Block file upload on ProxySG based on apparent data type of the file
Article ID: 240889

Products

ProxySG Software - SGOS

Issue/Introduction

The requirement is to block file uploads on ProxySG based on the apparent data type of the file.

Consider the following scenarios:

  1. Block all compressed file uploads on ProxySG. The default proxy policy is set to Allow.
  2. Block all compressed file uploads on ProxySG. The default proxy policy is set to Deny.

Downloads should still be allowed, and uploads of other file types should continue to work.

The examples below use a sample website: www.file.io

Resolution

Scenario 1: Block all compressed file uploads on ProxySG. The default proxy policy is set to Allow

  • Open the ProxySG Visual Policy Manager (VPM)
  • Create Action 'Set Apparent Type Action' and select the zip-related types
  • Create a rule in the web access layer with the action set to the Apparent data type Action
  • Ensure SSL Interception is enabled

Scenario 2: Block all compressed file uploads on ProxySG. The default proxy policy is set to Deny

  • Open the ProxySG Visual Policy Manager (VPM)
  • Create Action 'Set Apparent Type Action' and select the zip-related types (refer to Scenario 1)
  • Create a rule in the web access layer with the action set to the Apparent data type Action
  • Create a new web access layer and set up a rule to allow access to the website
  • Ensure SSL Interception is enabled

Reference: See ProxySG 7.3 Properties: http.request.apparent_data_type.deny() for more details regarding the apparent data type action.

Additional Information

  • Note: The policy trace and HAR file for each test show the following.

    Refer to https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/learnabout/troublegeneral/policytrace.html for the procedure to set up and run a policy trace on ProxySG.
    Refer to https://knowledge.broadcom.com/external/article/170836/obtain-a-har-file.html for the procedure to capture a HAR file using the browser's developer tools.

[I] Test using .gz file upload on www.file.io (this is blocked)

  • Result

  • HAR file (inspect element results on Chrome, highlighted the interesting parts)

  • Policy trace logs from ProxySG (highlighted the interesting parts)
connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=59487 dest.port=8080 client.interface=0:0.1 routing-domain=default
location-id=0 access_type=unknown
time: 2022-03-25 08:30:57 UTC
POST https://file.io/
DNS lookup was unrestricted
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk8BDWNkehS5qqzvl
Referer: https://www.file.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.failures: -
verdict: DENIED: ADT says terminate connection
Last Error: Unexpected transaction termination on URL(https://file.io/), client IP(10.0.200.20), server IP(not available): ADT says terminate connection
url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
request.header.Referer.url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
server.certficate.hostname.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
  category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
server.response.code: 0
client.response.code: 0
application.name: file.io
application.operation: none
application.group: File Sharing
DSCP client outbound: 65
DSCP server outbound: 65

[II] Test using .pcap file upload on www.file.io (this is allowed)

  • Result

  • HAR file (inspect element results on Chrome, highlighted the interesting parts)

  • Policy trace logs from ProxySG (highlighted the interesting parts)
connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=59487 dest.port=8080 client.interface=0:0.1 routing-domain=default
location-id=0 access_type=unknown
time: 2022-03-25 08:31:38 UTC
POST https://file.io/
origin server next-hop IP address=34.197.64.69
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryM8hEYk6jKy0WvouT
Referer: https://www.file.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.ip: 34.197.64.69
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
request.header.Referer.url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
server.certficate.hostname.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 1
   static categorization time: 1
server.response.code: 200
client.response.code: 200
application.name: file.io
application.operation: none
application.group: File Sharing
DSCP client outbound: 65
DSCP server outbound: 65
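
To check a saved policy trace for the two outcomes shown in tests [I] and [II], the verdict lines can be extracted per transaction. The script below is an added example, not part of the original article or of any Broadcom tooling; it assumes only the field layout visible in the two traces above, and its sample input is constructed by abridging them.

```python
import re

# Constructed sample: abridged from the two traces above, keeping only parsed fields.
SAMPLE_TRACE = """\
connection: service.name=Explicit HTTP client.address=10.0.200.20 proxy.port=8080
time: 2022-03-25 08:30:57 UTC
POST https://file.io/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk8BDWNkehS5qqzvl
user: name="SYMCDEMOS\\testuser" realm=SYMCDEMOS
verdict: DENIED: ADT says terminate connection
connection: service.name=Explicit HTTP client.address=10.0.200.20 proxy.port=8080
time: 2022-03-25 08:31:38 UTC
POST https://file.io/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryM8hEYk6jKy0WvouT
user: name="SYMCDEMOS\\testuser" realm=SYMCDEMOS
verdict: ALLOWED
"""

REQUEST_RE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS|CONNECT) (\S+)$")

def parse_trace(text):
    """Split a policy trace into transactions (one per 'connection:' line)."""
    txns, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("connection:"):
            m = re.search(r"client\.address=(\S+)", line)
            cur = {"client": m.group(1) if m else None, "time": None, "method": None,
                   "url": None, "user": None, "multipart": False,
                   "verdict": None, "reason": ""}
            txns.append(cur)
        elif cur is None:
            continue  # ignore anything before the first transaction
        elif line.startswith("time:"):
            cur["time"] = line[len("time:"):].strip()
        elif (m := REQUEST_RE.match(line)):
            cur["method"], cur["url"] = m.groups()
        elif line.lower().startswith("content-type:"):
            cur["multipart"] = "multipart/form-data" in line.lower()
        elif line.startswith('user: name="'):
            cur["user"] = line.split('"')[1]
        elif line.startswith("verdict:"):
            verdict, _, reason = line[len("verdict:"):].partition(":")
            cur["verdict"], cur["reason"] = verdict.strip(), reason.strip()
    return txns

def adt_blocked_uploads(txns):
    """Uploads (multipart POST/PUT) that the apparent-data-type rule terminated."""
    return [t for t in txns if t["multipart"] and t["method"] in ("POST", "PUT")
            and t["verdict"] == "DENIED" and t["reason"].startswith("ADT")]
```

Running `adt_blocked_uploads(parse_trace(...))` over a trace captured during testing lists which uploads the rule stopped, with client address, user and time, so a blocked .gz upload and an allowed .pcap upload can be told apart without reading the full trace.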
