Customer wants to block all HTTP/HTTPS file uploads for its users to ANY destination
Release : 6.7.5.14
Customer wants a general rule that covers upload in any traffic
PLEASE NOTE:
The presented Policy was built on a plain Policy. Please be advised that the solution provided may not be suitable for every environment and needs to be adjusted to existing Policies. It is recommended that you thoroughly test the solution before implementing this Policy and consider all possible implications before using it in a live setting. Use of this solution in a production environment is done at your own risk, and we don't guarantee that it will work with every URL/site with the same result.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
These rules inspect the traffic and deny all uploads via the HTTP/HTTPS protocol that match the defined attribute (UPLOAD=POST).
It is recommended to narrow down the source/destination for this rule, since in order to work it needs SSL interception, which is CPU-intensive for the appliance and can cause some websites to not function properly.
Click on New… > Protocol Methods > Protocol HTTP/HTTPS > Common Methods > POST only
THIS WILL BLOCK ANY UPLOAD VIA HTTP/HTTPS
File upload can be tested with, for example, a file-sharing site.
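A scripted version of that test, as an added example that is not part of the original article: it sends a GET and a POST for the same URL through the proxy and reports whether only the POST is denied. It assumes an explicit proxy reachable over plain HTTP and that a policy deny is answered with status 403; the function names and the test URL passed in are hypothetical.

```python
"""Added example (not from the original article): check a deny-POST proxy rule.
Plain HTTP through an explicit proxy only; HTTPS needs the interception CA trusted."""
import http.client
import sys

DENY_STATUS = 403  # assumption: the proxy answers a policy deny with 403 Forbidden


def probe(proxy_host, proxy_port, url, method, body=None, timeout=5):
    """Send one request via the proxy (absolute-URI form) and return the status."""
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
    try:
        headers = {"Content-Type": "application/octet-stream"} if body else {}
        conn.request(method, url, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body (e.g. the proxy's exception page)
        return resp.status
    finally:
        conn.close()


def check_upload_block(proxy_host, proxy_port, url):
    """POST must be denied while GET to the same URL is still served."""
    get_status = probe(proxy_host, proxy_port, url, "GET")
    post_status = probe(proxy_host, proxy_port, url, "POST",
                        body=b"constructed test payload, not a real file")
    return {
        "GET": get_status,
        "POST": post_status,
        "post_denied": post_status == DENY_STATUS,
        "get_unaffected": get_status != DENY_STATUS,
    }


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_upload_block.py PROXY_HOST PROXY_PORT TEST_URL")
    result = check_upload_block(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(result)
    sys.exit(0 if result["post_denied"] and result["get_unaffected"] else 1)
```

A 407 on either request means the proxy asked for authentication before the rule was evaluated, so the result says nothing about the upload rule itself.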
If the customer needs the rule to apply only to non-authenticated clients:
Source: New… > User Authentication Error > Any error
Destination: Any
Service: Protocol Methods > HTTP/HTTPS > Only POST
Action: DENY
The top rule denies any non-authenticated user from uploading any file via the HTTP/HTTPS POST method. There is no need to create a rule with an authenticated source, since the top rule already filters the non-authenticated users and rejects their uploads via HTTP/HTTPS. The layers below should contain all the users that are authenticated and allowed to upload freely.
- - - - - - - - - - - - -
The upload rule needs to be adjusted to the customer's existing Policy so that it follows the logic of the layer order in that Policy and works without issue.