This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fedor_Agafonov1
Contributor
‎2019-06-21 05:14 AM

Content Awareness does not match to rule

Hello,

We have two web site: https://habr.com and  https://habrastorage.org .

 habr.com use images from https://habrastorage.org/ .

https://habrastorage.org/ include in URLs Categories : File Storage  and Sharing .

 

We need to  block  URLs Categories : File Storage  and Sharing, but  images on habr.com   need to be work.

We create two rules 

 

1.

image.png

 

2.

image.png

but it isn't work... 

for example image:  https://habrastorage.org/getpro/habr/post_images/b09/090/87b/b0909087b281cd74df8fc2de8735758b.png

not match on firts rule. it match on the second rule.

 

0 Kudos
14 Replies
Vladimir
Champion
Champion
‎2019-06-21 05:58 AM

Please verify that habr.com has "File Storage and Sharing" category associated with it.

You can create a custom app with its domain name and assign all necessary categories.

Alternatively, you can assign whatever category you want to the custom app for this domain, but use it in the top rule "Services and Application" column.

0 Kudos
Fedor_Agafonov1
Contributor
‎2019-06-22 06:46 AM
In response to Vladimir

habr.com has is not associate "File Storage and Sharing".
habr.com use image from https://habrastorage.org/ only.
https://habrastorage.org/ is associate "File Storage and Sharing"


0 Kudos
Vladimir
Champion
Champion
‎2019-06-22 06:53 AM
In response to Fedor_Agafonov1

Can you create and test a new rule by downloading .png files from elsewhere?

I'd like to see if it is a problem related to the content recognition.

Another good test would be to change the extension (for instance .docx to .png and try to download that file.

0 Kudos
Fedor_Agafonov1
Contributor
‎2019-06-22 08:00 AM
In response to Vladimir

We tryed. It's not worked. If on inline policy have block rule on Categories, content awarnes not work on previevs rule.
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-06-22 07:03 AM
In response to Fedor_Agafonov1

As a test in your first rule in the Content field, set for "Any Direction, Any File" (not just "Any").  Do the PNG images now match the first rule?  Just trying to see if Content Awareness is detecting things correctly at all in your situation...

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Fedor_Agafonov1
Contributor
‎2019-06-22 07:40 AM
In response to Timothy_Hall

image.png

not match.

Also match on second rule.

in habr i see:

image.png

habrastarage.org is block:

image.png

 

 

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-06-22 10:36 AM
In response to Fedor_Agafonov1

Why did you change the destination from "Any" to "Internet" in your second rule?  Is your firewall topology configured completely and correctly so that object "Internet" is calculated properly?

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-06-21 06:00 AM

Do you have HTTPS Inspection enabled?  My guess is no.  The second rule works because the application can be detected based on the site name without full HTTPS Inspection.  The first rule doesn't work because Content Awareness cannot see the prohibited content you are trying to match inside the encrypted HTTPS connection unless HTTP Inspection is enabled.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Vladimir
Champion
Champion
‎2019-06-21 06:23 AM
In response to Timothy_Hall

@Timothy_Hall , you got to be right about HTTPS. After re-reading the original post, I see that the category does match on a second rule and not just dropping on cleanup. That's pretty convincing.

0 Kudos
Fedor_Agafonov1
Contributor
‎2019-06-22 06:42 AM
In response to Vladimir

Https inspection is enable.
0 Kudos
Fedor_Agafonov1
Contributor
‎2019-06-22 06:40 AM
In response to Timothy_Hall

Https inspection is enable, and work good.
We also enable kernel parameter "fw ctl set int fileapp_parse_html 1" . (sk114640)
0 Kudos
Vladimir
Champion
Champion
‎2019-06-23 06:28 AM
In response to Fedor_Agafonov1

Any chance you are downloading the files using QUIC?

 

Fedor_Agafonov1
Contributor
‎2019-06-24 02:21 AM
In response to Vladimir

 QUIC is bloked.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-23 01:08 PM

The actual log messages (accept and drop) would be helpful here.
Not to mention elaborating on exact version/JHF level.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events