Blocking the users from downloading executables
Hi there,
I am deploying web filtering solution for a customer using Fortinet UTM.
It is working fine. The only thing that I am unable to do at the moment is: how can I prevent users from downloading executables?
Thanks in advance.
Rgds
Anu
Add a new DLP sensor, filter "files", file type included in "all_executables", examining HTTP, FTP, action "block".
Then add the sensor to your firewall policy.
Let me know if it works for you.
Regards,
Martin
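The steps Martin describes, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the sensor and filter names, the policy ID and the interface names are assumptions, the syntax is FortiOS 5.0-style, and the numeric ID of the built-in "all_executables" file pattern is assumed to be 2 (check it on the unit with `show dlp filepattern`).

```fortios
# Added example, not from the thread. FortiOS 5.0-style syntax; names,
# policy ID and interfaces are assumptions.
config dlp sensor
    edit "block-executables"
        set comment "Block download of executable file types over HTTP/FTP"
        config filter
            edit 1
                set name "exe-download"
                set type file
                set proto http-get http-post ftp
                set filter-by file-type
                # ID of the built-in "all_executables" pattern table;
                # confirm with: show dlp filepattern
                set file-type 2
                set action block
            next
        end
    next
end

# Attach the sensor to the general outbound web/FTP policy.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "FTP"
        set utm-status enable
        set profile-protocol-options "default"
        set dlp-sensor "block-executables"
        set nat enable
    next
end
```

Two things to check before calling it done: the sensor only sees what the proxy decrypts, so executables fetched over HTTPS pass untouched unless SSL deep inspection is enabled on the same policy; and any exemption policy (specific FQDN destinations, no UTM) has to sit above this one in the policy list, because the first matching policy wins. To see which policy a test download actually hits, run `diagnose debug flow filter addr <test-pc-ip>` followed by `diagnose debug flow trace start 10` and repeat the download.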
Could you use the Data Leak Prevention (DLP) portion of UTM for this? You can specifically list Executable files as a type of restriction. You can also list specific file formats.
Click here (4.3.x) and have a look at pg 173 or here (5.0.x) and have a look at pg 106.
You may want to exclude certain sites from this, such as Microsoft/Windows Update sites, which may prevent computers/users from downloading needed updates if exe files are blocked outright. What you can do is create a list of exempted FQDN sites and group them together, create a firewall policy that excludes these sites from DLP/UTM and move it near the top of the firewall chain... assuming you trust the security of the DNS servers your company uses.
An example:
config firewall address
    edit "update.microsoft.com"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
    edit "download.windowsupdate.com"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "download.windowsupdate.com"
    next
    edit "windowsupdate.microsoft.com"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "windowsupdate.microsoft.com"
    next
end
config firewall addrgrp
    edit "Windows-Updates"
        set member "download.windowsupdate.com" "update.microsoft.com" "windowsupdate.microsoft.com"
    next
end
config firewall policy
    edit 99
        set srcintf "internal_net"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Windows-Updates"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks All.
Thanks Dave. This is actually what I wanted to do.
Rgds
Anne
Hi Dave,
I did that and it does not work.
I am unable to download executables now which is good.
What is not good is that I am unable to download executables from trusted websites as well.
I created a group called "Trusted Download Websites". I created a Firewall object "Sun" and selected Type as "FQDN" and FQDN as "http://www.sun.com". Interface as "WAN1".
I created a Firewall Rule (this is at the top):
Source: Test PC
Source Interface: Internal
Destination: " Trusted Download Websites"
Destination Interface: WAN1
Service: ANY
NAT: Enable
Next to this rule, I have another rule:
Source: Test PC
Source Interface: Internal
Destination:ALL
Destination Interface: WAN1
Service: http,https
NAT: Enable
UTM: Enable DLP Sensor (which blocks the executables)
I logged onto Test PC, typed "http://www.sun.com" and pressed Enter.
On the Firewall, it should hit my first rule and I should see the Count increasing.
But that's not what's happening. It still hits my second rule.
I wonder what I am doing wrong.
Also, I can ping www.sun.com from the Firewall,
so it does not look like a DNS issue.
An address is NOT a URL. Put "www.sun.com" into the address object, not the URL, and try again.
BTW, I don't think Java updates come from sun.com but oracle.com. But sun.com might just be an example.
Ede Kernel panic: Aiee, killing interrupt handler!
Sorry Guys, it is not as easy as it sounds.
No matter what you do, the DLP feature takes precedence over everything else. I have logged a TAC case and let's see what they come up with.
Have you disconnected any open sessions (or rebooted the fgt) after making the changes as per ede_pfau?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C