I tested the file blocking features of the Palo Alto Networks next-generation firewall and was a bit confused why several file types still passed the firewall though I set the policy to “any block”. Therefore, I tested a few scenarios with the file blocking security profile and present my test results here.
The tested PAN-OS version was 5.0.9 on a PA-200. I have not used WildFire in these tests.
- Allow/block file transfers through various protocols, e.g., http, ftp, smtp, and many more.
- Upload and download are controllable independently.
- True file type detection through a decode of the files and not through a simple comparison of the file extension.
- Not a “real” security policy which is passed from top to bottom.
- Certain file types are recognized two or more times as different file types, e.g., “zip and doc” for a single docx document. That is: If an organization wants to allow doc files while blocking zip, this is not possible.
- No whitelist support since “any block” does NOT block anything but only the known file types. (See Palo Alto link at the bottom.)
I ran through several test scenarios and present the results in the screenshot below. The test scenarios are written into the file names of all screenshots. So please refer to these file names.
I also uploaded all my test files to http://testfiles.webernetz.net. Anyone is welcome to download these files in order to test his own equipment.
The file blocking feature on the Palo Alto firewall can be used to avoid file up-/downloads that are done accidentally by a trusted user. It cannot be used to block every file type except some explicitly allowed ones such as done with a whitelist. That is: It does not prevent a malicious user from upload certain files to the Internet! It can only slow down the tries to upload files since the malicious user will find an unsupported file type which is led through the Palo Alto without any blocks or log entries.