A knowledge base article about Examining a File Blocking profile provided by the UC Berkeley IT Service Hub - Knowledge Portal
The Information Security Office (ISO) creates a number of security profiles that individual departments can use in their own environment. To understand the settings associated with these profiles and to evaluate them for local use, the best approach is to look at the settings themselves. One of the security profiles is the “File Blocking” profile. In the Palo Alto environment, file blocking prevents or alerts on the transfer between systems of file types that are deemed risky or abnormal for the environment. Below are the steps needed to examine the settings of a File Blocking profile.
NOTE: The default profiles used in all profile groups do not block files, but are used to log files associated with potential attacks.
- While logged into https://panorama.net.berkeley.edu, choose “Objects” from the tabs at the top of the window.
- Under “Security Profiles” in the left pane choose “File Blocking”

- From the list of File Blocking profiles, select the one you are interested in examining. For this example we will look at ucbsec-RD_server (the recommended File Blocking profile for servers containing Restricted Data). Opening the profile, the first thing you will notice is the rules. Like firewall rules in general, these rules are read by the Palo Alto firewall in order from the top down, so items of higher criticality should be placed at the top of the rules.


- The first rule, “Block high risk file types,” applies to the files listed under the “File Types” column without regard to the application used for the transfer (based on the App-ID detected by Palo Alto) and without regard to the direction of the transfer. The file types seen here have a history of being used either in malicious activity or to exfiltrate data from compromised hosts.
(NOTE: The files will only be detected if the transfer mechanism is not encrypted. If someone is using SSL/TLS, SSH, or another encrypted protocol, the transfer will not be detected or stopped.)
- The next rule, “Block Encrypted File Upload,” is designed around one of the common exfiltration methods: collect data into a single location, then compress and encrypt it before sending it to a remote system. This rule blocks the upload of such files.
- The final rule is used more for forensics and logs the transfer of any recognized file type not already covered by a previous rule.
- To exit out of this, click the “Cancel” button.
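To make the top-down, first-match behaviour of the three rules above concrete, here is a small simulation of how a File Blocking profile decides on a single transfer. This is an added example, not the ISO's profile or Palo Alto code: the file-type lists, the name of the third rule and the App-ID values are constructed placeholders, and the `Transfer`/`Rule` types and `evaluate()` function are assumptions of the example.

```python
"""Simulation of how an ordered File Blocking profile decides on one transfer.
Added example; rule contents are constructed placeholders, not the real profile."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Transfer:
    file_type: Optional[str]   # type identified by the firewall; None = not recognized
    app: str                   # App-ID of the session carrying the file (assumed values)
    direction: str             # "upload" or "download"
    encrypted: bool = False    # transport encrypted and not decrypted -> not inspected

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "block" or "alert"
    file_types: FrozenSet[str] = frozenset() # empty = any recognized file type
    apps: FrozenSet[str] = frozenset()       # empty = any application
    direction: str = "both"                  # "upload", "download" or "both"

# Placeholder file-type lists (assumed, not the ucbsec-RD_server contents).
HIGH_RISK = frozenset({"exe", "scr", "bat"})
ENCRYPTED_ARCHIVES = frozenset({"encrypted-zip", "encrypted-rar"})

PROFILE = [  # evaluated top-down; the first matching rule decides
    Rule("Block high risk file types", "block", HIGH_RISK),
    Rule("Block Encrypted File Upload", "block", ENCRYPTED_ARCHIVES, direction="upload"),
    Rule("Log all other file types", "alert"),   # name assumed; forensic catch-all
]

def evaluate(profile, t: Transfer) -> Tuple[Optional[str], str]:
    """Return (matching rule name, action). Nothing can be inspected on an
    encrypted transport, and an unrecognized file type matches no rule."""
    if t.encrypted:
        return None, "not-inspected"
    if t.file_type is None:
        return None, "allow"
    for rule in profile:
        if rule.file_types and t.file_type not in rule.file_types:
            continue
        if rule.apps and t.app not in rule.apps:
            continue
        if rule.direction != "both" and rule.direction != t.direction:
            continue
        return rule.name, rule.action
    return None, "allow"
```

Evaluating the same `.exe` download against `list(reversed(PROFILE))` yields only an alert, which is why the catch-all logging rule must stay at the bottom.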
More information about File Blocking profiles can be found at:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-file-blocking