
TZ470w - URI lists and GAV

Simon_Weel Enthusiast ✭✭
edited September 2022 in Firewall Security Services

The website https://ambientcg.com/ contains all kinds of bitmaps. When we try to download a ZIPped bitmap, it's blocked by GAV since we have "Block files with multiple levels of zip/gzip compression" enabled. So I made an address object for the aforementioned website and added that to the group of allowed exclusions for GAV. That didn't seem to work. Turns out the bitmaps come from a CDN: cdn3.struffelproductions.com/file/ambientCG/download. So I created a URI list object with this name and added it to a group for allowed URIs:


And added that group to the CFS Default Profile:


Unfortunately, this doesn't seem to work. Files are still intercepted by GAV:


How to get this site to bypass GAV?


Answers

  • Ajishlal Community Legend ✭✭✭✭✭

    @Simon_Weel

    Exclude those URL/FQDN address object from GAV.


  • Simon_Weel Enthusiast ✭✭
    edited September 2022

    @Ajishlal : Yes, that would work. Thing is, more and more websites host their data on a CDN. Bypassing a whole CDN means all data from that CDN bypasses GAV. You don't want that. So that's where the URI comes into play - it gives a more granular means of bypassing GAV for just a part of a CDN.

    Since that doesn't seem to work, I wonder in which order the firewall processes the security policies. It looks like GAV has the last word, regardless of the URI allow list in the CFS profile. That, or I'm doing something wrong....

  • Ajishlal Community Legend ✭✭✭✭✭

    @Simon_Weel

    As per your firewall log, it's being blocked by GAV, and that's why I suggested excluding it if it's a legitimate FQDN for downloading the zip.

    The zip block is defined in the GAV policy so you would have to exclude from that policy only if you want to download the particular zip file.

  • Simon_Weel Enthusiast ✭✭
    edited September 2022

    @Ajishlal : I understand, but IMO you seem to miss the point? I don't want to exclude the whole domain in case of a CDN. It's like giving carte blanche to all (mis)users of that CDN. By using a URI, you can pinpoint just a fraction of a CDN. My thought was that URIs on the allow list would not be blocked by any service. That doesn't seem to be the case. And unfortunately, the allow list for, as an example, the GAV service only accepts domain names / IP addresses. You can't use URI Lists to be excluded from GAV.

    Maybe I should rephrase the question: How can I exclude part of a domain in GAV?

  • BWC Cybersecurity Overlord ✭✭✭

    @Simon_Weel if you have DPI-SSL running, you could create a Match Object for the URL in question, create an App Rule for it and use the default Action Bypass GAV, that should do the trick.

    --Michael@BWC

  • Simon_Weel Enthusiast ✭✭
    edited September 2022

    @BWC : tried it. Won't budge. Created a Match Object:

    NB: tried different 'Match Object Types' like HTTP URL and HTTP Host. Also tried all different 'Match Types'.

    Then made an App Rule policy:

    Doesn't work. As soon as I switch off DPI SSL, I can download files without problems. Which makes sense, since in that case the firewall no longer performs any security service at all.

    DPI SSL settings:


    I'm at a loss. I just don't know how to get this working.....

  • BWC Cybersecurity Overlord ✭✭✭

    @Simon_Weel I tried to reproduce, but no download gave me that GAV block. Does it happen for any download you try?

    --Michael@BWC

  • Ajishlal Community Legend ✭✭✭✭✭

    @Simon_Weel

    I did the test with my Gen6 unit and it's working. Downloaded the zip file without any issue and I didn't exclude the CDN or FQDN.

    GAV Configuration:

    DPI-SSL Configuration:

    I don't have a Gen7 unit with DPI-SSL to do the test.

  • Simon_Weel Enthusiast ✭✭

    @BWC : yes, for this particular site it doesn't matter what file I try to download. They're all blocked by GAV.

    @Ajishlal : your settings are pretty much the same as mine? Which only adds to the question why it doesn't work for me....

    If I switch off "Block files with multiple levels of zip/gzip compression" I can download without problem. Also makes sense - most of the files on that site are jpg files, which is a form of ZIP. I guess the site owner wants to shave off a couple of bytes by ZIPping the bitmaps. And thus they become a multi-level zip file.

    Forgot to mention we also have Capture ATP, which for the time being I have set to Allow file download while awaiting a verdict.

    Could this be a bug in the firewall? It runs version SonicOS 7.0.1-5080

  • Simon_Weel Enthusiast ✭✭

    It's been months now and still have no resolution for this problem. There's a new kid on the block, posing the same problem. This time, it's Dalux (BIM software for construction management). When using the website to open a building model, the browser starts to download a ZIP file from https://s3-eu-west-1.amazonaws.com/com.bimserver.cache/sitexxxx and then GAV kicks in: Gateway Anti-Virus Alert: Multi-compressed ZIP/GZIP file blocked.

    So I did what I tried in vain before - creating a 'Match Object' for the above HTTP URI. And the mandatory App Rule for this site to bypass GAV. And as expected, doesn't work. When in App Rules hovering over the entry just made and tried, it lists no hits (Time Matched). Tried all kinds of settings, but without any result.

    Is there any way to trouble-shoot this issue?

  • Corners Newbie ✭

    I have this same scenario for a specific download that is hosted in AWS S3. Definitely don't want to bypass the domain, but the subfolders are unique.

  • Simon_Weel Enthusiast ✭✭

    I was asked to contact (phone) SonicWall support. Now my English writing isn't so bad, but speaking isn't as easy, especially when it's technical. So I put it on the back burner....

  • Corners Newbie ✭

    I opened a ticket and this is the official response:

    "Thank you for contacting SonicWall. We cannot exclude one sub folder on a website. Firewall doesn't work on that layer of traffic. We can exclude a domain or IP address, not something within that IP."

    I will follow up as they also included a note to contact them for more in-depth troubleshooting.

  • Simon_Weel Enthusiast ✭✭

    Like 'We don't feel like answering the question'. Duh. I take it you already had a look at this page: How to allow or block URI and sub-domains using Content Filtering | SonicWall

    I've been studying this page and it all seems rather easy, yet it doesn't seem to work. At least not on my side....

  • Pocho Newbie ✭

    I looked at the original site https://ambientcg.com/ and when downloading the files, the way the request is being formed seems to change a bit, and the URI field or host field do not match when you use that type of app rule. I am sure if you can capture the entire transaction and look through it you may be able to determine a very specific rule that will work, however I did not really want to spend that much time on it, or rather I do not have the space to save the entire capture to a server to review it. In these cases I just generally take the easy option out and use custom app rules. For the one from the OP, using a custom rule with a custom match object in REGEX that includes the expressions below works to bypass the GAV block. I would also mention that you need to be on the latest firmware, since in older firmware it was failing but the new one works just fine, well, 7.0.1-5095, since I haven't tried the one that was just released a few days ago. Oh, and of course you have to have DPI-SSL configured and working for it to work.

    .*(cdn3.struffelproductions.com\/file\/ambientCG\/download\/).*

    .*(ambientCG.com\/a\/).*

    Match object

    App Rule

    Pretty much the REGEX is just doing a partial match, since you cannot do partial matches directly with custom objects, and the app rule is looking for either direction that way you make sure it catches it. Like I said you may be able to narrow it down much more if you want to go through the packet capture but with such a large download it is really time consuming.

    I would imagine that the same thing will work for the AWS S3 scenario. You probably still need to test it and see if there is any other match object needed like it was the case for OP.
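To see what the two posted REGEX match objects actually exempt from GAV, here is an added check (not from the thread or from SonicWall) that runs the posted expressions, plus an assumed stricter variant with the host-name dots escaped, over constructed sample URLs; it shows that only the named sub-path is bypassed while the rest of the CDN stays scanned, that the match is case-sensitive (assumed to hold for the firewall engine as it does for Python's re), and that an unescaped `.` matches any character.

```python
import re

# Match-object regexes exactly as posted in the thread (partial match via .* on both sides).
POSTED_PATTERNS = [
    r".*(cdn3.struffelproductions.com\/file\/ambientCG\/download\/).*",
    r".*(ambientCG.com\/a\/).*",
]

# Assumed stricter variant (not from the thread): dots in the host names are escaped,
# so they match only a literal '.', not any single character.
STRICT_PATTERNS = [
    r".*(cdn3\.struffelproductions\.com/file/ambientCG/download/).*",
    r".*(ambientCG\.com/a/).*",
]


def would_bypass(url, patterns=POSTED_PATTERNS):
    """True if any pattern matches the URL, i.e. the App Rule's 'Bypass GAV' action
    would apply. Case-sensitive, as Python's re is by default (assumed for the firewall)."""
    return any(re.search(p, url) for p in patterns)


def classify(urls, patterns=POSTED_PATTERNS):
    """Map each URL to whether it would be exempted from GAV under the given patterns."""
    return {u: would_bypass(u, patterns) for u in urls}


# Constructed sample URLs (not captured from the real sites).
SAMPLES = [
    "https://cdn3.struffelproductions.com/file/ambientCG/download/Bricks001_2K-JPG.zip",
    "https://ambientCG.com/a/Bricks001",
    "https://cdn3.struffelproductions.com/file/OtherTenant/payload.zip",   # other CDN tenant: still scanned
    "https://cdn3.struffelproductions.com/file/ambientcg/download/x.zip",  # lower-case path: no match
    "https://cdn3xstruffelproductionsxcom/file/ambientCG/download/x.zip",  # unescaped-dot trap
]

if __name__ == "__main__":
    for url, exempt in classify(SAMPLES).items():
        print(f"{'BYPASS' if exempt else 'SCAN  '} {url}")
```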
