This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Antonis_Hassiot
Contributor
Wednesday

Content awareness and blocking .bat files issue

Trying to block download of specific file types using Content Awareness. 

I have two rules in Content Awareness for this:

One that blocks downloads based on filename:

.*\.dmg$|.*\.rpm$|.*\.bat$

Another that blocks executables and archives:

Screenshot 2024-11-27 155332.png

Although I see that different file extensions are getting blocked, I can't see any .bat files getting blocked.

When I test using https://mytool.dev/code-editor/bat

I can always Download the .bat file. 

I don't see anything in the SmartConsole logs. 

I see that the site is getting HTTPS inspected.

Version is 81.20 Take 89 

I have TLS1.3 inspection enabled and changed HI to Hold mode. The issue is still there. 

I don't know how to go about troubleshooting this. 

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
Wednesday

This SK has debugging steps: https://support.checkpoint.com/results/sk/sk119715
I suspect you'll need to engage the TAC at some point here as well.

0 Kudos
Antonis_Hassiot
Contributor
16 hours ago
In response to PhoneBoy

I ran the HTTP Process debug with a source IP filter at a low traffic period and the gateway (6400) seemed to have a hard time loading all internet sites , even though I used a source IP filter, so I stopped it:

fw ctl set int simple_debug_filter_off 1

fw ctl set str simple_debug_filter_saddr_1 "10.1.142.9"

fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + advp cmi conn drop cptls log vm
fw ctl debug -m cmi_loader all
fw ctl debug -m WS + spii info session pkt_dump global policy module ssl_insp body connection
fw ctl debug -m cpcode + echo policy ioctl run persist init vm cplog csv io url kisspm
fw ctl debug -m UP all
fw ctl debug -m FILEAPP all
fw ctl debug -m dlpda all
fw ctl set int cmi_dump_buffer 1
fw ctl kdebug -T -f > /var/log/kernel_debug_output.txt

Also, in this doc:

https://support.checkpoint.com/results/sk/sk114640

it mentions at the bottom that:

Content Awareness does not scan HTML files (for type and content) which are downloaded using the HTTP "GET" method over HTTP because it could have a high adverse affect on the Security Gateway performance.

Not sure how to check on the above for the particular site.

0 Kudos
the_rock
Legend
Legend
10 hours ago

See if below helps. I had a case with a customer about 2 years ago for content awareness issue and it ended up with escalation engineer and he was superb, explained everything to us in a way that made total sense and was really easy to understand. So, to make a long story short, client had ssl inspection enabled, but it was just the way certain rules and features had to be "jumbled around" to make this work.

I pasted what engineer told us about it, but if its not clear, let me know.

Andy

 

***********************************

As discussed we would require HTTPS inspection enabled for the https connections where we want to enforce content awareness. If we are not inspecting such https connections their is no way for the firewall to understand what content is been requested since the data would be encrypted. 

Inspection allows the firewall to go inside the packet and view the unencrypted data thereby classifying the file type, file name etc which is downloaded/uploaded. More on content awareness, after these attributes are identified the usermode processes verify if such content is allowed or blocked. The decision/verdict is provided to the rule base execution engine and the final enforcement block/accept is enforced accordingly. 

******************************************************

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events