https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385949#M90186 <P>ah yes RDP</P><P>Microsoft put in some nifty (and prorietary) encryption that prevents the firewall from blocking files being copied</P><P>you can, however, control which actions are allowed by users in the RDP configuration tself on the server, so you can push out Global Policies that prevent files from being copied when users are connected via RDP (and have users use SMB instead, which you can control)</P> Mon, 15 Feb 2021 13:13:30 GMT reaper 2021-02-15T13:13:30Z https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385853#M90173 <P>Hello,</P><P>&nbsp;</P><P>I have one query:-</P><P>If, I am connected with GP VPN and. I want to prevent the users can not copy files or data from the shared folder and server.</P><P>is it possible?</P> Mon, 15 Feb 2021 05:46:53 GMT https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385853#M90173 Jafar_Hussain 2021-02-15T05:46:53Z https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385932#M90181 <P>hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/124013">@Jafar_Hussain</a>&nbsp;</P><P>&nbsp;</P><P>yes this is possible in multiple ways:</P><P>&nbsp;</P><P>you can restrict access via security rules or security profiles:</P><UL><LI>in the security rules you could block access to a server completely (block rule),</LI><LI>or only allow certain applications. some applications are even split up in file sharing 'child' applications and other functionality, so you could allow some functionality but block file transfers</LI><LI>additionally you can add file blocking profiles that prevent some or all filetypes from being transmitted in one direction or both: you could set up a security rule that allows a file transfer application, but then add a security profile (file blocking profile) that only allows uploads and blocks downloads</LI></UL> Mon, 15 Feb 2021 12:33:56 GMT https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385932#M90181 reaper 2021-02-15T12:33:56Z https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385944#M90184 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;</P><P>Thanks for the information.</P><P>First of all, i can not block completely server access. i need to block only copy files from the server or to the server.</P><P>I have tried to block the copy file by the file blocking profile but still i am able to copy file via VPN.</P><P>Below is the configuration description that I already tried.</P><P>&nbsp;</P><P>File blocking profile:-</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jafar_Hussain_0-1613393336891.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29932i5876BFE46E1B9284/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Jafar_Hussain_0-1613393336891.png" alt="Jafar_Hussain_0-1613393336891.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Security rule:-</P><P>&nbsp;</P><P>Source zone - GP zone, inside zone</P><P>user - any</P><P>Source address Address - Any</P><P>Destination Zone - GP zone, Inside zone</P><P>Application - ms-rdp</P><P>Service - Any</P><P>Action - Allow</P><P>Profile - File blocking test</P><P>&nbsp;</P><P>This scenario i tried but unable to block.</P> Mon, 15 Feb 2021 12:52:51 GMT https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385944#M90184 Jafar_Hussain 2021-02-15T12:52:51Z https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385949#M90186 <P>ah yes RDP</P><P>Microsoft put in some nifty (and prorietary) encryption that prevents the firewall from blocking files being copied</P><P>you can, however, control which actions are allowed by users in the RDP configuration tself on the server, so you can push out Global Policies that prevent files from being copied when users are connected via RDP (and have users use SMB instead, which you can control)</P> Mon, 15 Feb 2021 13:13:30 GMT https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385949#M90186 reaper 2021-02-15T13:13:30Z https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385950#M90187 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;</P><P>As per my understanding, you are saying we need to block only smb application from the Paloalto?</P><P>Mainly, we need to prevent users from copying files from shared folders to their systems when they access through VPN. Also, i want to know, how to do that for access over RDP.</P> Mon, 15 Feb 2021 13:23:05 GMT https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385950#M90187 Jafar_Hussain 2021-02-15T13:23:05Z https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385960#M90189 <P>no: you can't block file transfer via RDP in the firewall because microsoft built in an encryption that can't be deciphered by the firewall</P><P>&nbsp;</P><P>it IS possible to disable filetransfer through RDP via GPO :</P><P>&nbsp;</P><P><A href="https://social.technet.microsoft.com/Forums/en-US/f07b2557-27fd-484f-9a62-635057959214/disable-file-transfercopy-paste-for-rds?forum=winserverTS" target="_blank">https://social.technet.microsoft.com/Forums/en-US/f07b2557-27fd-484f-9a62-635057959214/disable-file-transfercopy-paste-for-rds?forum=winserverTS</A></P><P>&nbsp;</P> Mon, 15 Feb 2021 14:30:58 GMT https://live.paloaltonetworks.com/t5/general-topics/data-copying-over-global-protect-vpn/m-p/385960#M90189 reaper 2021-02-15T14:30:58Z