I use data filtering and currently block EXE downloads, among others. My problem is now my users can't download updates to their malware software. The malware software we use currently doesn't offer a centralized management feature, so the updates have to be downloaded from the web. The updates come from a content delivery network, so the only way I can allow this without opening a huge hole in my security is by allowing a certain filename. Unfortunately, I do not know of a way in my PA to allow an EXE download via filename while still blocking everything else. Is this possible? Thank you in advance.
There are App-IDs for various software updates. You can allow file downloads for those App-IDs. If your particular malware update is not covered by an App-ID, you can either create your own custom one or put in an App-ID request to Palo Alto Networks: http://www.paloaltonetworks.com/researchcenter/submit-an-application/
Could you add a new "allow" policy using a FQDN Address Object for the content delivery network? Do not add a file blocking profile to the new policy. Position it before the policy with the file blocking profile that blocks .EXE files. Traffic would then match the new policy and be allowed. Downloads of .EXE files would still be blocked for traffic not sourced from the content delivery network by the existing policy with the file blocking profile.
I could, and that was my first idea... but since a VAST majority of downloads come from this content delivery network, I would essentially be allowing everything, rendering my EXE blocking only minimally effective.
I'll check in to Kelly's idea. I'm not familiar with that method, but it sounds like something I should know how to do anyway. Thank you both!
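Added example, not part of the thread and not Palo Alto Networks code: a small Python model of top-down, first-match policy evaluation that shows the trade-off discussed above, where an allow rule for the CDN placed ahead of the EXE-blocking rule also passes every other EXE served from that CDN. The rule names, host names and file names are constructed, and matching on host name is a simplification of how an FQDN address object works.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    dest_hosts: Optional[frozenset]  # None = any destination (stand-in for an FQDN object)
    blocked_exts: frozenset          # stand-in for a file blocking profile; empty = none

def evaluate(rules, host, filename):
    """Return (matching rule name, verdict); the first matching rule wins."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for rule in rules:
        if rule.dest_hosts is None or host.lower() in rule.dest_hosts:
            return rule.name, "block" if ext in rule.blocked_exts else "allow"
    return "implicit-deny", "block"

# Constructed policy: the existing rule applies EXE blocking to all traffic.
BLOCK_EXE = Rule("block-exe", None, frozenset({"exe"}))
# Proposed rule from the thread: allow the CDN with no file blocking profile.
ALLOW_CDN = Rule("allow-cdn", frozenset({"cdn.example.net"}), frozenset())

BEFORE = [BLOCK_EXE]
AFTER = [ALLOW_CDN, BLOCK_EXE]  # the new rule sits above the blocking rule

# Constructed sample downloads (host, filename).
DOWNLOADS = [
    ("cdn.example.net", "av-update.exe"),       # the update that is wanted
    ("cdn.example.net", "unrelated-tool.exe"),  # another tenant of the same CDN
    ("other.example.org", "setup.exe"),
    ("other.example.org", "readme.pdf"),
]

def report(downloads=DOWNLOADS):
    """Verdict for each download before and after adding the CDN rule."""
    return [(host, name, evaluate(BEFORE, host, name)[1],
             evaluate(AFTER, host, name)[1]) for host, name in downloads]

if __name__ == "__main__":
    for host, name, before, after in report():
        print(f"{host:18} {name:20} before={before:5} after={after}")
```
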