the_rock
Champion

Content awareness question

Hey guys,

Sorry if I posted this in the wrong location. I have an inquiry about the content awareness blade. So, the gist of it is this... the customer simply wants to block certain people in his network from being able to download any exe files anywhere from the Internet. Now, here is what we tested in my lab.

Setup... it's all on R81.10 jumbo 61 and a Windows 10 VM. So, on the gateway (it's a single fw), I enabled HTTPS inspection (works fine), along with content awareness as well. There are 3 ordered layers... network, app/url and content awareness. Now in the content awareness blade, we have 2 rules; the first one is to block any exe files from my Windows 10 machine out to the Internet, and we also set up a block message notification, but it never comes up when an exe file is blocked. Worse than that, it works very inconsistently, which we also showed to TAC on the call the other day.

I'm not sure what is missing here, because in all the guides I read, it seems pretty straightforward, and the rule itself does have 3k hits, so it does work, but as I said, it's very inconsistent.

Does anyone have any experience with the content awareness blade that could help out?

Btw, here is what TAC gave us, but even though this works for Google Chrome, it does not work for other browsers (I can download exe files via Mozilla and Edge browsers).

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Thanks as always!

8 Replies
Chris_Atkinson
Employee

Must admit, the first thing that comes to mind is which browser, and is QUIC allowed or blocked on the same environment?

the_rock
Champion

When I implemented the SK in my Windows 10 on Chrome, Windows and Mozilla, exe files ONLY got blocked on Google Chrome, that's it. Plus, this is not even a scalable or acceptable solution or even a workaround, in my opinion. Say you had a company with 10K employees and you wanted to block 2000 of them from downloading exe files off the Internet... there is no way 2000 people would do this process manually :-)

the_rock
Champion

By the way, I just tested in my Windows lab behind the gw on Google Chrome 4 times and the exe download worked every single time just fine.

Vladimir
Champion

If you want consistent action for content awareness based on file type, use HTTP/HTTPS in the Services of the rules.

Do not use UserCheck in the same rule unless you are also using the UserCheck client on the endpoints: you'll see redirects in the logs instead of the Blocked page. You've seen this before in my old thread :)

https://community.checkpoint.com/t5/Management/Content-Awareness-things-that-do-not-work/m-p/139442

 

the_rock
Champion

Interesting, thank you @Vladimir. I will try that now and update you.

the_rock
Champion

I think that may have been it, will ask the customer to test! Tx a lot Vladimir.

Vladimir
Champion

You are quite w:)lcome

the_rock
Champion

K, so that exact lab setup I had did not work for the customer, so we left the rule as src - any, dst - Internet and services http/https, block exe files, so they will monitor and let me know next week.
