External email attachments

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

External email attachments

L1 Bithead

Hi everyone,

We allow our users to check personal email externally(gmail/yahoo/etc). I'd like to prevent them from downloading attachments from these external emails if possible. Can this be done and how?

 

Reason being, downloading attachments directly to the desktop bypasses our other lines of defense. We'd like to force them to forward said message to a work email address and allow our mail appliances do there job.

 

Edited: I suppose I should have mentioned LOL, we use a Palo Alto Next Firewall for our edge device.

 

Any suggestions...

Thanks,

Mark

1 accepted solution

Accepted Solutions

L3 Networker

short answer: file blocking

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/set-up-file-blocki...

 

longer answer: especially with email sites, it will require decryption as Palo Alto won't be able to see the traffic otherwise.

View solution in original post

4 REPLIES 4

L3 Networker

short answer: file blocking

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/threat-prevention/set-up-file-blocki...

 

longer answer: especially with email sites, it will require decryption as Palo Alto won't be able to see the traffic otherwise.

Cyber Elite
Cyber Elite

@Crash28,

In a very round-about way you could get something like this to function as is, even without decryption to an extent. You would need to gather the IP addresses for gmail, yahoo, and any other email service (I recommend setting up MineMeld for this) I'm not positive if there is a miner for this already but Google makes it pretty easy to get the IP ranges being used. Once you have the IP ranges you could create a rule with a special file blocking profile to block all of the attachments from that range, then you would just have to notify your employees of the changes. 

 

In general though if your allowing users to check personal email at work I wouldn't really recommend doing something like this, your going to increase support calls by quite a bit since the download is going to fail. If this is a legitimate concern I would just get the okay to block personal email access. 

>In a very round-about way you could get something like this to function as is, even without decryption to an extent. 

 

not trying to be combatitive, but how so? gmail forces https, for example, and with https, all the headers are encrypted. you can't tell someone is requesting an exe resource, let alone analyze the traffic to determine it's a PE (which is what PA is actually doing with file blocking), so I'm at a loss seeing how it'll work?

 

but if I am misunderstanding, please let me know.

Nope that's my bad, I just took another look at what I've configured previously and it wasn't a file block it was a QOS profile that just made it painfully slow to download anything from those sites in an attempt to get people to stop doing it. To trully file block you would need the decryption profile to be setup. That's my bad I thought that we had configured it to block it all-together. 

That being said you could do the custom QOS profile and QOS policy and just make it really inconvient for them in an attempt to get them to stop doing it if you aren't in a position to just decrypt the traffic. 

  • 1 accepted solution
  • 3109 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!