How to Block website specific file downloads using Regular Expressions (Regex)
03/26/2020 14 13523
You can configure regular expressions in certain types of match objects for use in App Rules policies. The Match Object Settings page provides a way to configure custom regular expressions.
This article describes how to use Match Object type HTTP URL with custom regular expressions and then to create a matching App Rule policy to block file downloads from a website.
These are the example I use here. These are for blocking downloads of files with extensions PDF and EXE from cnet.com and microsoft.com. You could change the expression to match the website and the file extension you wish to block.
download.microsoft.com/download/([dD]+).pdf: This will block this URL - http://download.microsoft.com/download/5/2/E/52E4291F-A34B-42F5-BAEA-EB23381CB112/SC%202012%20Overview%20Datasheet.pdf
software-files-[a-zA-z].cnet.com/([dD]+).exe([dD]+): This will block this URL- http://software-files-a.cnet.com/s/software/13/86/35/33/ccsetup419.exe?token=1416329507_fdbdb157ce5d375e97fc5b899f832b24&fileName=ccsetup419.exe
Create Match Object for URLs to be blocked
1. Login to the management interface of the SonicWall UTM appliance 2. Navigate to the Firewall | Match Objects page. 3. Click on Add New Match Object to open the Add/Edit Match Object window. 4. Enter a name for the match object. For example,File Downloads 5. SelectHTTP URL under Match Object Type 6. SelectMatch Type asRegex 7. SetInput Representation as Alphanumeric 8. UnderContent, enter the URL with regular expressions of the page you want to block. See examples above. 9. Click on Add after each entry. 10. Click on OK to save.
Create App Rules policy
1. Navigate to the Firewall | App Rules page. 2. Enable the check-box Enable App Rules. 3. Click on the Add New Policy button to open the Edit App Control Policy window. 4. Set the App Rules policy with the following values:
Policy Name: Block File Downloads (or any name)
Policy Type: HTTP Client
Address: Any (These are IP addresses to be included)
Service: Source Any
Service: Destination HTTP
Exclusion Address: None
Match Object:Included: Set the HTTP URL Match Object with regex content created earlier.
Match Object:Excluded: None (This is for setting excluded URLs)
Log Redundancy Filter (seconds): Use Global Settings
Connection Side: Client Side
5. Click on OK to create this policy.
From a host behind the SonicWall, try to download an EXE file from cnet.download.com or a PDF file from microsoft.com. When the request is blocked the webpage will fail to load and the following log messages will be generated in the SonicWall logs.