Blocking EXE files but allowing file names

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking EXE files but allowing file names

L3 Networker

Hi guys,

 

I'm trying to block .exe files, but allow file names for some users.

 

For example, I would like to allow the GoToMeetingLauncher.exe for GoToMeeting webinars, but the links look like the below which means it can't be done. 

 

https://download.citrixonline.com/launcher2/helper?token=e0-qZ0xbknQkdODLP_tA0HpRDCszfG5OkCLe4-4_8La...

 

https://live.paloaltonetworks.com/t5/Management-Articles/Can-Files-be-Blocked-by-Name/ta-p/54157

 

Anyone have an insight as to what they have done before, or what could be done?

 

Kind regards

Jack

10 REPLIES 10

Cyber Elite
Cyber Elite

Create custom URL category.

Add download.citrixonline.com into it.

Allow download of executables (for specific users) from that URL category.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

 

Hmm, thanks for your response but this didn't work.

 

I have created the custom category and set it to Alert for the policy that applies to me but when I tri the download again this is still being blocked. It doesn’t seem to override the file block policy. Is there a different way of doing this?

 

Cheers

Jack

You have to have 2 seperate security policies and 2 seperate File Blocking profiles.

Top sec policy will allow download of executables and you have URL category attached to it.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi,

 

I can go to the website and download the launcher fine, it’s other websites that I can’t access anymore (because I set all other categories to Block). In my mind I’m expecting to hit the top policy for downloads only (hence blocking everything else) then hit the regular policy below for all other traffic.

Palo is a "top down ACL" so if you're using all the same parameters except just chaning a profile the rules below the one above should be shadowed and not hit.

 

When you committed did you get a "shadowed rule" warning message?

Yeah so essentially, the match conditions are the same, so the traffic will hit the first rule that it applies to regardless of what file blocking profile you have. 

 

Is there any workaround for this at all? Would it be possible to setup an Untrust to Trust policy from the web server of where you're downloading from, which then has an alternate file blocking profile to allow this specific traffic I'm trying to download an EXE of?

The work around is a roll-up or integration of all match conditions and desired accesses/restirctions for the desired user security group.

Could you decipher that please..

For the sake of arguement:

 

 

Rule 1

 

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category  --> Allow  --> URL Profile A  (Block Everything) / File Blocking Profile (Can transfer .pdfs only)

 

 

Rule 2

 

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category  --> Allow  --> URL Profile A  (Allow Everything) / File Blocking Profile (Can transfer .pdfs only)

 

 

Rule 1 will shadow rule 2 because it's the same base session match criteria.  The application web-browsing will be allowed but the palo doesn't know which rule should "hit" WRT your URL match criteria.

 

 

Really the easiest way to do what you want is to do as Raido said.

 

1.  Create a Custom URL category (Call it whatever "Meeting") --> Add the URL download.citrixonline.com

2.  Create a File Blocking Profile ("EXE Allow") --> Allow exe files to download

3.  Create Rule

 

 

Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> "Meeting"  --> Allow  --> NO URL PROFILE / File Blocking Profile "EXE Allow"

 

have this rule be above your "Security Group A" "Web-Browsing" rule.  This above rule will only allow users access to the URL "download.citrixonline.com" and will allow them to download .exe files.

 

 

Hi Brandon,


Thanks for your reply.

 

Adding the download.citrix URL to the category alone didn't resolve the issue, however I believe I have fixed it. In the traffic logs, when accessing the GoToMeeting link I saw an IP address which then after an nslookup resolved to apiglobal.gotomeeting.com. I added this as well to the custom URL category which allowed me to use GoToMeeting and still block EXE files.


Thanks for your help

 

Jack

  • 5450 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!