Cloud Managed

Block or monitor specific file types.
  1. Create the file blocking profile.
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > File Blocking and Add Profile.
    2. Enter a Name for the file blocking profile, such as Block_EXE.
    3. (Optional) Enter a Description, such as Block users from downloading exe files from websites.
  2. Configure the file blocking options.
    1. Add Rule and define a rule for the profile.
    2. Enter a Name for the rule, such as BlockEXE.
    3. Select Any or specify one or more specific Applications for filtering, such as web-browsing.
      Only web browsers can display the response page (continue prompt) that allows users to confirm their Choosing any other application results in blocked traffic for those applications because there is no prompt displayed to allow users to continue.
    4. Select Any or specify one or more specific File Types, such as exe.
    5. Specify the Direction, such as Download.
    6. Specify the Action (alert, block, or continue).
      For example, select continue to prompt users for confirmation before they are allowed to download an executable (.exe) file. Alternatively, you could block the specified files or you could configure your environment to simply trigger an alert when a user downloads an executable file.
      If a server sends an HTTP response header and the contents of a file in different packets, the file is blocked even if the action for that file type is continue.
    7. Select Save to save the profile.
  3. Create a security profile group and add the File Blocking profile created in step 2 to it.
  4. Apply the file blocking profile to a security rule.
    1. Select Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy and either select an existing security rule or Add Rule to create a new rule as described in Create a Security Policy Rule.
    2. On the Actions tab, select the file blocking profile you configured in the previous step. In this example, the profile name is Block_EXE.
    3. Push Config.
  5. To test your file blocking configuration, access an endpoint PC in the trust zone and attempt to download an executable file from a website in the untrust zone; a response page should display. Click Continue to confirm that you can download the file. You can also set other actions, such as alert or block, which don't provide an option for the user to continue the download. The following shows the default response page for File Blocking:
  6. (Optional) Define custom file blocking response pages (Manage > Configuration > NGFW and Prisma Access > Security Services > File Blocking > Response Pages). This allows you to provide more information to users when they see a response page. You can include information such as company policy information and contact information for a Helpdesk.
    When you create a file blocking profile with the continue action, you can choose only the web-browsing application. If you choose any other application, traffic that matches the security policy won't flow through because users are not prompted with an option to continue. Additionally, you need to configure and enable a decryption policy for HTTPS websites.
    Check your logs to determine the application used when you test this feature. For example, if you're using Microsoft SharePoint to download files, even though you're using a web browser to access the site, the application is actually sharepoint-base or sharepoint-document. (It can help to set the application type to Any for testing.)
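
The continue-action behaviour described in steps 2 and 6, modelled as an added Python example (not Palo Alto Networks code). The dict layout for profiles and rules and the function names are assumptions made for illustration, not a Strata Cloud Manager export format or API.

```python
# Added illustration: models the behaviour this page describes. The profile
# layout below is hypothetical, not a product export format.
CONTINUE_APP = "web-browsing"  # only application that can show the continue prompt


def _hit(values, value):
    """A rule field matches if it is 'any' or lists the session's value."""
    return "any" in values or value in values


def effective_action(rule, app, file_type, direction, split_header=False):
    """Return what happens to a transfer under one rule, or None if no match."""
    if not (_hit(rule["applications"], app)
            and _hit(rule["file_types"], file_type)
            and rule["direction"] == direction):
        return None
    if rule["action"] != "continue":
        return rule["action"]      # alert and block apply as configured
    if app != CONTINUE_APP or split_header:
        return "block"             # no prompt can be shown, so the file is blocked
    return "continue"


def lint_profile(profile):
    """Flag continue rules that can match applications with no prompt."""
    findings = []
    for rule in profile["rules"]:
        apps = set(rule["applications"])
        if rule["action"] == "continue" and apps != {CONTINUE_APP}:
            findings.append(
                f'{profile["name"]}/{rule["name"]}: continue with applications '
                f'{sorted(apps)} blocks matching non-browser traffic')
    return findings


# Constructed sample profile using the names from this page, with the
# application left at Any as suggested for testing.
BLOCK_EXE = {"name": "Block_EXE", "rules": [
    {"name": "BlockEXE", "applications": ["any"], "file_types": ["exe"],
     "direction": "download", "action": "continue"}]}

if __name__ == "__main__":
    rule = BLOCK_EXE["rules"][0]
    for app in ("web-browsing", "sharepoint-base"):
        print(app, "->", effective_action(rule, app, "exe", "download"))
    print(lint_profile(BLOCK_EXE))
```
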