Could you use the Data Leak Prevention (DLP) portion of UTM for this? You can specifically list Executable files as a type of restriction. You can also list specific file formats. Click here (4.3.x) and have a look at pg 173 or here (5.0.x) and have a look at pg 106.

You may want to exclude certain sites from this, such as Microsoft/windows update sites, which may prevent computers/users from downloading needed updates if exe files are blocked outright. What you can do is create a list of exempted fqdn sites and group them together, create a firewall policy that excludes these sites from DLP/UTM and move it near the top of the firewall chain....assuming you trust the security placed on the DNS servers your company uses. An example.....

 config firewall address
     edit " update.microsoft.com" 
         set associated-interface " wan1" 
         set type fqdn
         set fqdn " update.microsoft.com" 
     next
     edit " download.windowsupdate.com" 
         set associated-interface " wan1" 
         set type fqdn
         set fqdn " download.windowsupdate.com" 
     next
     edit " windowsupdate.microsoft.com" 
         set associated-interface " wan1" 
         set type fqdn
         set fqdn " windowsupdate.microsoft.com" 
     next
 end
 config firewall addrgrp
     edit " Windows-Updates" 
             set member " download.windowsupdate.com"  " update.microsoft.com"  " windowsupdate.microsoft.com"              
     next
 end
 config firewall policy
     edit 99
         set srcintf " internal_net" 
         set dstintf " wan1" 
             set srcaddr " all"              
             set dstaddr " Windows-Updates" 
         set action accept
         set schedule " always" 
             set service " ANY"              
         set nat enable
     next
 end

Thanks All. Thanks Dave. This is actually what I wanted to do. Rgds Anne

Hi Dave, I did that and it does not work. I am unable to download executables now which is good. What is not good is that I am unable to download executables from trusted websites as well. I created a group called " Trusted Download Websites" . I created a Firewall object " Sun" and selected Type as " FQDN" and FQDN as " http://www.sun.com" . Interface as " WAN1" I created a Firewall Rule: (this is on the top) Source: Test PC Source Interface: Internal Destination: " Trusted Download Websites" Destination Interface: WAN1 Service: ANY NAT: Enable Next to this rule, I have another rule: Source: Test PC Source Interface: Internal Destination:ALL Destination Interface: WAN1 Service: http,https NAT: Enable UTM: Enable DLP Sensor (which blocks the executables) I logged onto Test PC and type " http://www.sun.com" and click enter. On the Firewall, it should hit my first rule and I should see the Count Increasing. But that' s not what' s happening. It still hits my second rule. I wonder what I am doing wrong.

Also, I can ping www.sun.com from the Firewall So does not look like DNS issue

An address is NOT a URL. Put " www.sun.com" into the address object not the URL, and try again. BTW, I don' t think Java updates come from sun.com but oracle.com. But sun.com might just be an example.

Sorry Guys, it is not as easy as it sounds. No matter whatever you do, the DLP feature takes precedence over everything else. I have logged a TAC case and let' s see what they come up with

Have you disconnected any open sessions (or rebooted the fgt) after making the changes as per ede_pfau?