Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JPR
Contributor

UserCheck page seemingly working randomly

Hi all,

I'm blocking Executables among other file types with Content Awareness and configured it to display a blocked UserCheck message when it hits that rule. However, the block message is not working all the time and I can't precisely figure out why.

This is the rule:

rule.png

And this is logs when it works:

works.png

And this is logs when it doesn't work (the rule as such works, however, it doesn't display the block message; it just cancels the download):

notworking.png

So, the apparent difference is that when it doesn't show the UserCheck message, the action is "Redirect" and when it does show it it's "Block". I've found another post discussing this, however, not a solution: https://community.checkpoint.com/t5/Management/Content-Awareness-things-that-do-not-work/m-p/139442#...

Is there a reason to this behaviour? And is it fixed in a later version? Running R81.

Thanks!

Best regards

0 Kudos
7 Replies
G_W_Albrecht
Legend
Legend

JPR
Contributor

Hi,

Thanks for your reply, however, I don't think it addresses my issue. It seems like it only fails to display the UserCheck message when the download link redirects the actual download somewhere else and it might be something to do what PhoneBoy mentions that it's simply not possible to inject the UserCheck page in the connection stream.

0 Kudos
the_rock
Legend
Legend

I had this issue before and below is how I fixed it.

Andy

 

 

Screenshot_1.png

 

JPR
Contributor

Hi Andy,

Thanks for your reply. Unfortunately it didn't resolve the issue.

I suspect it has something to do with what PhoneBoy mentions in his comment, because it seems only to malfunction when the download link redirects the download to somewhere else which also would explain the "Redirect" log.

0 Kudos
the_rock
Legend
Legend

You need https inspection 100%. Without it, even for URLF blade, it will just show you goofy page that its reset or something like that, so to a regular user, they will be calling your help desk all day long : - )

Andy

Timothy_Hall
Champion Champion
Champion

I've seen this before, if a detection was made in an HTTP download stream a UserCheck cannot be displayed since the browser is just expecting a stream of downloaded bytes that it is directing into a file, it is not parsing the downloaded contents for HTML code that could display a UserCheck to the user.  A TCP RST and failed download is the only way out here.  The "Redirect" action you saw means that a UserCheck was configured to be sent, but could not be for technical reasons, and the user never saw it.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
PhoneBoy
Admin
Admin

Depending on when in the connection stream we detect an executable is being downloaded, it may not be possible to inject a UserCheck page.
This almost certainly will require HTTPS Inspection to be enabled as well. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events