Create a policy that blocks uploading files to Google Drive but allow viewing and downloading files

book

Article ID: 168439

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Users are not allow to upload files to Google Drive but are allowed to view, navigate, and download files from Google Drive.

 

Environment

Policy works for Explicit Deployment on all browsers.

Policy does not work for Chrome browser for Transparent Deployment, because Chrome browser uses QUIC protocol to upload files to Google Drive.

Resolution

  1.  Launch Visual Policy Manager (VPM)
  2. Policy > Add Web Access Layer..., give a name to the Web Access Layer
  3. Source: set the source who is subjected to the policy
  4. Leave out Service
  5. Time: setup the time restriction if needed
  6. Action = Deny

Destination: 

  •         New... > Request URL... > Simple Match/URL: drive.google.com

  •         New... > Request URL... > Simple Match/URL: docs.google.com

  •         New... > Request URL... > Simple Match/URL: clients1.google.com

  •         New... > Request URL... > Simple Match/URL: clients2.google.com 

  •         New... > Request URL... > Simple Match/URL: clients3.google.com 

  •         New... > Request URL... > Simple Match/URL: clients4.google.com 

  •         New... > Request URL... > Simple Match/URL: clients5.google.com 

  •         New... > Request URL... > Simple Match/URL: clients6.google.com 

  •         New... > Request URL... >  Regular Expression Match/RegEx: upload

        New... > Combined Destination Object..., give a name to the Object

                              Locate the four websites on the left panel, and Add>> to the right upper panel,

                              Locate the upload on the left panel, and Add>> the upload to the right lower panel

        

 

7. Click OK > click OK > Install Policy

 

Note: 

You may notice this rule might not work in some scenarios for example if the customer is using  http/2 protocol. 

You will be able to see this using a developers tool in the browser. 

In versions prior to SGOS 7.1, the only way to make this rule work is to disable the browser from using http/2 which will then use http. If that is not an option then we can only block clients6.google.com which will include downloading as well.

Attachments