File Blocking Profile Recognises .docx file as a .zip file
Created On 09/25/18 19:36 PM - Last Modified 05/14/25 11:13 AM
Symptom
If the file blocking profile on the Palo Alto Networks firewall is configured to allow only the .docx file type and block all other file types, a .docx file passing through the firewall still matches the second (bottom) rule and is blocked instead of passed through.
Environment
- Any PAN-OS
- Any Firewall
- File blocking configured
Cause
- The .docx file type is a format for Microsoft Office documents (2007 and above). It is a combination of XML architecture and ZIP compression for size reduction. When a file is opened, it is automatically unzipped. When the file is saved, it is automatically zipped again.
- In the following link, the Wikipedia article explains the creation of the .docx file in more detail:
A .docx file is an XML-based, zipped file. Therefore, when the file blocking profile is configured to block .zip files, the Palo Alto Networks firewall also blocks .docx files, because it detects the file format first as zip and then as docx.
Resolution
- Allow the ZIP files.
- When the firewall detects the ZIP file, it inspects it and then identifies the files inside it.
- It will alert on docx files and follow the rest of the rules for the other file extensions as configured.
- If the ZIP file contains a file other than docx, then it is not a docx file; if other extensions are covered by a block rule, the firewall blocks the transfer of the entire ZIP or corrupts the ZIP file by interrupting the transfer.
- Below is a single docx file being transferred:
- Below is a ZIP file with many other files inside it:
- Below is the same ZIP file with many files inside, being denied as PHP is denied per file blocking rules:
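
The behaviour described under Cause and Resolution can be reproduced offline with the added example below. It is not Palo Alto Networks code: the first-match rule model in `evaluate`, the rule lists and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that starts a ZIP archive

def make_zip(members):
    """Build a ZIP archive in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def identify(data):
    """Return detected types, outermost first: ['zip'] or ['zip', 'docx']."""
    if not data.startswith(ZIP_MAGIC):
        return ["unknown"]
    names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    # A Word document is a ZIP container holding these XML parts.
    if {"[Content_Types].xml", "word/document.xml"} <= names:
        return ["zip", "docx"]
    return ["zip"]

def evaluate(data, rules, default="block"):
    """Hypothetical first-match profile; rules is a list of (file_type, action)."""
    types = identify(data)
    if types == ["zip"]:  # plain archive: member extensions are checked too
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        types += sorted({n.rsplit(".", 1)[-1].lower() for n in names if "." in n})
    verdicts = []
    for t in types:
        action = next((a for ft, a in rules if ft in (t, "any")), default)
        verdicts.append((t, action))
        if action == "block":
            break  # the transfer is interrupted at the first blocked type
    return verdicts

# Constructed samples: a minimal docx-shaped archive and a mixed ZIP.
DOCX = make_zip({"[Content_Types].xml": b"<Types/>",
                 "word/document.xml": b"<w:document/>"})
MIXED = make_zip({"notes.txt": b"hello", "index.php": b"<?php ?>"})
SYMPTOM = [("docx", "alert"), ("any", "block")]  # docx only, block the rest
RESOLVED = [("zip", "alert"), ("docx", "alert"), ("php", "block"), ("any", "block")]

if __name__ == "__main__":
    print("docx, symptom profile: ", evaluate(DOCX, SYMPTOM))
    print("docx, zip allowed:     ", evaluate(DOCX, RESOLVED))
    print("mixed zip, zip allowed:", evaluate(MIXED, RESOLVED))
```

With the symptom profile the document is stopped at the outer zip type before docx is ever considered; once zip is allowed, the docx passes and the mixed archive is still stopped at its PHP member.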