn drop cptls log vm
fw ctl debug -m cmi_loader all
fw ctl debug -m WS + spii info session pkt_dump global policy module ssl_insp body connection
fw ctl debug -m cpcode + echo policy ioctl run persist init vm cplog csv io url kisspm
fw ctl debug -m UP all
fw ctl debug -m FILEAPP all
fw ctl debug -m dlpda all
fw ctl set int cmi_dump_buffer 1
fw ctl kdebug -T -f > /var/log/kernel_debug_output.txt

Also, in this doc:

https://support.checkpoint.com/results/sk/sk114640

it mentions at the bottom that:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

Not sure how to check on the above for the particular site.

Hi Andy,

As mentioned in original post, I see that the website in question is https inspected since I see the Checkpoint cert when checking the certificate on the website. 

Still wondering whether there is something about the way the file gets downloaded from  https://mytool.dev/code-editor/bat

and if it relates to the comment in the SK:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

Not sure how to check on the above for the particular site. 

Do you see anything about it in the logs?

Andy

Hi Andy,

I have mentioned in the original post that I don't see anything in the logs when I press the download button. 

Do you have any idea about the comment in the SK:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

I wonder if this download falls under this category of download, but not sure how to check.

A.

Maybe the test url is just not a good test? Is there some other way you can attempt to download a bat? Also: dmg$|.*\.rpm$|.*\.bat$

all these have issues or only bat? Has the other ones been tested?

Not sure if this is something with the particular site, but this is the site we use to test. 

Looking at logs, I see that just today there was a .bat file blocked, see below, but still I need to understand why it doesn't block from  https://mytool.dev/code-editor/bat.

I think it is time to open TAC case to confirm why this website is not blocked.

I will test this in the lab. Here is what I gathered from working with escalation guy (he was great btw) 2 years ago when customer had content awareness issue.

He said that key is to NOT have specific updatable objects bypassed in https inspection, but rather allow in ordered url / app control layer. If they are bypassed in https inspection, then it will never hit last ordered layer, in our case content awareness, since https traffic would have already been processed.

Andy

It would help if someone can test in lab. 

Since I see the certificate that the gateway introduces during HTTPs inspection on the website Security, I am pretty certain that HI is not getting bypassed. The download button seems to be producing a link like this:

blob:https://mytool.dev/1d50c3e8-a157-4e3f-90fa-cdbd241920f9

When I replay this link I get a 404 error, which means it's a one off link. And again, I see the inspection certificate shown in the browser. 

Im on it brother 🙂

Will update you later when I have some more info.

Andy

Just tested and even applied same thing esc. engineer asked us back in 2022 and no luck. I have to say, as much as I love the idea of using this blade, Im not impressed with it at all. Its so convoluted to actually make it work and does not seem its much better even in R81.20.

Maybe R82 will bring some changes to it, not sure. I think opening TAC case would be your best bet.

Andy

ok thanks will open a case

Please keep us posted how it gets solved.

Andy

Quick update. Created same rule like one you have, BUT, instead of services any, used http and https, it works intermittently...really annoying.

Andy

I assume you'd need to use Chrome Development Tools to see how this is operating or some sort of extension.
Looking at the page, I suspect Javascript is involved here.

Access Policy rules that allow access to this site should be logged as Extended.
This will ensure that every URL accessed is logged and I believe it also logs the HTTP action (e.g. GET).