File Blocking not recognizing .docx or .xlsx files.


L2 Linker

I just created a new file blocking profile and added xlsx, pdf, docx and multi-level-encoding.  I set the action to alert.  I want to monitor the found traffic prior to implementing a block rule.

 

When I download a PDF file from the Internet, the event is logged in the Monitor/Data Filtering.

 

When I download a .docx or .xlsx file, it is not logged in the Monitoring/Data Filtering.

 

What am I missing?

 

Thanks

8 REPLIES 8

Cyber Elite

Hi @Networking2017 

Docx and xlsx files are basically zip files, so to see the initial file you should also add zip. But to address your problem, try to add another rule to the fileblocking profile where you log all filetypes. This way you should see in the logs which filetypes you need to add also. 
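The point above that .docx and .xlsx files are ZIP containers, shown as an added example that is not part of the original thread and is not how PAN-OS itself identifies files. The function names are hypothetical and the sample files are constructed in memory; the two content-type strings are the standard OOXML main-part types.

```python
import io
import zipfile

# Content types of the main part of an OOXML package (ECMA-376).
MAIN_PARTS = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": "docx",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml": "xlsx",
}

def build_sample(main_type=None):
    """Constructed sample: a small ZIP, optionally carrying an OOXML content-type map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if main_type:
            z.writestr("[Content_Types].xml",
                       '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                       f'<Override PartName="/main.xml" ContentType="{main_type}"/></Types>')
        z.writestr("payload.txt", "constructed sample data")
    return buf.getvalue()

def by_magic(data):
    """First-bytes check only: every OOXML file looks like a plain ZIP here."""
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:4] == b"PK\x03\x04":  # ZIP local file header signature
        return "zip"
    return "unknown"

def classify(data):
    """Look inside the ZIP container to tell docx/xlsx from an ordinary archive."""
    kind = by_magic(data)
    if kind != "zip":
        return kind
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "[Content_Types].xml" not in z.namelist():
                return "zip"
            # Substring match keeps the example short; no XML parsing of untrusted input.
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "zip"  # truncated or damaged archive: report the container type only
    for ctype, ext in MAIN_PARTS.items():
        if ctype in types:
            return ext
    return "zip"
```
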

@Networking2017 do you download the office documents from the same server as the pdf?

No.  Different servers.  I think I need to get decryption working.  That way the file blocking can decrypt and see the attachment correctly.

 

@Networking2017 that would have been my next question - the part about decryption ; )

Thanks for replying.  Do you typically push out the decryption cert using Active Directory or some other method for domain joined computers?

Yes, usually with group policies the certs are pushed to the clients. If you use GlobalProtect you can also install a cert this way onto the clients that connect to the portal.

Once I set up decryption, I was able to block the docx and xlsx files.  Thanks.

 

Another question...If I block the file, is there any way to actually retrieve the blocked file like an email filter does?

Palo Alto does its analysis of the traffic stream-based and not with a store-and-forward method (like almost all email gateways operate).

In short, no, unfortunately it is not possible to retrieve the file.
