File blocking is configured on an enterprise's gateway to reduce the risk of virus infection and to prevent information leaks.

As shown in Figure 1, the FW is deployed at the enterprise's network border as a security gateway. In addition to keeping the network operating normally, the networking solution must meet the following requirements:

- Prevent information leaks: the FW prevents employees from uploading document files, code files (such as C, CPP, VBS, and JAVA files), and compressed files to the intranet server or the Internet.
- Reduce the risk of virus infection: the FW prohibits employees from downloading executable files from the Internet and prevents Internet users from uploading executable files to the intranet server.
- Prevent non-work-related downloads: the FW prevents non-work-related file downloads from the Internet so that productivity stays high.

Users in this example have already been added to the FW, and the authentication configuration is complete.
| Item | Data | Description |
|---|---|---|
| policy_sec_user1 | Source zone: trust; destination zone: untrust; user group: /default/user; file blocking profile: profile_file_user1; action: permit | Security policy policy_sec_user1 allows employees to access the Internet and references file blocking profile profile_file_user1 to prohibit employees from uploading document files, code files, and compressed files to the Internet and from downloading executable files and videos from the Internet. |
| policy_sec_user2 | Source zone: trust; destination zone: dmz; destination address: 10.2.0.0/24; user group: /default/user; file blocking profile: profile_file_user2; action: permit | Security policy policy_sec_user2 allows employees to access the intranet server and references file blocking profile profile_file_user2 to prohibit employees from uploading document files, code files, and compressed files to the intranet server. |
| policy_sec_internet | Source zone: untrust; destination zone: dmz; destination address: 10.2.0.0/24; file blocking profile: profile_file_internet; action: permit | Security policy policy_sec_internet allows Internet users to access the intranet server and references file blocking profile profile_file_internet to prevent Internet users from uploading executable files to the intranet server. |
| profile_file_user1 | rule1: direction upload, action block | rule1 in file blocking profile profile_file_user1 prohibits the upload of document files, code files, and compressed files. |
| profile_file_user1 | rule2: direction download, action block | rule2 in file blocking profile profile_file_user1 prohibits the download of executable files, videos, and audio files. |
| profile_file_user2 | rule1: direction upload, action block | rule1 in file blocking profile profile_file_user2 prohibits the upload of document files, code files, and compressed files. |
| profile_file_internet | rule1: direction upload, action block | rule1 in file blocking profile profile_file_internet prohibits the upload of executable files. |
```
#
profile type file-block name profile_file_user1
 rule name rule1
  file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
  file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
  file-type pre-defined name BZ2 C CPP JAVA
  application all
  direction upload
  action block
 rule name rule2
  file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV
  file-type pre-defined name MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
  application all
  direction download
  action block
profile type file-block name profile_file_user2
 rule name rule1
  file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP
  file-type pre-defined name ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB
  file-type pre-defined name BZ2 C CPP JAVA
  application all
  direction upload
  action block
profile type file-block name profile_file_internet
 rule name rule1
  file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE
  application all
  direction upload
  action block
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
security-policy
 rule name policy_sec_user1
  description Allows employees to access the Internet.
  source-zone trust
  destination-zone untrust
  user user-group /default/user
  profile file-block profile_file_user1
  action permit
 rule name policy_sec_user2
  description Allows employees to access the intranet server.
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.0 24
  user user-group /default/user
  profile file-block profile_file_user2
  action permit
 rule name policy_sec_internet
  description Allows Internet users to access the intranet server.
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 24
  profile file-block profile_file_internet
  action permit
```
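The following is an added example, not the vendor's code or part of the original configuration guide. It models how the table and script above fit together: a transfer first has to match a security policy (zones, destination address, user group), and only a permitted transfer is then checked against the referenced file blocking profile, whose rule applies by direction and identified file type. The parser handles the subset of the script shown; how the FW identifies a file's type is outside the model, so callers pass the identified type (for example "ZIP") directly. The Internet address 203.0.113.10 and the DMZ host 10.2.0.5 used in the sample calls are constructed.

```python
"""Policy evaluator for the file-blocking setup on this page (added example, not
the vendor's code): parse the page's profiles and policies, then decide for one
transfer which policy matches and whether the referenced profile blocks it."""
import ipaddress

# Constructed input: the page's profiles and security-policy rules. File-type lists
# are joined onto one line per rule; "application all", description, interface and
# zone lines are left out because the model does not use them.
CONFIG = """\
profile type file-block name profile_file_user1
 rule name rule1
  file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB BZ2 C CPP JAVA
  direction upload
  action block
 rule name rule2
  file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE MDI MOV MPEG AVI RMVB ASF SWF MP3 MP4 MIDI
  direction download
  action block
profile type file-block name profile_file_user2
 rule name rule1
  file-type pre-defined name DOC PPT XLS MSOFFICE DOCX PPTX XLSX PDF VSD MPP ODS ODT ODP EML UOF RAR TAR ZIP GZIP CAB BZ2 C CPP JAVA
  direction upload
  action block
profile type file-block name profile_file_internet
 rule name rule1
  file-type pre-defined name EXE MSI RPM OCX A ELF DLL PE
  direction upload
  action block
security-policy
 rule name policy_sec_user1
  source-zone trust
  destination-zone untrust
  user user-group /default/user
  profile file-block profile_file_user1
  action permit
 rule name policy_sec_user2
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.0 24
  user user-group /default/user
  profile file-block profile_file_user2
  action permit
 rule name policy_sec_internet
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 24
  profile file-block profile_file_internet
  action permit
"""

def parse(text):
    """Return ({profile_name: [rule spec, ...]}, [policy spec, ...]) in script order."""
    profiles, policies, rules, cur = {}, [], None, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:3] == ["profile", "type", "file-block"]:  # start of a profile
            rules = profiles.setdefault(w[4], [])
        elif w[0] == "security-policy":                 # start of the policy section
            rules = policies
        elif w[:2] == ["rule", "name"]:                 # rule inside either section
            cur = {"name": w[2], "types": set(), "match": {}}
            rules.append(cur)
        elif w[:2] == ["file-type", "pre-defined"]:     # "file-type pre-defined name T T ..."
            cur["types"].update(w[3:])
        elif w[:2] == ["profile", "file-block"]:        # policy references a profile
            cur["file_block"] = w[2]
        elif w[0] == "destination-address":             # "<network> <prefix-length>"
            cur["match"][w[0]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[0] == "user":                            # "user user-group <group>"
            cur["match"]["user-group"] = w[2]
        elif w[0] in ("source-zone", "destination-zone"):
            cur["match"][w[0]] = w[1]
        else:                                           # direction / action
            cur[w[0]] = w[1]
    return profiles, policies

def evaluate(flow, profiles, policies):
    """First policy whose conditions all hold decides; a permitted transfer is then
    checked against the referenced profile. Model assumption: no match means deny."""
    for p in policies:
        m = p["match"]
        if ((m["source-zone"], m["destination-zone"]) != (flow["src_zone"], flow["dst_zone"])
                or ("user-group" in m and flow.get("user_group") != m["user-group"])
                or ("destination-address" in m
                    and ipaddress.ip_address(flow["dst_ip"]) not in m["destination-address"])):
            continue
        if p["action"] != "permit":
            return p["name"], "deny"
        for r in profiles.get(p.get("file_block"), []):  # profile rule by direction and type
            if r["direction"] == flow["direction"] and flow["file_type"] in r["types"]:
                return p["name"], f"{r['action']} by {p['file_block']}/{r['name']}"
        return p["name"], "permit"
    return None, "deny"

def verdict(src_zone, dst_zone, dst_ip, direction, file_type, user_group=None):
    """direction is 'upload' (client to server) or 'download', as the page uses them."""
    flow = dict(src_zone=src_zone, dst_zone=dst_zone, dst_ip=dst_ip,
                direction=direction, file_type=file_type, user_group=user_group)
    return evaluate(flow, *parse(CONFIG))

if __name__ == "__main__":  # 203.0.113.10 and 10.2.0.5 are constructed addresses
    print(verdict("trust", "untrust", "203.0.113.10", "upload", "ZIP", "/default/user"))
    print(verdict("trust", "dmz", "10.2.0.5", "download", "EXE", "/default/user"))
    print(verdict("untrust", "dmz", "10.2.0.5", "upload", "EXE"))
```

Two results are worth checking against the requirements. An employee downloading an executable from the intranet server is permitted, because profile_file_user2 has an upload rule only; that matches the stated requirement (executable downloads are restricted from the Internet), but it is the kind of asymmetry to confirm deliberately. The requirement text also lists VBS among the code files to block, while the profiles' pre-defined lists name C, CPP and JAVA only, so a VBS upload to the Internet evaluates to permit under this script.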