I'm trying to allow downloads of .exe and PE files for updates but continue to block users from downloading those file types from other sources. Not sure what the best way to do this is.
If I build a file filter with 3 rules like:
1. allow application ms-update
2. block .exe
3. allow any
Are these rules evaluated in sequential order? Or will the block .exe override the allow ms-update?
If I change rule 1 to allow application ms-update + allow .exe
Would those variables (the app and the filetype) be And'ed or Or'd together?
Another way I've tried to do this was to allow the application ms-updates in the firewall prior to URL filtering, but I get warnings that I need web-browsing enabled for the rule to work. If I enable web-browsing in the same firewall rule I start to see browsing passing that rule instead of my service-http rules, although some traffic still gets down to the normal URL rules.
So what's the best way to go about this?
In your file block profile you can add allow download for application MS-Update above your block and you will be able to download the updates. Java may be a little harder as there is no application in the file blocking profile. You may want to contact your SE to submit a feature request to allow Java-updates as an application for file blocking.
You can also make a rule above your current rule, with no file block profile, allowing web-browsing to Sun's servers to get the downloaded files.
If I change rule 1 to allow application ms-update + allow .exe (this would be 'and')
I'm running version 4.0.2.
I continue to have problems with ms-updates being blocked, specifically Windows PE files. I see the block in the Data Filtering Log, so from the details of the block log I see that it is passing the URL filter with the appropriate file blocking ruleset. I'm not sure if the file blocking builder screen is incomplete or not, but I find it strange that you should be able to sort the rules by name or other rather than the sequential order drag and drop mechanism of the other firewall rule screens. I've named my rules alphabetically and sorted by name (a-z). They appear on the main File Blocking screen in correct order. I've also looked at the Config Audit screen to see if they were ordered properly in the config file. They were, but for some reason even though the log shows that the application type was ms-update and the file was a Win PE file, it was still denied. I've even separated all file types into their own rule (i.e. ms-update+PE, ms-update.exe, ms-update.cab) and combined them. Both with the same result.
Any suggestions or should I start a ticket?
I never could get it to work the way I was thinking in my head, but I did get it to work an easier way.
Rather than allowing at the file level, I am allowing at the app level.
So under Policies->Security, as a rule above my user http/https rules, I have a rule called updates.
In that rule I allow the applications adobe-update, java-update, kaspersky and ms-update with the service type http/https.
I don't do any file level blocking in that rule.
Under the above updates rule I have my normal user based url filter with http/https which contains the block to .exe types.
The application for the user based filter is any.
The Palo Alto is smart enough to be able to decipher these update applications, and so far all is working appropriately.
Let me know if this helps.
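The rule ordering described in the reply above, as an added example that is not part of the original thread and not Palo Alto's code: a simplified Python model of top-down, first-match security rule evaluation, showing why the updates rule has to sit above the user rule. The rule name `user-web`, the file-type labels `exe`/`pe`, the implicit deny and both helper functions are assumptions made for illustration.

```python
# Simplified model (added example): first-match security rule evaluation,
# with a per-rule set of blocked file types standing in for a file blocking
# profile. Rule names, field names and file-type labels are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset                      # {"any"} matches every application
    blocked_file_types: frozenset = frozenset()  # empty = no file blocking profile

# Constructed rulebase mirroring the post: "updates" sits above the user rule.
UPDATES = Rule("updates", frozenset({"adobe-update", "java-update", "kaspersky", "ms-update"}))
USERS = Rule("user-web", frozenset({"any"}), frozenset({"exe", "pe"}))
RULEBASE = [UPDATES, USERS]

def evaluate(rulebase, application, file_type):
    """Return (matched rule name, verdict) for one download in a session."""
    for rule in rulebase:  # top-down; the first matching rule wins
        if "any" in rule.applications or application in rule.applications:
            verdict = "block" if file_type in rule.blocked_file_types else "allow"
            return rule.name, verdict
    return None, "deny"  # no rule matched: modelled here as an implicit deny

def shadowed_rules(rulebase):
    """Names of rules that can never match because earlier rules cover them."""
    shadowed, seen_any, seen_apps = [], False, set()
    for rule in rulebase:
        covered = "any" not in rule.applications and rule.applications <= seen_apps
        if seen_any or covered:
            shadowed.append(rule.name)
        seen_any = seen_any or "any" in rule.applications
        seen_apps |= rule.applications
    return shadowed

if __name__ == "__main__":
    # Constructed sample sessions: (identified application, downloaded file type)
    for app, ftype in [("ms-update", "pe"), ("web-browsing", "exe"), ("web-browsing", "pdf")]:
        print(app, ftype, evaluate(RULEBASE, app, ftype))
    # With the order reversed, the "any" rule swallows update traffic first.
    print("reversed order:", evaluate([USERS, UPDATES], "ms-update", "pe"))
    print("shadowed when reversed:", shadowed_rules([USERS, UPDATES]))
```
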