file blocking profile but allow some apps


Hi 

 

We have recently enabled file blocking on all our web access rules and it works a treat, but looking at the data filtering logs I can see the likes of Google Chrome being blocked.

 

I have played around creating a separate rule, that is above the main web access rules, which has a separate file blocking profile that doesn't and assigned this to the new rule that also has a custom URL category to the likes of tools.google and update.googleapis.com (I got this from the file blocking and URL logs) but still I cannot seem to update Chrome.

 

Has anyone managed to enable file blocking but allow key/specific applications like Google Chrome, Office 365 or GoTo Meeting to be downloaded?

 

Thanks in advance

4 REPLIES 4


@CRDF18,

Even though you're seeing hits on the new rule, can you verify via the logs that this is the policy being utilized when you attempt to download the updates for Chrome? My initial expectation would be that you aren't actually allowing the correct URLs for the update to work properly.

One important part of this all working: are you doing decryption?

I am getting the URL (well, IP address) that is being blocked from the data filtering log and adding it to the custom URL category applied to the bypass policy but it still doesn't work.

 

I have even populated the custom URL category with *.getgo.com, launch.getgo.com as well as the IP from the blocked data filtering log but no luck.

 

I even decided to take the IP from the data filtering log and add it to the destination address in the bypass policy but that doesn't work either; it still hits the original web access rule, not the bypass.

 

I am only testing with GoTo Meeting at the moment but I will need it working for Chrome and Adobe Creative Cloud as well... I can see this being a long and difficult process.

 

Yes we are using SSL decryption.

Hop into the CLI on the firewall when you're ready to try updating Chrome. Find out your IP as seen by the firewall, then show the sessions that got denied by doing:

> show session all filter source 192.0.2.1 state discard

 

When you find some in discard state, you can then show the details of that session to show you what rule it hit:

> show session id 123456789

 

That should help guide you to the traffic being denied/broken.

Thanks, there were no discards when I looked, but in the end I've got the Chrome update working, but then there was a knock-on effect with normal web sites being blocked because of the URL filtering profile I had applied.

 

My original aim was to have our normal web access policies to 3 different AD groups (so 2 rules per group) which would block exe, msi, pe etc., but above these rules I would have one rule that has the 3 different AD groups in it that would allow exe, msi and pe files to a select group of sites in another URL filtering profile to update the likes of Adobe Reader/Creative Cloud, Chrome, Visual Studio etc.

 

After doing some more tests and a call with PA support, it seems this is not possible, so now I'm back to square one. What I am now thinking is adding an extra rule for each web access group. At the moment our setup is something like the below.

 

Web access full AD group - zone outside - web access full allowed apps - application-default service - Web access full URL filtering & file blocking profile

Web access full AD group  - zone outside - allowed apps decrypt to other ports - custom ports service - Web access full URL filtering & file blocking profile

 

What I propose to do is the following:

 

Web access full AD group - zone outside - any application - any service - web access full URL filtering with approved category & file blocking profile allowing EXE & PE file types

Web access full AD group - zone outside - web access full allowed apps - application-default service - Web access full URL filtering & file blocking profile

Web access full AD group  - zone outside - allowed apps decrypt to other ports - custom ports service - Web access full URL filtering & file blocking profile

 

 

But now I have just typed that out, I don't think that will work, as the first rule would allow all applications so the other rules wouldn't really come into place.

 

I think I need a break from this and come back to it with a fresh head lol
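
The shadowing concern raised in the last post, as an added example that is not part of the original thread: a simplified Python model of top-down, first-match rule evaluation over the three proposed rules. Rule names, application and service labels and the `approved-updates` category are constructed, and treating the URL category as a rule match criterion is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: the field matches anything

@dataclass(frozen=True)
class Rule:
    name: str
    apps: Optional[frozenset]      # applications, ANY = "any application"
    services: Optional[frozenset]  # service labels, ANY = "any service"
    url_cats: Optional[frozenset]  # URL category as a match criterion (model assumption)
    blocks_exe: bool               # attached file blocking profile blocks EXE/PE

    def fields(self):
        return (self.apps, self.services, self.url_cats)

    def matches(self, session):
        # session is a tuple: (application, service, url_category)
        return all(want is ANY or got in want
                   for want, got in zip(self.fields(), session))

    def covers(self, later):
        """True if every session 'later' could match is caught by this rule first."""
        return all(mine is ANY or (theirs is not ANY and theirs <= mine)
                   for mine, theirs in zip(self.fields(), later.fields()))

def first_match(rules, session):
    """Top-down evaluation: the first matching rule wins; None means no rule matched."""
    return next((r for r in rules if r.matches(session)), None)

def shadowed(rules):
    """Names of rules that can never be hit because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(e.covers(r) for e in rules[:i])]

# Constructed stand-ins for the rule list in the post.
WEB = frozenset({"web-browsing", "ssl"})
full = Rule("web-full", WEB, frozenset({"application-default"}), ANY, True)
ports = Rule("web-full-other-ports", WEB, frozenset({"custom-ports"}), ANY, True)
# Proposed layout: the top rule matches any application, service and category.
proposed = [Rule("allow-exe", ANY, ANY, ANY, False), full, ports]
# Variant: the top rule only matches sessions in the approved category.
scoped = [Rule("allow-exe", ANY, ANY, frozenset({"approved-updates"}), False), full, ports]

browse = ("web-browsing", "application-default", "news")              # ordinary browsing
update = ("web-browsing", "application-default", "approved-updates")  # vendor update download
```

In the `proposed` list ordinary browsing lands on the rule whose profile allows EXE/PE, and `shadowed()` reports both original rules as unreachable; in the `scoped` list only the update session reaches that rule.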
