cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

File blocking..

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

File blocking..

homicidedart
L3 Networker

‎12-25-2013 12:07 PM

Hi Gents,

I have a Palo Alto 5050 installed between users and my Server Farm.

I configured a security policy to allow access to the File Server, and applied a File type profile to block files such as exe, avi, and FLV.

but the file blocking doesn't work, while the users are still able to put these file types on the server share.

how can I resolve that issue.

Thanks & Regards,

Maher

0 Likes Likes
10 REPLIES 10

Phoenix
L4 Transporter

‎12-25-2013 12:19 PM

Hello homicidedart

To block the different file types we select the the file types and give the direction based on if it is upload, download or both direction and give action as block. Some points to look for,

> Direction should be checked can give both to block both directions.

> Security rule should have action as Allow. Block is the action only on the file-blocking profile.

> If there are more than one rule in the file blocking profile we will have to have this rule in the top or more specific rule in the top and more generic in the bottom.

> Also look at the session id details for this traffic to see details about file blocking / sec rule matching and so on to isolate the cause.

file-block.PNG.png

If all these would not help then flow basic has to be done to analyse at packet level.

Hope this helps !

Thanks

homicidedart
L3 Networker
In response to Phoenix

‎12-25-2013 11:11 PM

Hi Phoenix,

Thanks for your reply, while I see the Configuration you said is the same as mine. I looked at the session ID, and I see nothing about the file.

but in real the file is copied to and from the share directory without any blocking.

How can it be solved.

ft.JPG.jpg

Regards,

Maher

0 Likes Likes

dpalani
L3 Networker
In response to homicidedart

‎12-27-2013 07:38 AM

Which PAN-OS version are you running ? Are you seeing a similar issue if you were to use a different application as in FTP ?

- Deepak

0 Likes Likes

homicidedart
L3 Networker
In response to dpalani

‎12-27-2013 08:02 AM

Hi Deepak,

I'm using PAN-OS V 5.0.9.

Regarding your question, yes. I tried to upload files to the server Via remote desktop and it's uploaded easily. even when I try to upload it to the internet it's blocked.

and I'm using the file type profile for both destinations in the security policy. the same issue happens in the download.

Regards,

Maher

0 Likes Likes

panos
L6 Presenter
In response to homicidedart

‎12-28-2013 05:22 AM

can you give the output of

show rulebase security rules FileServer-Rule

show profiles file-blocking (your profile name)

show session id 536401

homicidedart
L3 Networker
In response to panos

‎12-29-2013 11:32 PM

Hi Panos,

Sorry for late reply,

here you are the Required output

admin@PA-SRV-2# show rulebase security rules FileServer-Rule

FileServer-Rule {

  option {

    disable-server-response-inspection no;

  }

  from any;

  to any;

  source Sukari-Clients;

  destination FileServer-Group;

  source-user any;

  category any;

  application FileServer-Apps;

  service application-default;

  hip-profiles any;

  action allow;

  log-start yes;

  log-end yes;

  negate-source no;

  negate-destination no;

  disabled no;

  profile-setting {

    profiles {

      file-blocking "prevent on file server";

      virus Antivirus-Block;

      spyware Anti-Spyware-Profile;

      vulnerability "Vulnerability Profile";

    }

  }

}

admin@PA-SRV-2# show profiles file-blocking "prevent on file server"

"prevent on file server" {

  rules {

    "Standard users" {

      application any;

      file-type [ apk avi avi-divx avi-xvid bat cab class dll exe flv hta jar mov mp3 mp4 reg rm torrent wmv wsf];

      direction both;

      action block;

    }

  }

}

Regarding the session ID output, I found the output is different from the GUI output

admin@PA-SRV-2> show session id 536401

Session          536401

        c2s flow:

                source:      192.168.102.217 [trust]

                dst:         10.10.50.5

                proto:       17

                sport:       47043           dport:      53

                state:       INIT            type:       FLOW

                src user:    centamin\pan-admin

                dst user:    unknown

        s2c flow:

                source:      10.10.50.5 [untrust]

                dst:         192.168.102.217

                proto:       17

                sport:       53              dport:      47043

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    centamin\pan-admin

        start time                    : Mon Dec 30 09:06:41 2013

        timeout                       : 30 sec

        total byte count(c2s)         : 87

        total byte count(s2c)         : 103

        layer7 packet count(c2s)      : 1

        layer7 packet count(s2c)      : 1

        vsys                          : vsys1

        application                   : dns 

        rule                          : DNS Attack drop

        session to be logged at end   : True

        session in session ager       : False

        session synced from HA peer   : False

        layer7 processing             : enabled

        URL filtering enabled         : False

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

So, I tried another one and I found the same thing.

$ Data Filtering output

File types.JPG.jpg

$ Traffic Logging output

Session from the GUI.JPG.jpg

$ CLI output

admin@PA-SRV-2> show session id 3993

Session            3993

        c2s flow:

                source:      192.168.102.217 [trust]

                dst:         10.10.50.5

                proto:       17

                sport:       60918           dport:      53

                state:       INIT            type:       FLOW

                src user:    centamin\pan-admin

                dst user:    unknown

        s2c flow:

                source:      10.10.50.5 [untrust]

                dst:         192.168.102.217

                proto:       17

                sport:       53              dport:      60918

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    centamin\pan-admin

        start time                    : Mon Dec 30 08:52:22 2013

        timeout                       : 30 sec

        total byte count(c2s)         : 93

        total byte count(s2c)         : 447

        layer7 packet count(c2s)      : 1

        layer7 packet count(s2c)      : 1

        vsys                          : vsys1

        application                   : dns 

        rule                          : DNS Attack drop

        session to be logged at end   : True

        session in session ager       : False

        session synced from HA peer   : False

        layer7 processing             : enabled

        URL filtering enabled         : False

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

0 Likes Likes

panos
L6 Presenter
In response to homicidedart

‎12-30-2013 12:26 AM

show session id 3993 application is different from monitor ? there is a mismatch here.Also some other info not same.Sessions are different.

clear all sessions and look again...if this is going on then you better open a case.

they should match as I know.something is not stable here.

dpalani
L3 Networker

‎12-30-2013 07:35 AM

Hello,

Based on the behavior it looks like when the file is being transferred through ms-ds-smb the firewall does not detect it.

This looks like an issue with ms-ds-smb decoder, please open up a case with support so that we can address this.

Regards,

Deepak

homicidedart
L3 Networker
In response to panos

‎12-30-2013 07:47 AM

Thanks panos, I tried what you told me. and I got the same result.

I'm gonna open a case up with the Support.

Regards,

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks