Block upload rule for all the HTTP/HTTPS traffic on ProxySG

Article ID: 256528

Products

ASG-S200, ProxySG Software - SGOS, ISG Proxy, Advanced Secure Gateway Software - ASG

Issue/Introduction

The customer wants to block all HTTP/HTTPS file uploads for its users to ANY destination.

Environment

Release : 6.7.5.14

Cause

The customer wants a general rule that covers uploads in any traffic.

Resolution

PLEASE NOTE:
The presented Policy was built on a plain Policy. Please be advised that the solution provided may not be suitable for every environment and needs to be adjusted to existing Policies. It is recommended that you thoroughly test the solution before implementing this Policy and consider all possible implications before using it in a live setting. Use of this solution in a production environment is done at your own risk, and we don't guarantee that it will work with every URL/site with the same result.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

These rules inspect the traffic and deny all uploads over the HTTP/HTTPS protocols that match the defined attributes (UPLOAD=POST).

It is recommended to narrow down the source/destination for this rule: to work, it needs SSL interception, which is CPU-intensive for the appliance and could cause some websites to not function properly.

 

  • The destination URLs for which you want to DENY file uploads need to be SSL-intercepted first:

  • Create a rule under a Web Access Layer:


 

  • Source: Any or defined (it is recommended to define the source addresses that these restrictions should apply to)
  • Destination: Any. This can be very invasive, so it is advised to group the destinations that should be denied uploads (e.g. URL Category: Uncategorized, File transfer etc.)
  • Service: Add Combined Service Object

Click on New… > Protocol Methods > Protocol HTTP/HTTPS > Common Methods > POST only

THIS WILL BLOCK ANY UPLOAD VIA HTTP/HTTPS

KB: Client protocol methods

 

  • ACTION:  Set...Apparent Data Type > Deny transaction > Select file types
     

 

  • Then install the Policy

File uploads can be tested with, for example, a file-sharing site.
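
To gauge what the rule will hit before installing it, the added example below (not part of the original article) runs access-log lines through the POST-only condition and separates destinations where POST would be denied from HTTPS tunnels the proxy cannot inspect without SSL interception. The log lines and the five-column layout are constructed for illustration and are an assumption, not the appliance's actual log format.

```python
from collections import Counter

# Constructed sample lines, NOT real ProxySG output. Assumed column order:
# c-ip cs-method cs-uri-scheme cs-host cs-uri-port
SAMPLE_LOG = """\
10.1.1.20 POST http upload.example.test 80
10.1.1.20 GET http www.example.test 80
10.1.1.21 CONNECT tcp files.example.test 443
10.1.1.21 POST https share.example.test 443
10.1.1.22 POST https login.example.test 443
10.1.1.22 CONNECT tcp files.example.test 443
"""

def classify(method, scheme):
    """How the POST-only deny rule treats one logged transaction."""
    if method == "CONNECT":
        # Tunnel without SSL interception: the proxy never sees the inner
        # request method, so the rule cannot match anything inside it.
        return "opaque"
    if method == "POST" and scheme in ("http", "https"):
        # Form submissions are POSTs too, so they land here with file uploads.
        return "denied"
    return "allowed"

def rule_impact(log_text):
    """Count (host, verdict) pairs so rule scope can be reviewed per destination."""
    impact = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.startswith("#"):
            continue  # skip blank, comment, or malformed lines
        _c_ip, method, scheme, host, _port = fields
        impact[(host, classify(method.upper(), scheme.lower()))] += 1
    return impact

def hosts_with(impact, verdict):
    """Sorted hosts that have at least one transaction with this verdict."""
    return sorted({host for (host, v) in impact if v == verdict})

if __name__ == "__main__":
    impact = rule_impact(SAMPLE_LOG)
    print("POST would be denied for:", hosts_with(impact, "denied"))
    print("Needs SSL interception first:", hosts_with(impact, "opaque"))
```

Hosts reported as opaque are the ones to add to the SSL interception rule, and the denied list is the starting point for narrowing the Destination object.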

 

Additional Information

If the client needs the rule to apply only to non-authenticated clients:

  • Web authentication layer is set to authenticate users
  • In Web Access layer, the rule to block upload needs to be at the top:

Source: New... > User Authentication Error > Any error
Destination: Any
Service: Protocol Methods > HTTP/HTTPS > Only POST
Action: DENY


The top rule denies any non-authenticated user from uploading any file via the HTTP/HTTPS POST method. There is no need to create a rule with an authenticated source, since the top rule already filters out the non-authenticated users and rejects their uploads via HTTP/HTTPS. The layers below should contain all the users that are authenticated and may upload freely.


The upload rule needs to be adjusted to the customer's existing Policy so that it follows the layer-order logic of that Policy and works without issue:

 

KB articles:

 

PROXYSG DOCUMENTATION: