<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic External email attachments in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145888#M49113</link>
    <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;We allow our users to check personal email externally (gmail/yahoo/etc). I'd like to prevent them from downloading attachments from these external emails if&amp;nbsp;possible. Can this be done and how?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Reason being, downloading attachments directly to the desktop bypasses our other lines of defense. We'd like to force them to forward said message to a work email address and allow our mail&amp;nbsp;appliances to do their job.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edited: I suppose I should have mentioned LOL, we use a Palo Alto Next Firewall for our edge device.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any suggestions...&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Mark&lt;/P&gt;</description>
    <pubDate>Thu, 02 Mar 2017 21:37:09 GMT</pubDate>
    <dc:creator>Crash28</dc:creator>
    <dc:date>2017-03-02T21:37:09Z</dc:date>
    <item>
      <title>External email attachments</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145888#M49113</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;&lt;P&gt;We allow our users to check personal email externally (gmail/yahoo/etc). I'd like to prevent them from downloading attachments from these external emails if&amp;nbsp;possible. Can this be done and how?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Reason being, downloading attachments directly to the desktop bypasses our other lines of defense. We'd like to force them to forward said message to a work email address and allow our mail&amp;nbsp;appliances to do their job.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Edited: I suppose I should have mentioned LOL, we use a Palo Alto Next Firewall for our edge device.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any suggestions...&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Mark&lt;/P&gt;</description>
      <pubDate>Thu, 02 Mar 2017 21:37:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145888#M49113</guid>
      <dc:creator>Crash28</dc:creator>
      <dc:date>2017-03-02T21:37:09Z</dc:date>
    </item>
    <item>
      <title>Re: External email attachments</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145914#M49115</link>
      <description>&lt;P&gt;short answer: file blocking&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/set-up-file-blocking" target="_blank"&gt;https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/set-up-file-blocking&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;longer answer: especially with email sites, it will require decryption as Palo Alto won't be able to see the traffic otherwise.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Mar 2017 02:44:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145914#M49115</guid>
      <dc:creator>bradk14</dc:creator>
      <dc:date>2017-03-03T02:44:26Z</dc:date>
    </item>
    <item>
      <title>Re: External email attachments</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145952#M49119</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/30157"&gt;@Crash28&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;In a very round-about way you could get something like this to function as is, even without decryption to an extent. You would need to gather the IP addresses for gmail, yahoo, and any other email service (I recommend setting up MineMeld for this). I'm not positive if there is a miner&amp;nbsp;for this already, but Google makes it pretty easy to get the IP ranges being used. Once you have the IP ranges you could create a rule with a special file blocking profile to block all of the attachments from that range, then you would just have to notify your employees of the changes.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In general though, if you're allowing users to check personal email at work I wouldn't really recommend doing something like this; you're going to increase support calls by quite a bit since the download is going to fail. If this is a legitimate concern I would just get the okay to block personal email access.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 03 Mar 2017 14:18:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145952#M49119</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-03-03T14:18:59Z</dc:date>
    </item>
    <item>
      <title>Re: External email attachments</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145956#M49122</link>
      <description>&lt;P&gt;&amp;gt;In a very round-about way you could get something like this to function as is, even without decryption to an extent.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;not trying to be combative, but how so? gmail forces https, for example, and with https, all the headers are encrypted. you can't tell someone is requesting an exe resource, let alone analyze the traffic to determine it's a PE (which is what PA is actually doing with file blocking), so I'm at a loss seeing how it'll work?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;but if I am misunderstanding, please let me know.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Mar 2017 15:01:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145956#M49122</guid>
      <dc:creator>bradk14</dc:creator>
      <dc:date>2017-03-03T15:01:40Z</dc:date>
    </item>
    <item>
      <title>Re: External email attachments</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145980#M49126</link>
      <description>&lt;P&gt;Nope, that's my bad. I just took another look at what I've configured previously and it wasn't a file block, it was a QOS profile that just made it painfully slow to download anything from those sites in an attempt to get people to stop doing it. To truly file block you would need the decryption profile to be set up. That's my bad, I thought that we had configured it to block it altogether.&amp;nbsp;&lt;/P&gt;&lt;P&gt;That being said, you could do the custom QOS profile and QOS policy and just make it really inconvenient for them in an attempt to get them to stop doing it if you aren't in a position to just decrypt the traffic.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 03 Mar 2017 17:32:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-email-attachments/m-p/145980#M49126</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-03-03T17:32:31Z</dc:date>
    </item>
  </channel>
</rss>

