Anne
New Member
June 18, 2013
Question

Blocking the users from downloading executables

  • June 18, 2013
  • 13 replies
  • 15930 views
Hi there, I am deploying a web filtering solution for a customer using Fortinet UTM. It is working fine. The only thing that I am unable to do at the moment is "How can I prevent users from downloading executables?" Thanks in advance. Rgds Anu


    Dmp
    New Member
    June 18, 2013
Add a new DLP sensor, filter "files", file type included in "all_executables", examining HTTP, FTP, action "block". Then add the sensor to your firewall policy. Let me know if it works for you. Regards, Martin
    Rick_H
    New Member
    June 18, 2013
    Could you use the Data Leak Prevention (DLP) portion of UTM for this? You can specifically list Executable files as a type of restriction. You can also list specific file formats. Click here (4.3.x) and have a look at pg 173 or here (5.0.x) and have a look at pg 106.
    Dave_Hall
    New Member
    June 18, 2013
    You may want to exclude certain sites from this, such as Microsoft/Windows Update sites, which may prevent computers/users from downloading needed updates if exe files are blocked outright. What you can do is create a list of exempted FQDN sites and group them together, create a firewall policy that excludes these sites from DLP/UTM and move it near the top of the firewall chain, assuming you trust the security placed on the DNS servers your company uses. An example:

    config firewall address
        edit "update.microsoft.com"
            set associated-interface "wan1"
            set type fqdn
            set fqdn "update.microsoft.com"
        next
        edit "download.windowsupdate.com"
            set associated-interface "wan1"
            set type fqdn
            set fqdn "download.windowsupdate.com"
        next
        edit "windowsupdate.microsoft.com"
            set associated-interface "wan1"
            set type fqdn
            set fqdn "windowsupdate.microsoft.com"
        next
    end
    config firewall addrgrp
        edit "Windows-Updates"
            set member "download.windowsupdate.com" "update.microsoft.com" "windowsupdate.microsoft.com"
        next
    end
    config firewall policy
        edit 99
            set srcintf "internal_net"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "Windows-Updates"
            set action accept
            set schedule "always"
            set service "ANY"
            set nat enable
        next
    end
    Anne
    AnneAuthor
    New Member
    June 19, 2013
    Thanks All. Thanks Dave. This is actually what I wanted to do. Rgds Anne
    Anne
    AnneAuthor
    New Member
    June 20, 2013
    Hi Dave, I did that and it does not work. I am unable to download executables now, which is good. What is not good is that I am unable to download executables from trusted websites as well. I created a group called "Trusted Download Websites". I created a firewall object "Sun" and selected Type as "FQDN" and FQDN as "http://www.sun.com", Interface as "WAN1". I created a firewall rule (this is on the top):
        Source: Test PC
        Source Interface: Internal
        Destination: "Trusted Download Websites"
        Destination Interface: WAN1
        Service: ANY
        NAT: Enable
    Next to this rule, I have another rule:
        Source: Test PC
        Source Interface: Internal
        Destination: ALL
        Destination Interface: WAN1
        Service: http, https
        NAT: Enable
        UTM: Enable DLP Sensor (which blocks the executables)
    I logged onto Test PC, typed "http://www.sun.com" and clicked enter. On the firewall, it should hit my first rule and I should see the count increasing. But that's not what's happening. It still hits my second rule. I wonder what I am doing wrong.
    Anne
    AnneAuthor
    New Member
    June 20, 2013
    Also, I can ping www.sun.com from the firewall, so it does not look like a DNS issue.
    ede_pfau
    SuperUser
    June 20, 2013
    An address is NOT a URL. Put "www.sun.com" into the address object, not the URL, and try again. BTW, I don't think Java updates come from sun.com but oracle.com. But sun.com might just be an example.
    Anne
    AnneAuthor
    New Member
    June 20, 2013
    Sorry guys, it is not as easy as it sounds. No matter what you do, the DLP feature takes precedence over everything else. I have logged a TAC case and let's see what they come up with.
    Dave_Hall
    New Member
    June 20, 2013
    Have you disconnected any open sessions (or rebooted the fgt) after making the changes as per ede_pfau?
    Anne
    AnneAuthor
    New Member
    June 20, 2013
    No, I have not
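
    Putting the checks from ede_pfau's and Dave_Hall's replies into one sequence, as an added example that is not part of the thread and not Fortinet's own documentation. Command syntax follows the FortiOS 5.0 CLI; the object name "Sun", the policy IDs (1 = exemption policy, 2 = policy carrying the DLP sensor) and the test PC address 192.0.2.10 are assumptions. The point it illustrates is that an FQDN address object is matched on the destination IP the FortiGate resolved, not on the URL the browser typed, and that sessions opened under the old policy order stay with that policy until they are cleared.

```fortios
# Added example (not from the thread). FortiOS 5.0 syntax; names, IDs and the test PC address are assumed.

# 1. The fqdn field holds a host name, never a URL with a scheme or path.
config firewall address
    edit "Sun"
        set type fqdn
        set fqdn "www.sun.com"
        set associated-interface "wan1"
    next
end

# 2. See what the unit itself resolved the object to. The policy matches on these IPs,
#    so the test PC must resolve the name to one of them (same DNS servers, or at least
#    the same answer). "execute ping" only proves the firewall can resolve the name.
diagnose firewall fqdn list
execute ping www.sun.com

# 3. Policies are evaluated top down; the exemption must sit above the DLP policy.
config firewall policy
    move 1 before 2
end
show firewall policy 1

# 4. Existing sessions keep the policy they were created under. Clear the test PC's
#    sessions so new connections are matched against the corrected order.
diagnose sys session filter clear
diagnose sys session filter src 192.0.2.10
diagnose sys session list
diagnose sys session clear

# 5. Browse to http://www.sun.com again and watch the hit count on policy 1.
```

    If step 2 shows the FortiGate resolving the name to addresses different from the ones the client gets (typical for CDN-hosted download sites with many A records), the exemption will still miss and the request falls through to the DLP policy; pointing the clients and the FortiGate at the same DNS servers is the usual fix.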