Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Antonis_Hassiot
Contributor

Content awareness and blocking .bat files issue

Trying to block download of specific file types using Content Awareness. 

I have two rules in Content Awareness for this:

One that blocks downloads based on filename:

.*\.dmg$|.*\.rpm$|.*\.bat$

Another that blocks executables and archives:

Screenshot 2024-11-27 155332.png

Although I see that different file extensions are getting blocked, I can't see any .bat files getting blocked.

When I test using https://mytool.dev/code-editor/bat

I can always Download the .bat file. 

I don't see anything in the SmartConsole logs. 

I see that the site is getting HTTPS inspected.

Version is 81.20 Take 89 

I have TLS1.3 inspection enabled and changed HI to Hold mode. The issue is still there. 

I don't know how to go about troubleshooting this. 

 

0 Kudos
19 Replies
PhoneBoy
Admin
Admin

This SK has debugging steps: https://support.checkpoint.com/results/sk/sk119715
I suspect you'll need to engage the TAC at some point here as well.

0 Kudos
Antonis_Hassiot
Contributor

I ran the HTTP Process debug with a source IP filter at a low traffic period and the gateway (6400) seemed to have a hard time loading all internet sites , even though I used a source IP filter, so I stopped it:

fw ctl set int simple_debug_filter_off 1

fw ctl set str simple_debug_filter_saddr_1 "10.1.142.9"

fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + advp cmi conn drop cptls log vm
fw ctl debug -m cmi_loader all
fw ctl debug -m WS + spii info session pkt_dump global policy module ssl_insp body connection
fw ctl debug -m cpcode + echo policy ioctl run persist init vm cplog csv io url kisspm
fw ctl debug -m UP all
fw ctl debug -m FILEAPP all
fw ctl debug -m dlpda all
fw ctl set int cmi_dump_buffer 1
fw ctl kdebug -T -f > /var/log/kernel_debug_output.txt

Also, in this doc:

https://support.checkpoint.com/results/sk/sk114640

it mentions at the bottom that:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

Not sure how to check on the above for the particular site.

0 Kudos
the_rock
Legend
Legend

See if below helps. I had a case with a customer about 2 years ago for content awareness issue and it ended up with escalation engineer and he was superb, explained everything to us in a way that made total sense and was really easy to understand. So, to make a long story short, client had ssl inspection enabled, but it was just the way certain rules and features had to be "jumbled around" to make this work.

I pasted what engineer told us about it, but if its not clear, let me know.

Andy

 

***********************************

As discussed we would require HTTPS inspection enabled for the https connections where we want to enforce content awareness. If we are not inspecting such https connections their is no way for the firewall to understand what content is been requested since the data would be encrypted. 

Inspection allows the firewall to go inside the packet and view the unencrypted data thereby classifying the file type, file name etc which is downloaded/uploaded. More on content awareness, after these attributes are identified the usermode processes verify if such content is allowed or blocked. The decision/verdict is provided to the rule base execution engine and the final enforcement block/accept is enforced accordingly. 

******************************************************

 

0 Kudos
Antonis_Hassiot
Contributor

Hi Andy,

As mentioned in original post, I see that the website in question is https inspected since I see the Checkpoint cert when checking the certificate on the website. 

Still wondering whether there is something about the way the file gets downloaded from  https://mytool.dev/code-editor/bat

and if it relates to the comment in the SK:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

Not sure how to check on the above for the particular site. 

0 Kudos
the_rock
Legend
Legend

Do you see anything about it in the logs?

Andy

0 Kudos
Antonis_Hassiot
Contributor

Hi Andy,

I have mentioned in the original post that I don't see anything in the logs when I press the download button. 

Do you have any idea about the comment in the SK:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

I wonder if this download falls under this category of download, but not sure how to check.

A.

0 Kudos
Lesley
Leader Leader
Leader

Maybe the test url is just not a good test? Is there some other way you can attempt to download a bat? Also: dmg$|.*\.rpm$|.*\.bat$

all these have issues or only bat? Has the other ones been tested?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Antonis_Hassiot
Contributor

Not sure if this is something with the particular site, but this is the site we use to test. 

Looking at logs, I see that just today there was a .bat file blocked, see below, but still I need to understand why it doesn't block from  https://mytool.dev/code-editor/bat.

Screenshot 2024-12-02 122248.png
0 Kudos
Lesley
Leader Leader
Leader

I think it is time to open TAC case to confirm why this website is not blocked.

 

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend

I will test this in the lab. Here is what I gathered from working with escalation guy (he was great btw) 2 years ago when customer had content awareness issue.

He said that key is to NOT have specific updatable objects bypassed in https inspection, but rather allow in ordered url / app control layer. If they are bypassed in https inspection, then it will never hit last ordered layer, in our case content awareness, since https traffic would have already been processed.

Andy

0 Kudos
Antonis_Hassiot
Contributor

It would help if someone can test in lab. 

Since I see the certificate that the gateway introduces during HTTPs inspection on the website Security, I am pretty certain that HI is not getting bypassed. The download button seems to be producing a link like this:

blob:https://mytool.dev/1d50c3e8-a157-4e3f-90fa-cdbd241920f9

When I replay this link I get a 404 error, which means it's a one off link. And again, I see the inspection certificate shown in the browser. 

0 Kudos
the_rock
Legend
Legend

Im on it brother 🙂

Will update you later when I have some more info.

Andy

the_rock
Legend
Legend

Just tested and even applied same thing esc. engineer asked us back in 2022 and no luck. I have to say, as much as I love the idea of using this blade, Im not impressed with it at all. Its so convoluted to actually make it work and does not seem its much better even in R81.20.

Maybe R82 will bring some changes to it, not sure. I think opening TAC case would be your best bet.

Andy

Antonis_Hassiot
Contributor

ok thanks will open a case

(1)
the_rock
Legend
Legend

Please keep us posted how it gets solved.

Andy

0 Kudos
the_rock
Legend
Legend

Quick update. Created same rule like one you have, BUT, instead of services any, used http and https, it works intermittently...really annoying.

Andy

0 Kudos
Antonis_Hassiot
Contributor

Tried that now, I never get any hits on the policy for the specific site. 

0 Kudos
PhoneBoy
Admin
Admin

I assume you'd need to use Chrome Development Tools to see how this is operating or some sort of extension.
Looking at the page, I suspect Javascript is involved here.

Access Policy rules that allow access to this site should be logged as Extended.
This will ensure that every URL accessed is logged and I believe it also logs the HTTP action (e.g. GET).

0 Kudos
Antonis_Hassiot
Contributor

The problem is I don't get any hits in the specific policy. The gateway doesn't 'see' the file download. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events