How to Block website specific file downloads using Regular Expressions (Regex)

03/26/2020 15 People found this article helpful 485,344 Views

Description

You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings page provides a way to configure custom regular expressions.

This article describes how to use Match Object type HTTP URL with custom regular expressions and then to create a matching App Rule policy to block file downloads from a website.

These are the example I use here. These are for blocking downloads of files with extensions PDF and EXE from cnet.com and microsoft.com. You could change the expression to match the website and the file extension you wish to block.

download.microsoft.com/download/([dD]+).pdf: This will block this URL - http://download.microsoft.com/download/5/2/E/52E4291F-A34B-42F5-BAEA-EB23381CB112/SC%202012%20Overview%20Datasheet.pdf
software-files-[a-zA-z].cnet.com/([dD]+).exe([dD]+): This will block this URL- http://software-files-a.cnet.com/s/software/13/86/35/33/ccsetup419.exe?token=1416329507_fdbdb157ce5d375e97fc5b899f832b24&fileName=ccsetup419.exe

Resolution

Create Match Object for URLs to be blocked

1. Login to the management interface of the SonicWall UTM appliance
2. Navigate to the Firewall | Match Objects page.
3. Click on Add New Match Object to open the Add/Edit Match Object window.
4. Enter a name for the match object. For example,File Downloads
5. Select HTTP URL under Match Object Type
6. Select Match Type as Regex
7. Set Input Representation as Alphanumeric
8. Under Content, enter the URL with regular expressions of the page you want to block. See examples above.
9. Click on Add after each entry.
10. Click on OK to save.

Create App Rules policy

1. Navigate to the Firewall | App Rules page.
2. Enable the check-box Enable App Rules.
3. Click on the Add New Policy button to open the Edit App Control Policy window.
4. Set the App Rules policy with the following values:

Policy Name: Block File Downloads (or any name)
Policy Type: HTTP Client
Source: Any
Destination: Any
Address: Any (These are IP addresses to be included)
Service: Source Any
Service: Destination HTTP
Exclusion Address: None
Match Object:Included: Set the HTTP URL Match Object with regex content created earlier.
Match Object:Excluded: None (This is for setting excluded URLs)
Action Object: Reset/Drop
Users/Groups: Included: All
Users/Groups: Excluded: None
Schedule: Alway on
Enable flow reporting: check or uncheck
Enable Logging: Enabled by default
Log individual object content: Enable check box (recommended)
Log Redundancy Filter (seconds): Use Global Settings
Connection Side: Client Side
Direction: Both

5. Click on OK to create this policy.

Testing:

From a host behind the SonicWall, try to download an EXE file from cnet.download.com or a PDF file from microsoft.com. When the request is blocked the webpage will fail to load and the following log messages will be generated in the SonicWall logs.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

How to Block website specific file downloads using Regular Expressions (Regex)

Description

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch