Understanding File Blocking

The FW identifies the types of transferred files, and blocks or generates alarms on the specified types of files.

If traffic passing through the FW matches a security rule whose action is permit and which references a file blocking profile, the FW applies file blocking to that traffic. The mechanism of file blocking is as follows:

  1. The FW identifies the following file attributes:

    • Application: Files are transferred over application protocols such as HTTP, FTP, SMTP, POP3, NFS, SMB, and IMAP.
    • File transfer direction: The value can be upload or download.
    • File type: The FW can identify the real file type. For example, if a Word document is renamed from file.doc to file.exe, its file type is still doc.
    • File name extension: The value is the suffix of a file name. For example, the file name extensions of file.doc and file.exe are doc and exe respectively.
  2. The FW handles file identification exceptions according to the action configured for each type of anomaly. Usually, the default values are used.

    The possible anomalies in file type identification are as follows:

    • Mismatched file name extension: The file type and file name extension do not match.
    • Unidentifiable file type: The file type cannot be identified and no file name extension exists.
    • Damaged file: The file is damaged and its type cannot be identified.
  3. As shown in Table 1, the FW uses the file identification result and the action for file identification exceptions to determine whether to match the file with file blocking rules and which matching conditions to use.

    To implement the matching of file blocking rules, the FW matches file attributes (application, direction, file type, and file name extension) with the rules defined in the file blocking profile.

    If the attributes of a file meet all conditions in a file blocking rule, the file matches the rule successfully. If the attributes of a file do not meet one or more conditions, the FW matches the file attributes with the next rule. If a file does not match any rule, the FW allows the file transfer.

    If a file matches a rule, the FW implements the action defined in the rule. If the action is Block, the FW blocks the file. If the action is Alert, the FW allows the file transfer and generates a log.

    Table 1 File identification results and follow-up processing

    | File Identification | Actions for File Identification Exceptions | Rule Matching |
    |---|---|---|
    | The file type and file name extension are consistent. | - | The FW matches the file type with file blocking rules. Matching conditions are the application, file type, and direction. |
    | The file type and file name extension are inconsistent. | The FW implements one of the following actions for a mismatched file name extension: Allow: Allows the file transfer and matches the file with file blocking rules; Alert: Allows the file transfer, generates a log, and matches the file with file blocking rules; Block: Blocks the file transfer and generates a log. | If the FW matches the file with file blocking rules by type, the matching conditions are Application, File Type, and Direction. |
    | The file type cannot be identified, but the file name extension exists. | - | If the FW matches the file with file blocking rules by name extension, the matching conditions are Application, File Extension, and Direction. |
    | The file type cannot be identified and no file name extension exists. | The FW implements one of the following actions for an unidentified file type: Allow: Allows the file transfer; Alert: Allows the file transfer and generates a log; Block: Blocks the file transfer and generates a log. | - |
    | The file is damaged. | The FW implements one of the following actions for a damaged file: Allow: Allows the file transfer; Alert: Allows the file transfer and generates a log; Block: Blocks the file transfer and generates a log. | - |
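
The decision flow of steps 1 to 3 and Table 1, written out as a small Python model that can be used to reason about what a given profile does with a given file. This is an added example, not Huawei code or device configuration syntax: the class and field names, the exception-action values and the sample rules are assumptions made for illustration, and it treats an identified type as consistent with the extension only when the two strings are equal.

```python
from dataclasses import dataclass

@dataclass
class File:
    app: str
    direction: str              # "upload" or "download"
    ftype: "str | None"         # real type from content; None = not identifiable
    ext: "str | None"           # file name suffix; None = no extension
    damaged: bool = False

@dataclass
class Rule:
    name: str
    apps: set
    directions: set
    types: set                  # compared when the real type is known
    exts: set                   # compared when only the extension is known
    action: str                 # "block" or "alert"

@dataclass
class Profile:
    rules: list
    on_mismatch: str = "allow"      # exception actions (constructed values,
    on_unidentified: str = "allow"  # not the product's defaults)
    on_damaged: str = "allow"

def evaluate(f, p):                 # returns (verdict, log)
    log = []
    def handle(kind, action):       # exception handling; True = block now
        if action in ("alert", "block"):
            log.append(f"{kind}: {action}")
        return action == "block"
    if f.damaged or (f.ftype is None and f.ext is None):  # never matched to rules
        kind, act = ("damaged", p.on_damaged) if f.damaged else ("unidentified", p.on_unidentified)
        return ("block" if handle(kind, act) else "allow"), log
    if f.ftype is not None and f.ftype != f.ext and handle("mismatch", p.on_mismatch):
        return "block", log
    for r in p.rules:               # first rule whose conditions all hold wins
        hit = f.ftype in r.types if f.ftype is not None else f.ext in r.exts
        if f.app in r.apps and f.direction in r.directions and hit:
            if r.action == "alert": # the page states a log only for Alert
                log.append(f"rule {r.name}: alert")
            return ("block" if r.action == "block" else "allow"), log
    return "allow", log             # no rule matched: transfer is allowed

RULES = [Rule("no-exe", {"HTTP", "SMTP"}, {"download"}, {"exe"}, {"exe"}, "block"),
         Rule("watch-doc", {"HTTP"}, {"upload", "download"}, {"doc"}, {"doc"}, "alert")]
PROFILE = Profile(RULES, on_mismatch="alert")   # constructed sample, not a real device
RENAMED_DOC = File("HTTP", "download", "doc", "exe")   # the page's file.doc -> file.exe
```

Calling `evaluate(RENAMED_DOC, PROFILE)` shows the renamed Word document being judged by its real type: the mismatch is logged and the doc rule applies, not the exe rule.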

Copyright © Huawei Technologies Co., Ltd.