File Types and Applications regarding SSL Decryption


L3 Networker

Hi All,

I don't have a content filter license.

Am I required to configure SSL decryption to block internet applications or file types?

Shall I have a content filter license to configure SSL decryption or not?

Also, I'm facing other issues.

To open internet access for users, I open the web-browsing application and ssl.

While I'm trying to browse the internet I find YouTube is allowed also, and I can't block it in any way until I remove ssl from the applications, which causes all the HTTPS sites not to work.

Another issue is that I configured a policy between the users and my file server to allow applications (ms-ds-smb, msrpc, netbios-ns, netbios-ss, netbios-dg, ping) and drop some file types, like exe files, and nothing happens. So the users can upload and download exe files from the file server.

How can all these issues be resolved?

Regards,

Maher

5 REPLIES

L2 Linker

Let’s see if I can answer a few of your questions.

I don't have content Filter License: You don’t need threat to create rules based on application or service.

Am I required to configure ssl decryption to block internet applications or file types? No, probably best to leave SSL decryption off until you get your rules set up and working. SSL decryption works best with the URL license because you want to exclude URL categories like Financial and Education.

Shall I have a content filter license to configure ssl decryption or not? You don’t need threat prevention to do application-based rules. You won’t need to add any profiles to your security rules.

To open internet access for users, I open web-browsing application and ssl: If you have application-default set under service in the security policy, you will run into issues if you only have web-browsing and SSL added to the rule. It would be best to create an Application Filter (under the Objects tab) and add categories to the custom filter. You can do it based on risk level or on one of the subcategories or any combination.

While I'm trying to browse the internet I find YouTube is allowed also, and I can't block it in any way until I remove ssl from the applications, which causes all the HTTPS sites not to work: If you want to block YouTube you can create a rule and place it above your web / ssl rule. Add youtube as the application, leave the service set to any and set the rule to block.

L2 Linker

Let me make sure I understand the last question.

Another issue is that I configured a policy between the users and my file server to allow applications (ms-ds-smb, msrpc, netbios-ns, netbios-ss, netbios-dg, ping) and drop some file types: So you have configured a File Blocking profile under Objects. You have added exe as the file type and set the action to block. You can also set the direction to both if you want to block exe to and from the file server. You then added this profile to the Security Rule you created. With the profile set it should block exe files. The Action on the security rule should be set to Allow.

Hi Stuart,

Thanks for your keen interest, and your great answers.

I understand well now, but I think I have to apply security profiles to the security rules that allow applications, such as DNS, as there are suspicious DNS attacks happening on the DNS servers, and there are more on other applications.

And, regarding the other question, yes, I configured the file server security policy as you explained, but I see no action being taken on files while they are being uploaded to or downloaded from the server share.

Do you have any solution?

Thanks & Regards,

Maher

Can you share your file blocking profile and the security rule related to that profile?

Also, from the monitor logs, be sure that the traffic matches the correct rule.

Hi Panos,

Here you are, the required output:

admin@PA-SRV-2# show profiles file-blocking "prevent on file server"
"prevent on file server" {
  rules {
    "Standard users" {
      application any;
      file-type [ apk avi avi-divx avi-xvid bat cab class dll exe flv hta jar mov mp3 mp4 reg rm torrent wmv wsf];
      direction both;
      action block;
    }
  }
}

admin@PA-SRV-2# show rulebase security rules FileServer-Rule
FileServer-Rule {
  option {
    disable-server-response-inspection no;
  }
  from any;
  to any;
  source Sukari-Clients;
  destination FileServer-Group;
  source-user any;
  category any;
  application FileServer-Apps;
  service application-default;
  hip-profiles any;
  action allow;
  log-start yes;
  log-end yes;
  negate-source no;
  negate-destination no;
  disabled no;
  profile-setting {
    profiles {
      file-blocking "prevent on file server";
      virus Antivirus-Block;
      spyware Anti-Spyware-Profile;
      vulnerability "Vulnerability Profile";
    }
  }
}

And also the traffic is matching the rule to the file server.

Any recommendation?

Appreciated.
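
The checklist from the replies above (exe listed in the profile, action block, direction both, profile attached to the security rule, rule action allow) can be run mechanically against the two configuration dumps in this post. The following Python is an added example, not part of the original thread or of any Palo Alto Networks tooling; `parse` and `audit` are hypothetical helper names, and the embedded configuration is the output posted above, condensed to the fields the check reads.

```python
import re
TOKEN = re.compile(r'"[^"]*"|[{}\[\];]|[^\s{}\[\];"]+')

def parse(text):
    """Parse brace-style 'show' output into nested dicts; [ ... ] becomes a list."""
    toks, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(toks) and toks[pos] != "}":
            key, pos = toks[pos].strip('"'), pos + 1
            if toks[pos] == "{":            # nested section
                pos += 1
                node[key] = block()
                pos += 1                    # step over the closing }
            elif toks[pos] == "[":          # member list
                end = toks.index("]", pos)
                node[key] = [t.strip('"') for t in toks[pos + 1:end]]
                pos = end + 2               # step over ] and ;
            else:                           # single value
                node[key] = toks[pos].strip('"')
                pos += 2                    # step over value and ;
        return node
    return block()

def audit(profile_text, rule_text, file_type="exe"):
    """Return the checklist items from the replies that the config fails."""
    (pname, profile), = parse(profile_text).items()
    (_, rule), = parse(rule_text).items()
    findings = []
    if rule.get("action") != "allow":
        findings.append("security rule action is not allow")
    profiles = rule.get("profile-setting", {}).get("profiles", {})
    if profiles.get("file-blocking") != pname:
        findings.append("file-blocking profile is not attached to the rule")
    def covers(r):                          # literal file-type membership only
        types = r.get("file-type", [])
        types = [types] if isinstance(types, str) else types
        return file_type in types and (r.get("action"), r.get("direction")) == ("block", "both")
    if not any(covers(r) for r in profile.get("rules", {}).values()):
        findings.append(f"no profile rule blocks {file_type} in both directions")
    return findings

# Configuration as posted in the thread, condensed to the fields audit() reads.
PROFILE = '''"prevent on file server" { rules { "Standard users" { application any;
  file-type [ apk avi avi-divx avi-xvid bat cab class dll exe flv hta jar mov mp3 mp4 reg rm torrent wmv wsf];
  direction both; action block; } } }'''
RULE = '''FileServer-Rule { application FileServer-Apps; action allow; disabled no;
  profile-setting { profiles { file-blocking "prevent on file server"; } } }'''
```

For the configuration as posted, `audit(PROFILE, RULE)` returns an empty list: every item on the checklist is satisfied, so the next step is the one already suggested in the thread, confirming from the monitor logs which rule the file-server sessions actually match.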
