File blocking

@BPry 

Yes, i can see the msi files in the data filtering log. the action is deny but still file is downloading.

@BPry 

@aleksandar.astardzhiev 

When i applied the decryption and create a custom file blocking profile to block any file then it is working perfectly. i am able to block the traffic.

However, once I apply for the specific MSI extension in blocking. i was facing the previous issue. i am not able to find out the reason why its happening because as per compliance policy i need to only block MSI and exe not all files.

Hey @Jafar_Hussain ,

You didn't answer my question - Are you using "allow http partial response" ?

What I am thinking is - when you start downloading a file, firewall will buffer the data in the transfered packets and will build a copy of the transfered file. It will use the information in the file to identify what type it is. I believe it is using the "magic bytes" which are at the beging of the file. So on your first attempt to donwload the file firewall will see allow the first few bytes to be transfered, during that it will detect that the file is msi and will block the connection and effectively block the rest of the file to be downloaded.

Now with http partial response, your browser is able to tell the server that it already has the first N bytes, so intsead of starting from the beginning, it will requests from the server to send the rest. Because of that the firewall will not see the magic bytes and it will not be able to identify the actual file type, which will not match your file blocking profile and therefor allow for the user to resume the download (effectively starting new session downloading the rest of the file).

Disabling this option will tell the firewall to reset any http session that is trying to resume download (telling the server from which byte to start). The problem is that this is configured on global level and it is breaking Microsoft update (and other like SCCM). So a lot of people leave it disabled (meaning allow http partial response).

I would suggest you to try to enable this feature (just for the test) and see if you are still able to resume the download

@aleksandar.astardzhiev 

Thank you so much for the detailed information. when i uncheck the "Allow HTTP partial response" it is working as expected.

As you mention Disabling this option will breaking Microsoft update (and other like SCCM). So a lot of people leave it disabled (meaning allow http partial response).

So any other option to achieve my requirement.

Hey, @Jafar_Hussain ,

Unfortunately I don't believe there is other solution except to disable http patial response.

Not sure if I am not thinking for something else, but I belive there was feature request to be able to override this option per rule... But I am really not sure..If you have contact with sale engineer you can check with him.

@aleksandar.astardzhiev 

Thanks for our suggestion.

I have tried the below option and the issue has been resolved.

I have checked once i click on a resume while downloading the MSI file with by default strict file blocking profile. in the data filtering logs, i can see while resuming downloading the firewall detects the file is Microsoft.

Then i clone to strict file blocking and add a Microsoft file in the profile.

and new file blocking profile attached in security. then i am able to block the msi file downloading.