PAN-OS ISO File download blocked

L1 Bithead

Hi Everyone,

I am unable to see, on my Palo Alto firewall (PAN-OS 11.1.4-h13) under Monitor > Data Filtering or Unified, which file extension in the ISO file is blocked when I download an ISO.

Nothing shows up as blocked and the browser stops the download at 224 MB.

Extensions that are blocked:

7z, bat, cab, chm, class, cpl, encrypted-rar, encrypted-zip, flash, hlp, hta, jar, msi, Multi-Level-Encoding, ocx, pif, rar, rtf, scr, tar, torrent, vbe, wsf

 

If I turn off the file extension blocking, the download works.

The file that I want to download is:

HPE Gen10 Service Pack for ProLiant

Please, can you help me out?

5 REPLIES

Cyber Elite

@smledv,

Just to verify, when you turn off file-blocking are you solely removing the file-blocking profile and leaving absolutely everything else the same? I've found that sometimes when people say that they're excluding a system from a profile, what they tend to do is remove all profiles from the rule. It might be beneficial in this instance to set up a profile that simply alerts on all files and assign it to a targeted rule for this node for testing purposes. That way you can see exactly what the firewall is recording and what it's able to see when downloading the ISO.

If you're encountering a block the firewall should record it properly, but I wouldn't be all that shocked to see you encountering some 11.1 bug that is causing the firewall to act without recording it properly. You may have to actually capture the traffic

L1 Bithead

Hi BPry,

Thanks for your advice, I really didn't think about it.

It is the Anti-Spyware Profile with the feature Enable cloud inline analysis.

How can I see Anti-Spyware errors / events in Monitoring/Log?

 

L1 Bithead

It is the Anti-Spyware Profile with the feature Enable cloud inline analysis.

How can I see Anti-Spyware errors / events in Monitoring/Log?

Cyber Elite

@smledv,

Specifically you would be looking at the threat logs in that event to see what is triggering. Just as a reminder, the unified logs will only search the log types that you have actively selected. It should have traffic, threat, url, data, and wildfire selected by default but that's something that you can modify. 

 

L1 Bithead

Hi BPry,

Many thanks for your response.

Unfortunately I can't see in the Monitor threat and unified logs why it aborts the download.

Attached are the screenshots.

Maybe someone would like to try the link:

HPE Service Pack for Gen 10
