How to Block website specific file downloads using Regular Expressions (Regex)
03/26/2020 
13 
12116
DESCRIPTION:
You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings page provides a way to configure custom regular expressions.
This article describes how to use Match Object type HTTP URL with custom regular expressions and then to create a matching App Rule policy to block file downloads from a website.
These are the example I use here. These are for blocking downloads of files with extensions PDF and EXE from cnet.com and microsoft.com. You could change the expression to match the website and the file extension you wish to block.
- download.microsoft.com/download/([dD]+).pdf: This will block this URL - http://download.microsoft.com/download/5/2/E/52E4291F-A34B-42F5-BAEA-EB23381CB112/SC%202012%20Overview%20Datasheet.pdf
- software-files-[a-zA-z].cnet.com/([dD]+).exe([dD]+): This will block this URL- http://software-files-a.cnet.com/s/software/13/86/35/33/ccsetup419.exe?token=1416329507_fdbdb157ce5d375e97fc5b899f832b24&fileName=ccsetup419.exe
RESOLUTION:
Create Match Object for URLs to be blocked
1. Login to the management interface of the SonicWall UTM appliance
2. Navigate to the Firewall | Match Objects page.
3. Click on Add New Match Object to open the Add/Edit Match Object window.
4. Enter a name for the match object. For example,File Downloads
5. Select HTTP URL under Match Object Type
6. Select Match Type as Regex
7. Set Input Representation as Alphanumeric
8. Under Content, enter the URL with regular expressions of the page you want to block. See examples above.
9. Click on Add after each entry.
10. Click on OK to save.
Create App Rules policy
1. Navigate to the Firewall | App Rules page.
2. Enable the check-box Enable App Rules.
3. Click on the Add New Policy button to open the Edit App Control Policy window.
4. Set the App Rules policy with the following values:
- Policy Name: Block File Downloads (or any name)
- Policy Type: HTTP Client
- Source: Any
- Destination: Any
- Address: Any (These are IP addresses to be included)
- Service: Source Any
- Service: Destination HTTP
- Exclusion Address: None
- Match Object:Included: Set the HTTP URL Match Object with regex content created earlier.
- Match Object:Excluded: None (This is for setting excluded URLs)
- Action Object: Reset/Drop
- Users/Groups: Included: All
- Users/Groups: Excluded: None
- Schedule: Alway on
- Enable flow reporting: check or uncheck
- Enable Logging: Enabled by default
- Log individual object content: Enable check box (recommended)
- Log Redundancy Filter (seconds): Use Global Settings
- Connection Side: Client Side
- Direction: Both
5. Click on OK to create this policy.
Testing:
From a host behind the SonicWall, try to download an EXE file from cnet.download.com or a PDF file from microsoft.com. When the request is blocked the webpage will fail to load and the following log messages will be generated in the SonicWall logs.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
