03-22-2016 11:24 AM
Block?
Isn't that only an option for a "file blocking" policy?
I thought it was in version 7.0.X where they decoupled fileblocking with WF. So in 7.0.X WF has its own policy and the only options I see really are upload/download directionality and where the WF analysis would be.
03-23-2016 01:36 AM
Hi
The forward option in fileblocking (I'm assuming you're on 6.1) is technically an 'allow and log' option in the fileblocking portion and a forward option in the WildFire portion: the file is allowed to pass through and while it goes through the firewall, it collects all the packets that make up the file and once complete sends it off to WildFire for analysis. (If it is found to be malicious, a signature is created that is then sent to the firewall in the form of an AV signature.)
When 'block' is selected as action, the fileblocking will kick in and halt any file that matches the policy, but the file will no longer be forwarded to WildFire (as it has been blocked).
Hope this helps.
03-23-2016 05:43 AM
Well, it seems like you lose the long-term benefit of the information coming back to you in the threat prevention but get an immediate gain of it being blocked. Hard to decide which way to go.
03-23-2016 05:44 AM
Yup, you can choose block instead of forward.
03-23-2016 06:17 AM
Both options have their merits.
The block option will block all files of a certain type; filetypes that are unwanted in an organization can simply all be blocked, no matter what the content.
The forward option allows for users to download files while you get the files scanned for nasties. Once a nasty has been identified, further downloads will be blocked by AV and you will be informed about an infection.
03-23-2016 07:28 AM
Very hard to choose, though the best practices from PA for OS 6.1 suggest blocking for WildFire on the PE. I am using the "free" version of WildFire that only works for PEs.
03-23-2016 07:37 AM
The big question: are your users supposed to download executables (PE), which means they could be installing software on their computers?
If no: block.
If yes: all of them, or just the IT guys?
You can still create policy that blocks PE downloads for most users but allows, and forwards, it for the IT group, for example.
I'd personally prefer my userbase not to be downloading random software from the internet and provide them with the tools they need through my IT system, but that is not always an option (policy may contradict my wishes, or resource restrictions may prevent this mode of operation).