End-of-Life (EoL)

Set Up File Blocking Profiles

File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice when the browser attempts to download something they were not aware of. For policy rules that allow general web browsing, be stricter with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a stricter file blocking profile that also blocks portable executable (PE) files.
  1. Configure a File Blocking profile for general use.
    1. Select Objects > Security Profiles > File Blocking and click Add.
    2. Enter a Name for the file blocking profile, for example general-file-blocking.
    3. Optionally enter a Description, such as block-risky-apps. Click Add to define the profile settings.
    4. Enter a Name, such as block-risky.
    5. Set File Types to block. For example, Add the following: bat, dll, jar, hlp, lnk, and torrent.
    6. Leave the Direction set to both.
    7. Set the Action to block.
    8. Add a second rule and enter a Name, for example continue exe and archive.
    9. Set File Types to continue. For example, Add the following: PE, zip and rar.
    10. Leave the Direction set to both.
    11. Set the Action to block.
    12. Click OK to save the profile.
  2. Configure a File Blocking profile for risky traffic.
    When users are web browsing it is much more likely that they will download a malicious file unintentionally. Therefore, it is important to attach a stricter file blocking policy than you would attach to Security policy rules that allow access to less risk-prone application traffic.
    1. On the Objects > Security Profiles > File Blocking page, select the file blocking profile you just created for general traffic and click Clone. Select the profile to clone and click OK.
    2. Select the cloned profile and give it a new Name, such as strict-block-risky-apps.
    3. Click in the File Types section of the block rule and Add the PE file type.
    4. Click in the File Types section of the continue rule, select PE and click Delete.
    5. Click OK to save the profile.
  3. Attach the file blocking profile to the security policies that allow access to content.
    1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
    2. Click the Actions tab within the security policy.
    3. In the Profile Settings section, click the drop-down and select the file blocking profile you created.
      If you don’t see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.
  4. Enable response pages in the management profile for each interface on which you are attaching a file blocking profile with a continue action.
    1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
    2. Select Response Pages, as well as any other management services required on the interface.
    3. Click OK to save the interface management profile.
    4. Select Network > Interfaces and select the interface to which to attach the profile.
    5. On the Advanced > Other Info tab, select the interface management profile you just created.
    6. Click OK to save the interface settings.
  5. Save the configuration.
    1. Click Commit.
  6. Test the file blocking configuration.
    From a client PC in the trust zone of the firewall, attempt to download an .exe file from a website in the Internet zone. Make sure the file is blocked as expected based on the action you defined in the file blocking profile:
    • If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
    • If you selected block as the action, the File Blocking Block Page response page should display.
    • If you selected the continue action, the File Blocking Continue Page response page should display. Click Continue to download the file. The following shows the default File Blocking Continue Page.
    [Image: fileblock-RespPg.png]
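
To review profiles offline after the commit, the following added example (not part of the original documentation) audits an exported file-blocking section against the file-type lists recommended above. The XML element layout, the sample data and the function names are assumptions; adjust the paths to match your actual configuration export.

```python
import xml.etree.ElementTree as ET

# File types the page says to block outright, and those that must at least
# trigger a continue prompt (PE moves to the block list in the strict profile).
MUST_BLOCK = {"bat", "dll", "jar", "hlp", "lnk", "torrent"}
MUST_PROMPT = {"PE", "zip", "rar"}

# Constructed sample; the element layout is an assumption, not a real export.
SAMPLE = """
<file-blocking>
  <entry name="general-file-blocking">
    <rules>
      <entry name="block-risky">
        <file-type><member>bat</member><member>dll</member><member>jar</member>
          <member>hlp</member><member>lnk</member></file-type>
        <direction>both</direction><action>block</action>
      </entry>
      <entry name="continue exe and archive">
        <file-type><member>PE</member><member>zip</member><member>rar</member></file-type>
        <direction>download</direction><action>continue</action>
      </entry>
    </rules>
  </entry>
</file-blocking>
"""

def audit_profile(profile, strict=False):
    """Return sorted findings for one <entry> under <file-blocking>."""
    covered = {"block": set(), "continue": set()}
    for rule in profile.iterfind("rules/entry"):
        action = rule.findtext("action", "alert")
        # Only rules that apply to upload and download count as coverage.
        if action in covered and rule.findtext("direction") == "both":
            covered[action] |= {m.text for m in rule.iterfind("file-type/member")}
    must_block = MUST_BLOCK | ({"PE"} if strict else set())
    prompt = MUST_PROMPT - must_block
    findings = [f"{t}: not blocked in both directions" for t in must_block - covered["block"]]
    handled = covered["block"] | covered["continue"]
    findings += [f"{t}: no block or continue rule in both directions" for t in prompt - handled]
    return sorted(findings)

def audit(xml_text, strict_names=()):
    # strict_names: profiles attached to general web-browsing rules.
    root = ET.fromstring(xml_text)
    return {p.get("name"): audit_profile(p, p.get("name") in strict_names)
            for p in root.iterfind("entry")}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "OK")
```

The constructed sample deliberately omits torrent from the block rule and limits the continue rule to downloads, so the audit reports four findings for it.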
