Block file upload in Proxy SG and allow specific apparent data type

Article ID: 265247


Products

ProxySG Software - SGOS, ASG-S200, ASG-S400, ASG-S500, ISG Proxy

Issue/Introduction

How do you block all file uploads by apparent data type while still allowing one specific apparent data type?

 

Environment

Proxy SG 

Resolution

The steps are as follows:

NOTE: Before following the steps below, make sure SSL Interception is enabled. Without SSL Interception, this will not work.

1. Create a new Web Access Layer.

2. Set the source to ANY and set the destination host to ANY. (Note: you can select a specific source host if you only need to block uploads for a specific host or network.)

3. Set the service: create a new service by selecting the protocol method.

4. Name the service, select HTTP/HTTPS as the protocol, and then check the POST connection method.

5. Set the action: create a new action with the apparent data type.

6. In the image above, JPEG is selected and the action is set to allow, because we want to allow this file upload.

7. The rules look like this: Rule number 1 allows uploads of the specific Apparent Data Type, which in our example is JPEG.

8. In the second rule (Rule No. 2), the action is changed: we created a new action with Apparent Data Type in which all the data types are selected, and set the action to Deny Transactions (see the screenshot below).

 

 

With the above settings, JPEG file uploads will succeed, and an upload of any other file type will be blocked.
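The following Python sketch is an added illustration, not Broadcom code or ProxySG policy syntax. It models the two rules above to show why rule order matters and why the file's content, not its name, decides the outcome. The signature table, rule tuples, and sample bodies are constructed, and classifying by leading bytes with first-match evaluation is this model's simplifying assumption.

```python
# Simplified model of the two-rule layer; NOT ProxySG code or policy syntax.
# Constructed signature table: leading bytes -> apparent data type (assumption).
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG"),
    (b"MZ", "EXE"),
    (b"PK\x03\x04", "ZIP"),
    (b"%PDF-", "PDF"),
]
ALL_TYPES = {name for _, name in SIGNATURES}

def apparent_data_type(body: bytes) -> str:
    """Classify by content, ignoring the file name and Content-Type."""
    for magic, name in SIGNATURES:
        if body.startswith(magic):
            return name
    return "UNKNOWN"

# Rules in the order the article gives them: (name, methods, data types, action).
LAYER = [
    ("rule-1-allow-jpeg", {"POST"}, {"JPEG"}, "ALLOW"),
    ("rule-2-deny-all-types", {"POST"}, ALL_TYPES, "DENY"),
]

def evaluate(layer, method: str, body: bytes) -> str:
    """First matching rule wins; no match leaves the decision to other layers."""
    adt = apparent_data_type(body)
    for _name, methods, types, action in layer:
        if method in methods and adt in types:
            return action
    return "NO_DECISION"

# Constructed sample uploads (file name -> first bytes of the body).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.pdf": b"%PDF-1.7\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00",  # executable renamed to .jpg
    "login-form": b"user=alice&comment=hello",
}

def run(layer) -> dict:
    """Evaluate every sample as a POST against the given rule list."""
    return {name: evaluate(layer, "POST", body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run(LAYER).items():
        print(f"{name:12} -> {verdict}")
    # Swapping the rules makes the deny-all rule match JPEG first.
    print("reversed order, photo.jpg ->", run(LAYER[::-1])["photo.jpg"])
```

In this model the ordinary form POST matches neither rule, so its outcome depends on the other rules that allow normal traffic.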

Additional Information

Note:

SSL Interception is required to block uploads using the apparent data type.

You may therefore also need an SSL Interception layer containing a rule that intercepts the HTTPS traffic.

The rule should be as follows:

 

If you selected a specific source host in the Web Access Layer rules for blocking uploads, you must select the same source in the SSL Interception layer.

Also make sure that whichever client system, network host, user, or group you selected as the source in the rule also has a normal rule in a Web Access Layer allowing internet traffic.

In my example, I have another Web Access Layer in which I have the following rules.