How to Block website specific file downloads using Regular Expressions (Regex)

Description

You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings page provides a way to configure custom regular expressions.

This article describes how to use Match Object type HTTP URL with custom regular expressions and then to create a matching App Rule policy to block file downloads from a website.

These are the example I use here.  These are for blocking downloads of files with extensions PDF and EXE from cnet.com and microsoft.com. You could change the expression to match the website and the file extension you wish to block.

  • download.microsoft.com/download/([dD]+).pdf: This will block this URL - http://download.microsoft.com/download/5/2/E/52E4291F-A34B-42F5-BAEA-EB23381CB112/SC%202012%20Overview%20Datasheet.pdf
  • software-files-[a-zA-z].cnet.com/([dD]+).exe([dD]+): This will block this URL- http://software-files-a.cnet.com/s/software/13/86/35/33/ccsetup419.exe?token=1416329507_fdbdb157ce5d375e97fc5b899f832b24&fileName=ccsetup419.exe

 

Resolution

Create Match Object for URLs to be blocked

1. Login to the management interface of the SonicWall UTM appliance
2. Navigate to the Firewall | Match Objects page.
3. Click on Add New Match Object to open the  Add/Edit Match Object window.
4. Enter a name for the match object. For example,File Downloads
5. Select HTTP URL under Match Object Type
6. Select Match Type as Regex
7. Set Input Representation as Alphanumeric
8. Under Content, enter the URL with regular expressions of the page you want to block.  See examples above.
9. Click on Add  after each entry.
10. Click on OK to save.
Image
Create App Rules policy

1. Navigate to the Firewall | App Rules page.
2. Enable the check-box Enable App Rules.
3. Click on the Add New Policy button to open the Edit App Control Policy window.
4. Set the App Rules policy with the following values:

  • Policy Name: Block File Downloads (or any name)
  • Policy Type:  HTTP Client
  • Source: Any
  • Destination: Any
  • Address: Any (These are IP addresses to be included)
  • Service:  Source Any
  • Service: Destination HTTP
  • Exclusion Address: None
  • Match Object:Included: Set the HTTP URL Match Object with regex content created earlier.
  • Match Object:Excluded: None (This is for setting excluded URLs)
  • Action Object: Reset/Drop
  • Users/Groups: Included: All
  • Users/Groups: Excluded: None
  • Schedule: Alway on
  • Enable flow reporting: check or uncheck
  • Enable Logging: Enabled by default
  • Log individual object content: Enable check box (recommended)
  • Log Redundancy Filter (seconds): Use Global Settings 
  • Connection Side: Client Side
  • Direction: Both

5. Click on OK to create this policy.


Testing:

From a host behind the SonicWall, try to download an EXE file from cnet.download.com or a PDF file from microsoft.com. When the request is blocked the webpage will fail to load and the following log messages will be generated in the SonicWall logs.
 

Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
SonicWall NSA Series
Firewalls
SonicWall SuperMassive 9000 Series
Firewalls
SonicWall SuperMassive E10000 Series
Firewalls
TZ Series
not finding your answers?
Ask the Community