File blocking and Google Chrome


L1 Bithead

Hi there! 

I have the problem that file blocking no longer works properly in the Chrome browser.

 

The file blocking profile was configured and attached to the rule, but I can still download msi files. PAN-OS 9.1.0

 

profile.png

 

 

rule.png

 

download.png

Does anyone have suggestions for how I can fix this? 🙂

6 REPLIES 6

Community Team Member

Hi @Chris.Ka ,

 

Is the traffic decrypted correctly?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks for your reply.
I think the traffic is decrypted correctly, because the certificate comes from our PA-820.

cert.png

Community Team Member

Hi @Chris.Ka ,

 

Check your traffic sessions to make sure it's being decrypted or not:

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/verify-decryption

 

Anything in the threat log?

In case the file is identified as another file type you should see it in the threat log thanks to the alert action you have configured ... that said, I'm leaning more towards a decryption issue.

 

Cheers,

-Kiwi.

 

Hi,

After a few tests I found that the msi file has been successfully blocked... But when I click the retry button in Chrome Downloads, the rest of the file downloads. Is there a workaround for this?

download_failed.png download_ok.png Datafiltering.png

traffic_log_detail.png

L3 Networker

Hello,

 

Chrome sometimes uses the tricky QUIC protocol, so the application is seen as "quic" in the firewall logs. Do you have any chance to try this?

 

For Security Rule;

From a test host to the internet, block "quic" so Chrome cannot change its behaviour.

For Decryption Rule;

From a test host to the internet, decrypt all traffic.

*I am using TCP and UDP 443 on decryption policies.

 

Then analyze the log; maybe this method can give a clue about why the msi file is not blocked by the firewall.

 

*Before testing, be sure there are no active connections from the test host to the internet (Monitor tab > Session Browser); if there are any, kill them all.

 

Have a nice day.

UP

Hi,

Quic is already blocked (see screenshot in my first post) and the traffic is decrypted successfully. 😕

My PA-820 doesn't recognize the resume-download as an msi file.

 

I think this issue has occurred since the update to 9.0 a few months ago.
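Added example, not from any poster in this thread and not Palo Alto Networks code: a small Python sketch of why a resumed download can go unidentified, and how to flag it in captured responses. It assumes that Chrome's retry resumes the transfer with an HTTP Range request (so the reply is a 206 Partial Content that starts mid-file) and that file-type identification depends on the leading signature bytes; the function names and the sample responses are constructed for illustration.

```python
import re

# OLE2 compound-file signature that MSI installers start with.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+|\*)")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes) -> str:
    """Return 'msi', 'resumed-unidentified' or 'unknown' for one response."""
    status, headers, body = parse_response(raw)
    if status == 206:
        m = CONTENT_RANGE.match(headers.get("content-range", ""))
        if m and int(m.group(1)) > 0:
            # Body starts mid-file: the signature is not in this response,
            # so a signature check on it alone cannot name the file type.
            return "resumed-unidentified"
    if body.startswith(OLE2_MAGIC):
        return "msi"
    return "unknown"


# Constructed sample: a 64-byte stand-in "installer" and the two ways it arrives.
FILE = OLE2_MAGIC + bytes(range(56))
FULL = b"HTTP/1.1 200 OK\r\nContent-Length: 64\r\n\r\n" + FILE
RESUMED = (b"HTTP/1.1 206 Partial Content\r\n"
           b"Content-Range: bytes 16-63/64\r\n"
           b"Content-Length: 48\r\n\r\n" + FILE[16:])

if __name__ == "__main__":
    for name, raw in (("full", FULL), ("resumed", RESUMED)):
        print(name, "->", classify(raw))
```

When reviewing logs for this symptom, the pairing to look for is a blocked or reset first transfer followed by a 206 response for the same URL with a non-zero range start.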
