Tips & Tricks: Multi-Level Encoding and the File Blocking Profile

Did you know? Palo Alto Networks firewalls are able to decode up to four levels of encoding—an important feature that allows for extra layers of protection.

What are encoding levels exactly?

Simply put, it's the number of encapsulations. It's much easier to explain this with a few examples:

• A Word document, in a zip file, sent by email equals three levels of encoding
• A Word document, in a zip file, sent through HTTP chunk encoding and gzip compression equals four levels of encoding

This essentially means that if your firewall isn't configured properly, anything that has more than four levels of encoding will bypass the firewall scans and will be allowed through.

You don't want that; anything that has more levels of encoding is suspicious and should be blocked. A simple way to block files that have more than four levels of encoding is by configuring a File Blocking Profile. That being said, not any File Blocking Profile will do. 

Note that the firewall has 2 predefined File Blocking Profiles:

• Basic: Attach this profile to the Security policy rules that allow traffic to and from less sensitive applications to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. This profile blocks upload and download of PE files ( .scr, .cpl, .dll, .ocx, .pif, .exe) , Java files (.class, .jar), Help files (.chm, .hlp) and other potentially malicious file types, including .vbe, .hta, .wsf, .torrent, .7z, .rar, .bat. Additionally, it prompts users to acknowledge when they attempt to download encrypted-rar or encrypted-zip files. This rule alerts on all other file types to give you complete visibility into all file types coming in and out of your network.
• Strict: Use this stricter profile on the Security policy rules that allow access to your most sensitive applications. This profile blocks the same file types as the other profile, and additionally blocks flash, .tar, multi-level encoding, .cab, .msi, encrypted-rar, and encrypted-zip files.

As mentioned above, the basic profile will not block multi-level encoding—but the strict profile will. 

Predefined profiles (1) showing which filetypes (2) are being blocked (3)

If you think that the strict profile too strict then you can go ahead and create your own custom made profile.  It very easy to create your own file blocking profile.  Simply log into your firewall and go to the Objects tab > Security Profiles > File Blocking Profile > Add as shown below.  Name your profile and start adding your file types with the direction and action you want to apply to it.

Create your own custom made File Blocking Profile

Note: Just having a file blocking profile isn't enough! Make sure to apply your profile to a security policy rule. If you don't, then the profile will just sit there and won't do anything aside from looking pretty and being awesome.

Don't forget to apply your security profile to a security policy rule !

Lastly, don't forget to commit your changes to the firewall 😉.

Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.

Stay Secure,
Kiwi out!