ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Block file upload on ProxySG based on apparent data type of the file

book

Article ID: 240889

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The requirement is to block file upload on ProxySG based on apparent data type

Consider the following scenarios:

  1. Block all compressed file uploads on proxySG. The default proxy policy is set to Allow.
  2. Block all compressed file uploads on proxySG. The default proxy policy is set to Deny.

The downloads should be allowed. Uploads for other file types should work

Let's consider this for a sample website: www.file.io

Resolution

Scenario 1: Block all compressed file uploads on proxySG. The default proxy policy is set to Allow

  • Open ProxySG Visual Policy Manager (VPM)
  • Create Action   ‘Set Apparent Type Action and select zip related types

  • Create a rule in web access layer with action set to Apparent data type Action

  • Ensure SSL Interception is enabled

Scenario 2: Block all compressed file uploads on proxySG. The default proxy policy is set to Deny

  • Open proxySG Visual Policy Manager
  • Create Action   ‘Set Apparent Type Action and select zip related types (Refer Scenario 1)
  • Create a rule in the web access layer with an action set to Apparent data type Action

  • Create a new web access layer and setup a rule to allow access to the website.

  • Ensure SSL Interception is enabled

Reference: Proxy SG 7.3 Properties: http.request.apparent_data_type.deny() for more details regarding apparent data type action

 

Additional Information

  • Note: Policy trace and HAR file will show the following

    Refer https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/learnabout/troublegeneral/policytrace.html on a procedure to setup and run policy trace on proxySG
     Refer https://knowledge.broadcom.com/external/article/170836/obtain-a-har-file.html on a procedure to run HAR file using developer tool on browser

 

[I] Test using .gz file upload on www.file.io (this is blocked)

  • Result

 

  • HAR file (inspect element results on Chrome, highlighted the interesting parts)

  • Policy trace Logs from ProxySG(highlighted the interesting parts)
connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=59487 dest.port=8080 client.interface=0:0.1 routing-domain=default
location-id=0 access_type=unknown
time: 2022-03-25 08:30:57 UTC
POST https://file.io/
DNS lookup was unrestricted
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk8BDWNkehS5qqzvl
Referer: https://www.file.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.failures: -
verdict: DENIED: ADT says terminate connection
Last Error: Unexpected transaction termination on URL(https://file.io/), client IP(10.0.200.20), server IP(not available): ADT says terminate connection
url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
request.header.Referer.url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
server.certficate.hostname.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
  category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
server.response.code: 0
client.response.code: 0
application.name: file.io
application.operation: none
application.group: File Sharing
DSCP client outbound: 65
DSCP server outbound: 65

[II] Test using .pcap file upload on www.file.io (this is allowed)

  • Result

 

  • HAR file (inspect element results on Chrome, highlighted the interesting parts)

 

 

  • Policy trace Logs from ProxySG(highlighted the interesting parts)
connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=59487 dest.port=8080 client.interface=0:0.1 routing-domain=default
location-id=0 access_type=unknown
time: 2022-03-25 08:31:38 UTC
POST https://file.io/
origin server next-hop IP address=34.197.64.69
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryM8hEYk6jKy0WvouT
Referer: https://www.file.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.ip: 34.197.64.69
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
request.header.Referer.url.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 0
   static categorization time: 0
server.certficate.hostname.category: [email protected];[email protected];[email protected];File Storage/[email protected] Coat
   category groups: File [email protected] Coat;[email protected] Coat
   total categorization time: 1
   static categorization time: 1
server.response.code: 200
client.response.code: 200
application.name: file.io
application.operation: none
application.group: File Sharing
DSCP client outbound: 65
DSCP server outbound: 65

Attachments