Transition File Blocking Profiles Safely to Best Practices
Apply File Blocking profiles to allow rules to protect
against risky file types used in malware campaigns without risking
Use the following guidance to help determine
whether to start with block or alert actions as you define the initial
File Blocking profiles and begin the transition to best practice
The best practice File Blocking profile will likely be
different for different types of applications and for different
areas of the network. For example:
If internal applications
depend on file type transfers that the best practice File Blocking
profile recommends blocking, you need to allow those file types for
those internal applications. Don’t allow those file transfer types
for all applications; allow them only for the necessary internal
For internet-based traffic, take a more restrictive approach
from the start to prevent attackers from delivering malicious files
and to reduce the attack surface.
For data center traffic, take a more restrictive approach
(with the exception of internal applications that depend on file
transfer types that you would otherwise block) to reduce the attack
surface and protect your most valuable assets.
For business-critical applications, start off with the alert
action for all file types.
Monitor the Data Filtering logs (
) to understand the file type
usage before configuring block actions for specific file types.
As you understand which file types your business-critical and internal
custom applications require, transition toward the best practice
File Blocking configuration for the internet gateway or the data center, modified
as necessary to support your business needs.
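
The monitoring step above can be turned into a transition plan. This is an added example, not code from the original page or the vendor: it tallies alert-phase log records by file type and application, then sorts a candidate block list into types with no observed use, types that need an exception scoped to named internal applications, and types whose observed transfers a block would stop. The CSV column names (`app`, `file_type`, `action`), the sample rows, the candidate block list and the application names are all constructed assumptions; map them to the columns and names in your own log export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of alert-phase log records. The column names (app,
# file_type, action) are assumptions; map them to the columns of your export.
SAMPLE_LOG = """app,file_type,action
hr-portal,pdf,alert
hr-portal,exe,alert
build-server,exe,alert
web-browsing,exe,alert
web-browsing,pdf,alert
build-server,jar,alert
"""

def usage_by_file_type(log_csv):
    """Return {file_type: {app: hit_count}} from CSV log text."""
    usage = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_csv)):
        usage[row["file_type"].strip().lower()][row["app"].strip()] += 1
    return {ft: dict(apps) for ft, apps in usage.items()}

def plan_transition(log_csv, candidate_block, internal_apps):
    """Classify each candidate file type for the move from alert to block.

    block_now:  no observed transfers, so blocking breaks nothing seen so far
    exceptions: internal apps that need an allow rule scoped to them only
    will_block: other apps whose observed transfers the block would stop
    """
    usage = usage_by_file_type(log_csv)
    plan = {"block_now": [], "exceptions": {}, "will_block": {}}
    for ft in sorted(t.lower() for t in candidate_block):
        apps = usage.get(ft, {})
        if not apps:
            plan["block_now"].append(ft)
            continue
        needed = sorted(a for a in apps if a in internal_apps)
        others = sorted(a for a in apps if a not in internal_apps)
        if needed:
            plan["exceptions"][ft] = needed
        if others:
            plan["will_block"][ft] = others
    return plan

if __name__ == "__main__":
    # Candidate block list and internal app names are constructed examples.
    print(plan_transition(SAMPLE_LOG, {"exe", "jar", "scr"}, {"hr-portal", "build-server"}))
```

The result reflects only the period the logs cover, so a file type listed under `block_now` may still be used by an application that was idle during that window.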