Palo Alto Networks Knowledgebase: Tips from the Field: File blocking profile
Tips from the Field: File blocking profile
Created On 02/07/19 23:50 PM - Last Updated 02/07/19 23:50 PM
Ever wonder where to start when configuring file blocking profiles, or if it's even useful to enable in the first place? Some file types, like EXE or PE, seem straightforward. But we sometimes overlook other file types—for example, a friendly .hlp file, a funny screensaver from a friend, or an inconspicuous .lnk file. We'll take a look at a couple of different file types that can be controlled by the file blocking profile so you can decide what's useful to block.
Watch those hlp and lnk file types
The help and link file types are primarily used in the Windows operating system to provide some assistance to the user, but in most cases, there's no reason to download such files from the internet.
Blast from the past with scr
Used mostly for installable screensavers, the scr file format was most popular in the 90s and heavily abused as a transport for malware.
The power of multi-level-encoding
Before PAN-OS 7.0, the Palo Alto Networks firewall was able to decode up to two levels of encoding. Files exceeding this level would be allowed to bypass file blocking. Since PAN-OS 7.0, the maximum level of decoding has been increased to 4.
Examples of encoding levels:
Word document (docx) in a zip file sent by email defines three levels of encoding
Word document (docx) zipped and sent through HTTP chunk encoding and gzip compression defines four levels of encoding
Any files hidden in more levels of encoding are now be blocked using Multi-Level-Encoding.
PE files from unknown category websites
Another consideration—when allowing the download of PE or Portable Executable files from the internet, where do they come from?
If the website is a trusted or known entity providing trustworthy tools, you may want to allow these files to be downloaded. Most malware sites, on the other hand, are either already categorized as a malware site, or have only recently been registered and are in an unknown category.
Setting up a file blocking profile for PE files, in conjunction with a security policy restricting access to unknown, malware, parked, phishing, and private-IP-address categories can help prevent the download of malware while allowing legitimate downloads from trustworthy sites.
Below you can see an example security policy where rule #1 is intended to block filetypes from certain categories, rule #2 will allow downloads from certain categories and rule #3 will be the catchall for all other outbound sessions