Downloading of MP3 is Blocked with File Blocking Profile Configured to Block Uploads
Downloading of MP3 is Blocked with File Blocking Profile Configured to Block Uploads
0
Created On 09/26/18 13:51 PM - Last Modified 07/19/22 23:09 PM
Resolution
Issue
A file blocking profile has been configured to block uploads only. However, the downloading of an MP3 file is considered an upload event in the Palo Alto Networks firewall and is blocked. If a file blocking profile is configured to block downloads only, both upload and download events will be allowed.
Details
An MP3 file can have two signatures:
MPEG-1 Layer 3 file without an ID3 tag or with an ID3v1 tag (which's appended at the end of the file) The ID3v1 tag occupies 128 bytes, beginning with the string TAG 128 bytes from the end of the file
MP3 file with an ID3v2 container
Cause
For most file type signatures, files are detected by the Palo Alto Networks firewall based on various attributes in the file itself, including MIME characteristics and other data. MP3 files however do not have conventions that require the ID3 tags to be at the beginning or end of file, or even be present. This causes fileblocking profiles to rely on the .mp3 extension as the payload may not provide a positive match. Due to the use of the extension rather than inserting the file into the content engine, the software is unable to determine which direction the file is traveling. This restriction applies only to MP3 files as other files will be processed by the content engine and direction can be determined.