Set Up File Blocking

The following workflow shows how to set up a basic File Blocking profile. This example shows how to set up a profile that prompts users to continue before downloading .exe files from websites.
  1. Create the file blocking profile.
    1. Select
      Objects
      Security Profiles
      File Blocking
      and click
      Add
      .
    2. Enter a
      Name
      for the file blocking profile, for example
      Block_EXE
      . Optionally enter a
      Description
      , such as
      Block users from downloading exe files from websites
      .
  2. Configure the file blocking options.
    1. Click
      Add
      to define the profile settings.
    2. Enter a
      Name
      , such as
      BlockEXE
      .
    3. Set the
      Applications
      for filtering, for example web-browsing.
    4. Set
      File Types
      to
      exe
      .
    5. Set the
      Direction
      to
      download
      .
    6. Set the
      Action
      to
      continue
      . By choosing the continue option, users will be prompted with a response page prompting them to click continue before the file will be downloaded.
    7. Click
      OK
      to save the profile.
  3. Apply the file blocking profile to a security policy.
    1. Select
      Policies
      Security
      and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
    2. Click the
      Actions
      tab within the policy rule.
    3. In the Profile Settings section, click the drop-down and select the file blocking profile you configured. In this case, the profile name is
      Block_EXE
      .
    4. Commit
      the configuration.
    If no security profiles have been previously defined, select the
    Profile
    Type
    drop-down and select
    Profiles
    . You will then see the list of options to select the security profiles.
  4. To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download an .exe file from a website in the untrust zone. A response page should display. Click
    Continue
    to download the file. You can also set other actions, such as alert or block, which will not provide a continue page to the user. The following shows the default response page for File Blocking:
    fileblock-RespPg.png
  5. (Optional) Define custom file blocking response pages (
    Device
    Response Pages
    ). This allows you to provide more information to users when they see a response page. You can include information such as company policy information and contact information for a Helpdesk.
    When you create a file blocking profile with the action continue, you can only choose the application web-browsing. If you choose any other application, traffic that matches the security policy will not flow through the firewall due to the fact that the users will not be prompted with a continue page. Also, if the website uses HTTPS, you will need to have a decryption policy in place.
    You may want to check your logs to confirm what application is being used when testing this feature. For example, if you are using Microsoft SharePoint to download files, even though you are using a web-browser to access the site, the application is actually
    sharepoint-base
    , or
    sharepoint-document
    . You may want to set the application type to Any for testing.

Related Documentation