How do I use the enhanced apparent data type controls in SGOS 6.5.1 and AVOS 3.5.1?
Article ID: 166212

Products

SG-300 SG-600 SG-510 SG-9000 SG-900 SWG VA-100

Issue/Introduction

In SGOS 6.5.1 and AVOS 3.5.1, Broadcom introduced an enhanced set of features to detect and manage files based on their apparent data type. With the ProxySG alone, the appliance can now detect and recognize close to thirty unique data types. Unlike with MIME type, this feature does not simply examine the file's extension. Rather, the file container itself is examined and the first bytes of the file are used to identify what type of file it is.

If you have a ProxyAV appliance running version 3.5.1 or higher, there's an additional option here as well. Since the ProxyAV has the ability to examine archive (zip, rar, gz) files and their included files, the new apparent data type policy on the ProxySG can be written to leverage that capability. The ProxySG can send a zip file to the ProxyAV and have the ProxyAV report back with the types of files that are contained in that archive. The ProxySG can then use this information to match any policy that allows or denies requests based on the apparent data type.
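To show why header-based identification behaves differently from an extension check, and how archive inspection extends it to the members of a zip file, here is an added Python example; it is not part of this article or of SGOS/AVOS, and the signature table, the sample file names and the sample payloads are constructed for illustration:

```python
import io
import zipfile

# Constructed subset of leading-byte signatures (the appliance recognises
# close to thirty types; these few are illustrative only).
SIGNATURES = {
    b"MZ": "executable",        # DOS/Windows PE header
    b"PK\x03\x04": "archive",   # ZIP local file header
    b"\x1f\x8b": "archive",     # gzip
    b"Rar!": "archive",         # RAR
    b"%PDF": "pdf",
    b"\x89PNG": "image",
}

def apparent_type(data: bytes) -> str:
    """Classify by the first bytes only; the file name or extension is ignored."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def archive_member_types(data: bytes) -> set:
    """Mimic the ProxyAV archive pass: report the apparent type of each ZIP member."""
    found = set()
    if not data.startswith(b"PK\x03\x04"):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info) as member:
                    found.add(apparent_type(member.read(8)))
    return found

def allowed(data: bytes, user: str, exec_users=("user1",)) -> bool:
    """The article's rule: executables only for listed users, bare or inside an archive."""
    found = {apparent_type(data)} | archive_member_types(data)
    if "executable" in found:
        return user in exec_users
    return True

# Constructed samples: a PE header saved under a misleading .txt name,
# then the same payload wrapped in a ZIP archive.
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("notes.txt", RENAMED_EXE)
ZIPPED_EXE = _buf.getvalue()
```

An extension check would pass both samples as text; the byte-level check classifies the first as an executable and, via the member pass, finds the executable inside the second.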

Resolution

Prerequisites:

  • Enable Apparent Data Type scanning on the ProxyAV and select scan for each file type, rather than block.
  • In your ProxySG ICAP scanning rule, set the ICAP object to fail closed. This is a key security measure that ensures that if the ProxyAV appliance is unavailable, the file cannot be retrieved.
  • When you create your Apparent Data Type object, be mindful of three things:
    1. You can create an Apparent Data Type object in both a Web Access (proxy) and a Web Content (cache) layer rule.
    2. In order for ICAP archive scanning with your ProxyAV to work, the Enable ICAP Scanning box in the ADT destination object must be checked.
    3. This functionality requires that you also have an ICAP scanning rule, in addition to the Apparent Data Type rules.


Sample policy:

In the following example (CPL code below), local user1 is allowed to download EXE files, while all other users are not. The Apparent Data Type destination object looks like this:


CPL of the above policy:

;; Tab: [Web Authentication Layer]
<Proxy>
authenticate(MyLocalUsers) authenticate.force(no) authenticate.mode(auto)

;; Tab: [Web Access Layer]
<Proxy>
; Members of ALLOWED_FT_USERS may download executables; everyone else is denied them.
; The final Allow is the catch-all for all other content.
condition=ALLOWED_FT_USERS response.icap.apparent_data_type=(executable) Allow
response.icap.apparent_data_type=(executable) Deny
Allow

;; Tab: [Web Content Layer]
<Cache>
; The ICAP scanning rule the ADT rules depend on; fail_closed blocks the object
; when the ProxyAV is unreachable.
response.icap_service(av35,fail_closed) response.icap_service.secure_connection(auto)

define condition ALLOWED_FT_USERS
    realm=MyLocalUsers user="user1"
end condition ALLOWED_FT_USERS