03-02-2017 01:06 PM - edited 03-02-2017 01:37 PM
Hi everyone,
We allow our users to check personal email externally (gmail/yahoo/etc). I'd like to prevent them from downloading attachments from these external emails if possible. Can this be done and how?
Reason being, downloading attachments directly to the desktop bypasses our other lines of defense. We'd like to force them to forward said message to a work email address and allow our mail appliances to do their job.
Edited: I suppose I should have mentioned LOL, we use a Palo Alto Next Firewall for our edge device.
Any suggestions...
Thanks,
Mark
03-02-2017 06:44 PM
short answer: file blocking
longer answer: especially with email sites, it will require decryption as Palo Alto won't be able to see the traffic otherwise.
03-03-2017 06:18 AM
In a very round-about way you could get something like this to function as is, even without decryption to an extent. You would need to gather the IP addresses for gmail, yahoo, and any other email service (I recommend setting up MineMeld for this). I'm not positive if there is a miner for this already, but Google makes it pretty easy to get the IP ranges being used. Once you have the IP ranges you could create a rule with a special file blocking profile to block all of the attachments from that range, then you would just have to notify your employees of the changes.
In general though, if you're allowing users to check personal email at work I wouldn't really recommend doing something like this; you're going to increase support calls by quite a bit since the download is going to fail. If this is a legitimate concern I would just get the okay to block personal email access.
03-03-2017 07:01 AM
>In a very round-about way you could get something like this to function as is, even without decryption to an extent.
not trying to be combative, but how so? gmail forces https, for example, and with https, all the headers are encrypted. you can't tell someone is requesting an exe resource, let alone analyze the traffic to determine it's a PE (which is what PA is actually doing with file blocking), so I'm at a loss seeing how it'll work?
but if I am misunderstanding, please let me know.
03-03-2017 09:32 AM
Nope that's my bad, I just took another look at what I've configured previously and it wasn't a file block, it was a QOS profile that just made it painfully slow to download anything from those sites in an attempt to get people to stop doing it. To truly file block you would need the decryption profile to be set up. That's my bad, I thought that we had configured it to block it altogether.
That being said, you could do the custom QOS profile and QOS policy and just make it really inconvenient for them in an attempt to get them to stop doing it if you aren't in a position to just decrypt the traffic.
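An added illustration of the point settled in the thread, not code from any poster or from Palo Alto Networks: a content-based PE check gives a verdict on plaintext or decrypted bytes but sees nothing recognisable in an encrypted stream. The SHA-256 keystream is a constructed stand-in for TLS encryption, and every name and sample byte here is hypothetical.

```python
import hashlib
import struct
from typing import Optional

def build_sample_pe() -> bytes:
    """Constructed sample: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew = offset of PE signature
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

def is_pe(payload: bytes) -> bool:
    """Identify a PE from its content: MZ magic, then PE signature at e_lfanew."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", payload, 0x3C)
    return payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for TLS record encryption (not real TLS); XOR is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">Q", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def inspect(wire_bytes: bytes, session_key: Optional[bytes] = None) -> str:
    """Verdict for one download; session_key models a device that decrypts."""
    body = keystream_xor(session_key, wire_bytes) if session_key else wire_bytes
    return "block" if is_pe(body) else "allow"

SESSION_KEY = b"constructed-session-key"      # constructed sample value
ATTACHMENT = build_sample_pe()                # what the mail site serves
ON_THE_WIRE = keystream_xor(SESSION_KEY, ATTACHMENT)

def demo() -> dict:
    return {
        "plain http": inspect(ATTACHMENT),
        "https, no decryption": inspect(ON_THE_WIRE),
        "https, decrypted inline": inspect(ON_THE_WIRE, SESSION_KEY),
    }

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:26} -> {verdict}")
```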