topic Re: Blocking EXE files but allowing file names in General Topics

Blocking EXE files but allowing file names

Jack_Howells — Mon, 27 Jun 2016 16:18:11 GMT

Hi guys,

I'm trying to block .exe files, but allow file names for some users.

For example, I would like to allow the GoToMeetingLauncher.exe for GoToMeeting webinars, but the links look like the below which means it can't be done.

https://download.citrixonline.com/launcher2/helper?token=e0-qZ0xbknQkdODLP_tA0HpRDCszfG5OkCLe4-4_8LabqVRaLatg9Q4O519wF6GlqPnLvKAVHZz9kXX346UVgmp5gTJaxWPhQZgKI-VAp8hlZX6-AQjQkiwjOQMFgW9z0-9JRcDHvBx31IUAD3a5RPg4vZWzqgmTyt4wN3Q-noL5JMG0ROJk--2QVj_ACF044_X8yv9lbRd8kPJC58Gq0jWtCzE-DLtGHU1xZioBDd6IWLyOm3FbllUjg9Aw4v93px8maTbbN5Y2DuYkSoXE0Mshf85BwSxvxNMP8Pdu5Kq0jzU01CKvkzBs69l8Ux53V9MWLFa7fqWrbyRwh7fjTHl7TXTi4gKqaPZmlL8AM9OD6QA0e18jX1tqH1Ycl2kRVHLIM2GCrTTSRmr60i3cY34dXx82DTk3FHB5NIx4dobWpvepQLFOWbdeO6v_CTeXBtYB1VNiVY1mwT9UhzCt-DE0nSOYGJA7M75AMlIstRfTxmpB-xR&downloadTrigger=restart&renameFile=1

https://live.paloaltonetworks.com/t5/Management-Articles/Can-Files-be-Blocked-by-Name/ta-p/54157

Anyone have an insight as to what they have done before, or what could be done?

Kind regards

Jack

Re: Blocking EXE files but allowing file names

Raido_Rattameister — Mon, 27 Jun 2016 16:31:02 GMT

Create custom URL category.

Add download.citrixonline.com into it.

Allow download of executables (for specific users) from that URL category.

Re: Blocking EXE files but allowing file names

Jack_Howells — Tue, 28 Jun 2016 13:23:36 GMT

Hi Raido,

Hmm, thanks for your response but this didn't work.

I have created the custom category and set it to Alert for the policy that applies to me but when I tri the download again this is still being blocked. It doesn’t seem to override the file block policy. Is there a different way of doing this?

Cheers

Jack

Re: Blocking EXE files but allowing file names

Raido_Rattameister — Tue, 28 Jun 2016 13:31:49 GMT

You have to have 2 seperate security policies and 2 seperate File Blocking profiles.

Top sec policy will allow download of executables and you have URL category attached to it.

Re: Blocking EXE files but allowing file names

Jack_Howells — Wed, 29 Jun 2016 12:43:08 GMT

Hi,

I can go to the website and download the launcher fine, it’s other websites that I can’t access anymore (because I set all other categories to Block). In my mind I’m expecting to hit the top policy for downloads only (hence blocking everything else) then hit the regular policy below for all other traffic.

Re: Blocking EXE files but allowing file names

Brandon_Wertz — Wed, 29 Jun 2016 14:26:12 GMT

Palo is a "top down ACL" so if you're using all the same parameters except just chaning a profile the rules below the one above should be shadowed and not hit.

When you committed did you get a "shadowed rule" warning message?

Re: Blocking EXE files but allowing file names

Jack_Howells — Wed, 29 Jun 2016 15:02:44 GMT

Yeah so essentially, the match conditions are the same, so the traffic will hit the first rule that it applies to regardless of what file blocking profile you have.

Is there any workaround for this at all? Would it be possible to setup an Untrust to Trust policy from the web server of where you're downloading from, which then has an alternate file blocking profile to allow this specific traffic I'm trying to download an EXE of?

Re: Blocking EXE files but allowing file names

Brandon_Wertz — Wed, 29 Jun 2016 15:09:52 GMT

The work around is a roll-up or integration of all match conditions and desired accesses/restirctions for the desired user security group.

Re: Blocking EXE files but allowing file names

Jack_Howells — Wed, 29 Jun 2016 15:35:29 GMT

Could you decipher that please..

Re: Blocking EXE files but allowing file names

Brandon_Wertz — Wed, 29 Jun 2016 16:57:17 GMT

For the sake of arguement:

Rule 1

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category --> Allow --> URL Profile A (Block Everything) / File Blocking Profile (Can transfer .pdfs only)

Rule 2

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category --> Allow --> URL Profile A (Allow Everything) / File Blocking Profile (Can transfer .pdfs only)

Rule 1 will shadow rule 2 because it's the same base session match criteria. The application web-browsing will be allowed but the palo doesn't know which rule should "hit" WRT your URL match criteria.

Really the easiest way to do what you want is to do as Raido said.

1. Create a Custom URL category (Call it whatever "Meeting") --> Add the URL download.citrixonline.com

2. Create a File Blocking Profile ("EXE Allow") --> Allow exe files to download

3. Create Rule

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> "Meeting" --> Allow --> NO URL PROFILE / File Blocking Profile "EXE Allow"

have this rule be above your "Security Group A" "Web-Browsing" rule. This above rule will only allow users access to the URL "download.citrixonline.com" and will allow them to download .exe files.

Re: Blocking EXE files but allowing file names

Jack_Howells — Thu, 30 Jun 2016 10:33:59 GMT

Hi Brandon,

Thanks for your reply.

Adding the download.citrix URL to the category alone didn't resolve the issue, however I believe I have fixed it. In the traffic logs, when accessing the GoToMeeting link I saw an IP address which then after an nslookup resolved to apiglobal.gotomeeting.com. I added this as well to the custom URL category which allowed me to use GoToMeeting and still block EXE files.

Thanks for your help

Jack