The following workflow shows how to set up a basic File Blocking profile. This example shows how to set up a profile that prompts users to continue before downloading .exe files from websites.
- Create the file blocking profile.
- Selectand clickObjectsSecurity ProfilesFile BlockingAdd.
- Enter aNamefor the file blocking profile, for exampleBlock_EXE. Optionally enter aDescription, such asBlock users from downloading exe files from websites.
- Configure the file blocking options.
- ClickAddto define the profile settings.
- Enter aName, such asBlockEXE.
- Set theApplicationsfor filtering, for example web-browsing.
- SetFile Typestoexe.
- Set theDirectiontodownload.
- Set theActiontocontinue. By choosing the continue option, users will be prompted with a response page prompting them to click continue before the file will be downloaded.
- ClickOKto save the profile.
- Apply the file blocking profile to a security policy.
If no security profiles have been previously defined, select theProfileTypedrop-down and selectProfiles. You will then see the list of options to select the security profiles.
- Selectand either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.PoliciesSecurity
- Click theActionstab within the policy rule.
- In the Profile Settings section, click the drop-down and select the file blocking profile you configured. In this case, the profile name isBlock_EXE.
- Committhe configuration.
- To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download an .exe file from a website in the untrust zone. A response page should display. ClickContinueto download the file. You can also set other actions, such as alert or block, which will not provide a continue page to the user. The following shows the default response page for File Blocking:
- (Optional) Define custom file blocking response pages (). This allows you to provide more information to users when they see a response page. You can include information such as company policy information and contact information for a Helpdesk.DeviceResponse PagesWhen you create a file blocking profile with the action continue, you can only choose the application web-browsing. If you choose any other application, traffic that matches the security policy will not flow through the firewall due to the fact that the users will not be prompted with a continue page. Also, if the website uses HTTPS, you will need to have a decryption policy in place.You may want to check your logs to confirm what application is being used when testing this feature. For example, if you are using Microsoft SharePoint to download files, even though you are using a web-browser to access the site, the application is actuallysharepoint-base, orsharepoint-document. You may want to set the application type to Any for testing.