This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Data copying over Global protect VPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Data copying over Global protect VPN

Jafar_Hussain
L4 Transporter

‎02-14-2021 09:46 PM

Hello,

 

I have one query:-

If, I am connected with GP VPN and. I want to prevent the users can not copy files or data from the shared folder and server.

is it possible?

0 Likes Likes
5 REPLIES 5

reaper
Cyber Elite
Cyber Elite

‎02-15-2021 04:33 AM

hi @Jafar_Hussain 

 

yes this is possible in multiple ways:

 

you can restrict access via security rules or security profiles:

  • in the security rules you could block access to a server completely (block rule),
  • or only allow certain applications. some applications are even split up in file sharing 'child' applications and other functionality, so you could allow some functionality but block file transfers
  • additionally you can add file blocking profiles that prevent some or all filetypes from being transmitted in one direction or both: you could set up a security rule that allows a file transfer application, but then add a security profile (file blocking profile) that only allows uploads and blocks downloads
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Jafar_Hussain
L4 Transporter
In response to reaper

‎02-15-2021 04:52 AM

@reaper 

Thanks for the information.

First of all, i can not block completely server access. i need to block only copy files from the server or to the server.

I have tried to block the copy file by the file blocking profile but still i am able to copy file via VPN.

Below is the configuration description that I already tried.

 

File blocking profile:-

 

Jafar_Hussain_0-1613393336891.png

 

 

Security rule:-

 

Source zone - GP zone, inside zone

user - any

Source address Address - Any

Destination Zone - GP zone, Inside zone

Application - ms-rdp

Service - Any

Action - Allow

Profile - File blocking test

 

This scenario i tried but unable to block.

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to Jafar_Hussain

‎02-15-2021 05:13 AM

ah yes RDP

Microsoft put in some nifty (and prorietary) encryption that prevents the firewall from blocking files being copied

you can, however, control which actions are allowed by users in the RDP configuration tself on the server, so you can push out Global Policies that prevent files from being copied when users are connected via RDP (and have users use SMB instead, which you can control)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to reaper

‎02-15-2021 05:23 AM

@reaper 

As per my understanding, you are saying we need to block only smb application from the Paloalto?

Mainly, we need to prevent users from copying files from shared folders to their systems when they access through VPN. Also, i want to know, how to do that for access over RDP.

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to Jafar_Hussain

‎02-15-2021 06:30 AM

no: you can't block file transfer via RDP in the firewall because microsoft built in an encryption that can't be deciphered by the firewall

 

it IS possible to disable filetransfer through RDP via GPO :

 

https://social.technet.microsoft.com/Forums/en-US/f07b2557-27fd-484f-9a62-635057959214/disable-file-...

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 4169 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks