This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2022-06-29 06:41 AM

Content awareness question

Hey guys,

Sorry if I posted this in the wrong location. I have an inquiry about content awareness blade. So, the gist of it is this...customer simply wants to block certain people in his network from being able to download any exe files anywhere from the Internet. Now, here is what we tested in my lab.

Setup...its all on R81.10 jumbo 61 and windows 10 VM. So, on the gateway (its single fw), I enabled https inspection (works fine), along with content awareness as well. There are 3 ordered layers...network, app/url and content awareness. Now in content awareness blade, we have 2 rules, first one is to block any exe files from my windows 10 machine out to Internet and we also set up block message notification, but never comes up when exe file is blocked. Worse that that, it works very inconsistent, which we also showed to TAC on the call the other day.

Im not sure what is missing here, because all the guides I read, it seems pretty straight forward and rule itself does have 3k hits, so it does work, but as I said, its very inconsistent.

Anyone has any experience with content awareness blade that could help out?

Btw, here is what TAC gave us, but even though this works for google chrome, does not work for other browsers (I can download exe files via mozilla and Edge browsers)

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Thanks as always!

Screenshot_1.png

0 Kudos
8 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-06-29 06:52 AM

Must admit first thing that comes to mind is which browser and is Quic allowed or blocked on the same environment?

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2022-06-29 06:54 AM
In response to Chris_Atkinson

When I implemented sk in my windows 10 on chrome, windows and mozilla, exe files ONLY got blocked on google chrome, thats it. Plus, this is not even scalable or acceptable solution or even workaround in my opinion. Say you had company with 10K employees and you want to block 2000 of them downloading exe files off the Internet...there is no way 2000 people would do this process manually : - )

0 Kudos
the_rock
Legend
Legend
‎2022-06-29 07:03 AM
In response to Chris_Atkinson

By the way, just tested in my windows lab behind gw on google chrome 4 times and exe download worked every single time just fine.

0 Kudos
Vladimir
Champion
Champion
‎2022-06-29 07:58 AM

If you want consistent action for content awareness based on file type, use HTTP/HTTPS in the Services of the rules.

Do not use UserCheck in the same rule unless you are also using UserCheck client on the endpoints: you'll see redirects in the logs instead of the Blocked page. You've seen this before in my old thread:)

https://community.checkpoint.com/t5/Management/Content-Awareness-things-that-do-not-work/m-p/139442

 

the_rock
Legend
Legend
‎2022-06-29 08:00 AM
In response to Vladimir

Interesting, thank you @Vladimir . I will try that now and update you.

0 Kudos
the_rock
Legend
Legend
‎2022-06-29 08:06 AM
In response to Vladimir

I think that may had been it, will ask customer to test! Tx a lot Vladimir.

0 Kudos
Vladimir
Champion
Champion
‎2022-06-29 08:47 AM
In response to the_rock

You are quite w:)lcome

the_rock
Legend
Legend
‎2022-06-29 02:59 PM
In response to Vladimir

K, so that exact lab setup I had did not work for customer, so we left rule as src -any dst-Internet and services http/https/ block exe files, so they will monitor and let me know next week.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events