Block file uploads with Cloud SWG policy
Article ID: 174578
Updated On:
Products
Issue/Introduction
Create a policy rule that:
(1) Allows access to File Sharing sites while
(2) Allowing downloads and also
(3) Blocks uploads
Resolution
Cloud SWG (formerly known as WSS) has actions for web applications (Dropbox, Google Drive, etc.) that allow you to create policy based on the actions: upload files, download files, etc.
SSL interception is required, and you must not have a rule blocking the category (such as: "File Storage/Sharing") as the category block would deny the access to it before the user can download anything.
See: Create Custom Content Control Rules
For most web applications, there is not an easy way to block file uploads via actions. One instance where file uploads could be blocked is if the site had a URL that all uploads were directed through. This URL should be found in the file sharing site's documentation. That URL could then be added into your policy.
Below example is for Slack:
Two rules have to be implemented:
(1) A "block" rule, followed by
(2) An "allow" rule for users or groups that should be permitted
Additional Information
Cloud SWG cannot apply a policy to different HTTP methods (such as: GET and POST). However, on-premise ProxySG devices do have this capability; an example of this can be found here.
With Cloud SWG (WSS), CASB is the recommended option for granular application controls ("actions") for common web applications.
Attachments
Feedback
