You configure File Blocking on a Palo Alto Networks (PAN) Firewall to protect your network and endpoints from Malware infected files (exe, PDF, etc.). This is also used for Data Loss Prevention (DLP) strategy in order to
protect the company's Intellectual Property (IP) and other sensitive files from leaving the network.
Leave the default Name selected > click OK.
Click basic file blocking-1 to edit.
Type a Name (FILE-BLOCK-1).
Under File Types column > click on any file type > Add > type/search pdf.
Click OK.
To apply the File Blocking Security Profile, go to Policies > Security > Actions tab > Profile Setting > File Blocking > select FILE-BLOCK-1 created earlier > click OK.
Click Commit.
I got a File Transfer Blocked error. The PAN Firewall easily detected and blocked the executable file since it's an HTTP traffic.
To view File Blocking logs, go to Monitor > Logs > Data Filtering
Notice the Source Port is 80 (HTTP) and under Details the File Name Tftpd32-4.52-setup.exe was detected.
To configure Data Filtering Security Profile, go to Objects > Security Profiles > Data Filtering > click Add (at the bottom).
Type a Name (DATA-FILTER-1) > under Data Pattern > click Add.
Click New > click on the double arrow icon > Data Pattern.
Type a Name (DATA-PATTERN-CCARD) > Pattern Type: Predefined Pattern.
Under Name > click Add > select Credit Card Numbers. Click OK.
Click OK.
Click OK.
For this lab, I modified the Alert Threshold and Block Threshold to a count of 1 > change Log Security to Critical > click OK.
To apply the Data Filtering Security Profile, go to Policies > Security > click Rule #1 (Allow-Inside-Out) > under Actions > Profile Setting > Data Filtering > select DATA-FILTER-1 created earlier > click OK.
Click Commit.
To test, I tried to download a list of credit card numbers (100 CC Records) from this site.
I got a Data Transfer Blocked error.
To monitor Data Filtering log, go to Monitor > Logs > Data Filtering.
To create
a File Blocking Security Profile, go to Objects > Security Profiles >
File Blocking.
There are
two File Blocking configured by default: basic file blocking and strict file
blocking.
Click on
basic file blocking > Clone (at the bottom).
Leave the default Name selected > click OK.
Click basic file blocking-1 to edit.
Type a Name (FILE-BLOCK-1).
Under File Types column > click on any file type > Add > type/search pdf.
Click OK.
To apply the File Blocking Security Profile, go to Policies > Security > Actions tab > Profile Setting > File Blocking > select FILE-BLOCK-1 created earlier > click OK.
Click Commit.
You'll
need the SSL Decryption policy configured and CA Cert imported to client machine in
order to enforce File Blocking for HTTPS traffic.
I tried
to download an installer for TFTP server which is executable (.exe) file.
I got a File Transfer Blocked error. The PAN Firewall easily detected and blocked the executable file since it's an HTTP traffic.
I tried
to download a PDF file via HTTPS. The PDF file was blocked since the PAN
Firewall performed deep packet inspection (SSL Decryption) and
enforced the File Blocking policy.
To view File Blocking logs, go to Monitor > Logs > Data Filtering
Click the
magnifying glass icon to get a Detailed Log View. Notice the Flags for
Decrypted and under Details the downloaded File Name
cybersecurity-survival-guide-3rd-edition.pdf was detected
Notice the Source Port is 80 (HTTP) and under Details the File Name Tftpd32-4.52-setup.exe was detected.
To configure Data Filtering Security Profile, go to Objects > Security Profiles > Data Filtering > click Add (at the bottom).
Type a Name (DATA-FILTER-1) > under Data Pattern > click Add.
Click New > click on the double arrow icon > Data Pattern.
Type a Name (DATA-PATTERN-CCARD) > Pattern Type: Predefined Pattern.
Under Name > click Add > select Credit Card Numbers. Click OK.
Click OK.
Click OK.
For this lab, I modified the Alert Threshold and Block Threshold to a count of 1 > change Log Security to Critical > click OK.
To apply the Data Filtering Security Profile, go to Policies > Security > click Rule #1 (Allow-Inside-Out) > under Actions > Profile Setting > Data Filtering > select DATA-FILTER-1 created earlier > click OK.
Click Commit.
To test, I tried to download a list of credit card numbers (100 CC Records) from this site.
I got a Data Transfer Blocked error.
To monitor Data Filtering log, go to Monitor > Logs > Data Filtering.
Click the
magnifying glass icon to get a Detailed Log View.
Notice
under Details > Context > it matched the DATA-PATTERN-CCARD rule which is
the Predefined Pattern for US Credit Card Numbers.