
Configuring File Blocking

This section describes how to configure file blocking.

Context

Each security policy rule references one file blocking profile to block the upload and download of the specified files or to generate logs when the specified files are detected.

The FW has a default file blocking profile named default. In the default profile, the action for all protocols, in both the upload and download directions, is set to Alert. You cannot modify or delete the default profile.

You can run the display profile type file-block name default command on the CLI to view the configuration information about the default profile. If you use the CLI to reference the default profile in a security policy, you must enter the complete profile name (such as default). Otherwise, the profile fails to be referenced. To view the configuration result, run the display current-configuration command. The output shows that the security policy references the default profile, but the configuration information about the default profile is not displayed.

The FW supports user-defined profiles. You can specify different actions for each file category in its upload and download directions.

Procedure

  1. Access the system view.

    system-view

  2. Create a file blocking profile and display the file blocking profile view.

    profile type file-block name name

    The system has a default file blocking profile default. The profile can be copied or referenced by security policies, but cannot be modified or deleted.

  3. Configure the description of a file blocking profile.

    description description

  4. Create a file blocking rule and display the file blocking rule view.

    rule name name

  5. Configure the application type for a file blocking rule.

    application { type type &<1-10> | all }

  6. Configure the predefined types of files to be filtered.

    file-type pre-defined { name file-type &<1-10> | all }

  7. Configure the user-defined types of files to be filtered.

    file-type user-defined name file-type &<1-10>

    A user-defined file type is a file name extension specified by an administrator. It supplements the predefined file types.

  8. Set a direction to which file blocking applies.

    direction { both | download | upload }

    The default transfer direction for file blocking is upload.

  9. Configure the action for a file blocking rule.

    action { alert | block | qos remark dscp dscp-value }

    The default action for a file blocking rule is alert.

    • Because the device does not support the block action for NFS, if the application is NFS and the action is block, the device will take the alert action.

    • If the application is IMAP or POP3 and the action is block, the device will delete attachments.

  10. Return to the system view and commit the profile.

    engine configuration commit

    The new or modified security profile does not take effect until you run the engine configuration commit command to commit the configuration. To save time, you can commit changes after all changes are made.
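
The defaults and exceptions in steps 8 to 10 are easy to miss when reviewing a change. The following Python check is an added example, not Huawei code: it reads a command sequence typed as in the procedure and reports where the effective behaviour differs from what the commands appear to say. The profile name, rule names and the application keywords NFS, HTTP and IMAP are constructed assumptions.

```python
# Constructed sample: commands typed in the order of the procedure above.
# Assumption: NFS, HTTP and IMAP are accepted values for "application type".
SAMPLE = """\
system-view
profile type file-block name office_files
rule name stop_all_types
application type NFS HTTP
file-type pre-defined all
action block
rule name mail_iso
application type IMAP
file-type user-defined name iso
direction both
action block
quit
quit
"""

def audit(config):
    """Return (rules, findings) for a typed file blocking command sequence."""
    rules, findings, cur, dirty = {}, [], None, False
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] in ("system-view", "quit"):
            continue
        if words == ["engine", "configuration", "commit"]:
            dirty = False
            continue
        dirty = True  # any other command leaves an uncommitted change
        if words[:2] == ["rule", "name"] and len(words) > 2:
            # Defaults stated on the page: direction upload, action alert.
            cur = rules.setdefault(words[2], {"apps": set(), "direction": "upload", "action": "alert"})
        elif cur is not None and words[0] == "application" and len(words) > 1:
            cur["apps"] = {"ALL"} if words[1] == "all" else {w.upper() for w in words[2:]}
        elif cur is not None and words[0] in ("direction", "action") and len(words) > 1:
            cur[words[0]] = words[1]
    for name, r in rules.items():
        if r["direction"] == "upload":
            findings.append((name, "rule applies to uploads only"))
        if r["action"] == "alert":
            findings.append((name, "files are logged, not blocked"))
        if r["action"] == "block":
            if r["apps"] & {"NFS", "ALL"}:  # "all" is assumed to include NFS
                findings.append((name, "NFS is alerted, not blocked"))
            if r["apps"] & {"IMAP", "POP3", "ALL"}:
                findings.append((name, "IMAP/POP3 attachments are deleted"))
    if dirty:
        findings.append((None, "not in effect until engine configuration commit"))
    return rules, findings
```

Calling audit(SAMPLE) flags the first rule for relying on the default upload direction and for the NFS exception, the second for attachment deletion, and the whole sequence for the missing commit.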

Follow-up Procedure

  • In the file blocking profile view, rename the existing file blocking profile and enter the new file blocking profile view.

    rename new-name

  • In the system view, clone the existing file blocking profile and access the new file blocking profile view.

    profile type file-block copy old-name [ new-name ]

  • In the file blocking profile view, change the positions of file blocking rules.

    rule move name1 { after | before } name2

  • In the file blocking rule view, rename the existing file blocking rule and enter the new file blocking rule view.

    rename new-name

Copyright © Huawei Technologies Co., Ltd.