File Blocking Profile Recognizes .docx file as a .zip file

Created On 09/25/18 19:36 PM - Last Modified 06/12/23 20:50 PM


Resolution


PAN-OS 5.0 and above

 

Issue

For PAN-OS 5.0, 6.0, 6.1 and above, if the file blocking profile on the Palo Alto Networks firewall is configured to allow only the .docx file extension and block all other file types, a .docx file passing through the firewall will still match the second (bottom) rule of the profile and be blocked instead of passed through.

 

Cause

The .docx file type is a new format for Microsoft Office documents (2007 and above). It is a combination of XML architecture and ZIP compression for size reduction. When a file is opened, it is automatically unzipped. When the file is saved, it is automatically zipped again. The following Microsoft article explains the creation of the .docx file in more detail:

http://office.microsoft.com/en-us/help/introduction-to-new-file-name-extensions-HA010006935.aspx

 

As Microsoft has indicated, the .docx file is actually a .zip file. Therefore, when the file blocking profile is configured to block .zip files, the Palo Alto Networks firewall will also block .docx files as it will detect the file format as either .zip or .docx.
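The overlap described above can be reproduced offline. The following Python sketch is an added example, not code from Palo Alto Networks or from the original article, and it does not represent the firewall's actual detection logic. The names `build_zip` and `classify` and the sample data are hypothetical. It shows that a Word-style package begins with the same ZIP signature as any archive, so a content-based check matches it as both .zip and .docx.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that starts a ZIP archive


def build_zip(members):
    """Return the bytes of an in-memory ZIP archive holding the given {name: data} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify(data):
    """Return the set of types the content matches: 'zip', plus 'docx' for a Word package."""
    matches = set()
    if not data.startswith(ZIP_MAGIC) or not zipfile.is_zipfile(io.BytesIO(data)):
        return matches
    matches.add("zip")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    # An Office Open XML Word package carries these two parts inside the ZIP container.
    if {"[Content_Types].xml", "word/document.xml"} <= names:
        matches.add("docx")
    return matches


# Constructed sample inputs (not real documents): a minimal Word-style package and a plain archive.
SAMPLE_DOCX = build_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
SAMPLE_ZIP = build_zip({"notes.txt": "hello"})

if __name__ == "__main__":
    for label, blob in (("sample.docx", SAMPLE_DOCX), ("sample.zip", SAMPLE_ZIP)):
        print(label, blob[:4], sorted(classify(blob)))
```

Because the Word-style sample matches both types, a rule that blocks .zip also applies to it, which is the behavior this article describes.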

 

owner: djoksimovic


