Using file blocking and wildfire profiles together

L2 Linker

Using file blocking and wildfire profiles together

Hi Guys,

 

Please can someone explain to me why we would use the file blocking profile as well as the WildFire profile on the same security rule.

What I understand is that once the file is blocked there is no need to send it for WildFire analysis. Please correct me.

Now, what will happen if the file is allowed? Will it be sent for analysis, and meanwhile what will happen: will the user receive the file, or will it wait for the verdict and the required action be taken?

 

Thanks

L7 Applicator

Re: Using file blocking and wildfire profiles together

I think you are confusing two different things, and not really aiming for a best practice here. 

1) File Blocking would generally be used if you want to block a type of file completely. No need for WildFire to check a PE file if you are blocking PE files through file blocking on that specific rule.

2) WildFire will analyze the file's hash and perform a hash check with WildFire. If the file is already known it will take the known action; if the hash isn't known then it will forward the file to be analyzed.

 

If you are blocking the files that WildFire can perform analysis on, I'm not sure why you would include a WildFire policy on that. The files are already going to get blocked, why would you need WildFire at that point?

Where WildFire comes in handy is if you have a business need to allow a certain function, such as MS Office documents, you can block anything that is known bad. Even if it does make it to WildFire and the user gets the document, WildFire will provide you an alert and tell you that the file was allowed, who it was destined for, and what exactly it did. So you can quickly tell your helpdesk that such and such got installed, here's what it did, and here's how to get rid of it. 

L2 Linker

Re: Using file blocking and wildfire profiles together

Hi BPry,

 

Thanks a lot for your response. Kindly can you clarify the below further.

2) WildFire will analyze the file's hash and perform a hash check with WildFire. If the file is already known it will take the known action; if the hash isn't known then it will forward the file to be analyzed. (What will happen to the unknown file while we wait for the results? Will it be delivered to the user?)

So, to understand and make it clear for myself: is it not recommended to have a file blocking and a WildFire profile at the same time on a security rule, or does it depend on your requirement? Maybe they can be applied in a scenario where we want to block some files using the FB profile and allow some files, but only after WF analysis.

 

Thanks

 

L7 Applicator

Re: Using file blocking and wildfire profiles together

Okay so this really depends on what your policy is actually going to look like. Say for instance I have a basic rule that looks like this. 

LTSB-Users {
  option {
    disable-server-response-inspection no;
  }
  from inside;
  to outside;
  source 10.191.0.0/16;
  destination any;
  source-user cn=ltsb-users,ou=groups,ou=ltsb,dc=wisleg,dc=root,dc=local;
  category any;
  application any;
  service [ quic service-http service-https];
  hip-profiles any;
  log-start yes;
  log-end yes;
  negate-source no;
  negate-destination no;
  action allow;
  disabled no;
  tag [ "User Focused" INSIDE];
  description "Allow Web browsing to anywhere";
  profile-setting {
    group LTSB-Profile;
  }
  log-setting Solarwinds-Email;
}
So that rule could potentially allow any files to be downloaded. What I might want to do is apply a file-blocking profile that says they can't download things like jar, apk, flash, and the like. However, I still need to allow these users to download ms-office, pdf, pe and the like. In this scenario I actually would have a file-blocking profile assigned for the files that I know I don't want them to download, but then I would assign a WildFire Analysis profile so that it can catch everything else that is still allowed to pass through that policy.

L2 Linker

Re: Using file blocking and wildfire profiles together

Hi BPry,

 

Thanks for the response, and I really appreciate your efforts.

So when and how will the WildFire action be taken, as in the new version the WildFire action has been removed from the file blocking profile?

Another question with regards to file blocking is how we can block files accessed to/from shared folders in Windows.

Today I applied a file blocking profile to a server and client and blocked .xls, .exe etc., but the files were still able to be accessed. Please can you guide me on this.

L7 Applicator

Re: Using file blocking and wildfire profiles together

@mahmoodm,

Look in the AntiVirus profile, you'll find WildFire action there. 

 

Does your firewall actively see the traffic from your server to the client? 

L7 Applicator

Re: Using file blocking and wildfire profiles together

WildFire 'action' in regards to files being uploaded works in tandem with the file blocking profile: any files that are blocked in the same security policy as the WildFire profile will not be uploaded. Uploads can only be performed on extensions that are allowed to pass through the firewall.

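The order of evaluation that the replies above describe (file blocking first, the Antivirus profile's WildFire action for hashes that already have a verdict, and WildFire Analysis forwarding only for files that were allowed through), as an added example that is not Palo Alto Networks code, firewall output, or anything posted in this thread. The profile names, file types, hashes and file events are constructed, and the model assumes the behaviour the thread states: an unknown file is forwarded and delivered while its verdict is pending, and a blocked file never reaches WildFire.

```python
"""Model of a security rule with both a File Blocking profile and a WildFire
Analysis profile attached. Added example, not Palo Alto Networks code.

Evaluation order modeled (as described in the thread, with the Antivirus
profile carrying the WildFire action for already-known hashes):
  1. file blocking decides first; a blocked file is never sent to WildFire;
  2. a hash WildFire already knows as malicious gets the Antivirus profile's
     WildFire action (the "known action");
  3. an unknown hash matching the WildFire Analysis profile is forwarded and,
     in this model, the file is delivered while the verdict is pending.
All names, hashes and events below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class FileBlockingRule:
    file_types: set        # file types the rule matches; "any" matches all
    direction: str         # "upload", "download" or "both"
    action: str            # "block", "alert" or "continue"


@dataclass
class WildFireRule:
    file_types: set
    direction: str
    analysis: str          # "public-cloud" or "private-cloud"


@dataclass
class SecurityRule:
    name: str
    file_blocking: list    # ordered FileBlockingRule list, first match wins
    wildfire: list         # ordered WildFireRule list, first match wins
    av_wildfire_action: str = "reset-both"   # assumed Antivirus profile WildFire action


@dataclass
class FileEvent:
    name: str
    file_type: str
    direction: str         # "upload" or "download"
    sha256: str


@dataclass
class Outcome:
    delivered: bool = False
    forwarded: bool = False
    verdict: str = "not-analyzed"
    log: list = field(default_factory=list)


def _matches(file_types, direction, event):
    type_ok = "any" in file_types or event.file_type in file_types
    dir_ok = direction == "both" or direction == event.direction
    return type_ok and dir_ok


def evaluate(rule, event, known_verdicts):
    """Outcome for one file transfer through `rule`.
    `known_verdicts` maps sha256 -> verdict WildFire has already returned."""
    out = Outcome()
    # 1. File Blocking profile: the first matching rule decides.
    for fb in rule.file_blocking:
        if _matches(fb.file_types, fb.direction, event):
            out.log.append(f"file-blocking: {event.file_type}/{event.direction} -> {fb.action}")
            if fb.action == "block":
                out.verdict = "blocked"
                return out          # blocked here, so never forwarded to WildFire
            break
    # 2. Known malicious hash: the Antivirus profile's WildFire action applies.
    known = known_verdicts.get(event.sha256)
    if known == "malicious":
        out.verdict = "malicious"
        out.log.append(f"antivirus: WildFire signature hit -> {rule.av_wildfire_action}")
        out.delivered = rule.av_wildfire_action == "alert"
        return out
    # 3. Allowed file: delivered now; unknown hashes matching the WildFire
    #    Analysis profile are forwarded and the verdict arrives later.
    out.delivered = True
    if known == "benign":
        out.verdict = "benign"
    for wf in rule.wildfire:
        if _matches(wf.file_types, wf.direction, event):
            if known == "benign":
                out.log.append("wildfire: hash already benign, no upload")
            else:
                out.forwarded = True
                out.verdict = "pending"
                out.log.append(f"wildfire: unknown hash, forwarded to {wf.analysis}")
            break
    return out


def example_rule():
    # Mirrors the scenario in the thread: block jar/apk/flash, let office/pdf/pe
    # through and hand them to WildFire. Constructed, not a real profile.
    return SecurityRule(
        name="LTSB-Users",
        file_blocking=[FileBlockingRule({"jar", "apk", "flash"}, "both", "block")],
        wildfire=[WildFireRule({"ms-office", "pdf", "pe"}, "both", "public-cloud")],
    )


# Constructed verdict cache: these hashes are placeholders, not real samples.
CONSTRUCTED_VERDICTS = {"b" * 64: "malicious", "c" * 64: "benign"}


def run_example():
    rule = example_rule()
    events = [
        FileEvent("game.jar", "jar", "download", "a" * 64),        # blocked by FB
        FileEvent("quarterly.pdf", "pdf", "download", "d" * 64),   # unknown, forwarded
        FileEvent("setup.exe", "pe", "download", "b" * 64),        # known malicious
        FileEvent("known_good.pdf", "pdf", "download", "c" * 64),  # known benign
        FileEvent("notes.txt", "txt", "download", "e" * 64),       # no profile matches
    ]
    return {e.name: evaluate(rule, e, CONSTRUCTED_VERDICTS) for e in events}


if __name__ == "__main__":
    for name, out in run_example().items():
        print(f"{name:16} delivered={out.delivered!s:5} forwarded={out.forwarded!s:5} verdict={out.verdict}")
        for line in out.log:
            print("   ", line)
```

Running the script shows the point of attaching both profiles to one rule: the jar never generates a WildFire upload, the known-malicious PE is stopped by the Antivirus profile's WildFire action without a second upload, and only the unknown PDF is forwarded, with the user receiving it while the verdict is outstanding.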
 

 

L2 Linker

Re: Using file blocking and wildfire profiles together

Hi,

I can see it sometimes and sometimes not; I am not sure why this is happening.

I think when I access the shared folder on the server and try to copy any file from my PC into the shared folder, the FB rules should take action as defined, but this is not happening, not sure why.

 

Thanks

L7 Applicator

Re: Using file blocking and wildfire profiles together

@mahmoodm,

It sounds like you may have interzone communication; the firewall will only take action on intrazone communication; in most scenarios interzone traffic never passes through your firewall.

L2 Linker

Re: Using file blocking and wildfire profiles together

Hi,

No, the traffic is between the user zone and the server zone, but still the file blocking doesn't work.

Please confirm whether we can block file transfers between systems which are using SMB, because I read today that SMB3 is encrypted, hence PA is not able to identify the files.

 

Thanks
