Transition File Blocking Profiles Safely to Best Practices

Apply File Blocking profiles to allow rules to protect against risky file types used in malware campaigns without risking application availability.
Use the following guidance to help determine whether to start with block or alert actions as you define the initial File Blocking profiles and begin the transition to best practice profiles.
  • The best practice File Blocking profile will likely be different for different types of applications and for different areas of the network. For example:
    • If internal applications depend on file type transfers that the best practice File Blocking profile recommends blocking, you need to allow those file types for those internal applications. Don’t allow those file transfer types for all applications; allow them only for the necessary internal applications.
    • For internet-based traffic, take a more restrictive approach from the start to prevent attackers from delivering malicious files and to reduce the attack surface.
    • For data center traffic, take a more restrictive approach (with the exception of internal applications that depend on file transfer types that you would otherwise block) to reduce the attack surface and protect your most valuable assets.
  • For business-critical applications, start off with the alert action for all file types.
Monitor the Data Filtering logs (Monitor > Logs > Data Filtering) to understand the file type usage before configuring block actions for specific file types. As you understand which file types your business-critical and internal custom applications require, transition toward the best practice File Blocking configuration for the internet gateway or the data center, modified as necessary to support your business needs.
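
One way to turn an export of the alert-mode Data Filtering logs into a transition plan, shown as an added example that is not Palo Alto Networks code. The CSV column names, sample rows, candidate file types and application names are constructed assumptions, not the firewall's export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions for illustration.
SAMPLE_LOG = """app,filetype,dest_zone
hr-portal,pdf,datacenter
hr-portal,exe,datacenter
build-server,exe,datacenter
build-server,exe,datacenter
web-browsing,exe,internet
web-browsing,pdf,internet
web-browsing,bat,internet
"""

# Assumed inputs: file types the target profile would block, and the
# internal applications currently being observed with the alert action.
BLOCK_CANDIDATES = {"exe", "bat"}
INTERNAL_APPS = {"hr-portal", "build-server"}


def plan_transition(log_text, block_candidates, internal_apps):
    """Summarise alert-mode logs into (exceptions, no_dependency).

    exceptions:    {internal app: {file type: count}} for candidate types the
                   app was seen transferring; these need an app-specific allow
                   (or a review) before the type is blocked elsewhere.
    no_dependency: candidate types no internal app transferred, so they can
                   move from alert to block without an exception.
    """
    usage = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        usage[row["app"].strip()][row["filetype"].strip().lower()] += 1

    exceptions = {}
    for app in sorted(internal_apps):
        hits = {t: n for t, n in usage.get(app, {}).items()
                if t in block_candidates}
        if hits:
            exceptions[app] = hits

    needed = {t for hits in exceptions.values() for t in hits}
    return exceptions, sorted(block_candidates - needed)


if __name__ == "__main__":
    per_app, blockable = plan_transition(SAMPLE_LOG, BLOCK_CANDIDATES, INTERNAL_APPS)
    print("Allow only for these applications:", per_app)
    print("Block without exceptions:", blockable)
```

File types that appear under an internal application stay blocked for all other traffic; only the listed application gets the exception.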
