How to block WeTransfer file upload/transfer?

04/09/2020 27 8623

DESCRIPTION:

WeTransfer is the simplest way to send files such as photos, videos, documents, etc., around the world. This KB article depicts the block of file upload or transfer via WeTransfer using App Rules feature. 

Based on the wireshark packet capture taken from the SonicWall appliance for multiple file uploads, the HTTP PUT carries the snippet  /api/v4/transfers/ on all file uploads/transfers. This piece of information is used to block the uploads. 

RESOLUTION:

1. Login to SonicWall management GUI and navigate to MANAGE tab. 

2. In the SonicWall GUI, navigate to Objects | Match Objects page in the GUI (In Classic view, navigate to Firewall | Match Objects page).

3. Click Add and select Match Object.

4. In the Match Object Settings window, specify the object fields

• Object Name: Any friendly name
• Match Object Type: HTTP URI Content
• Match Type: Partial Match
• Input Representation: Alphanumeric (Select the radio option)
• Content: Mention /api/v4/transfers/ and click ADD; the content gets populated under the List.
• Click OK

5. The Match Object gets added as shown in the screenshot below.

6. Navigate to Rules| App Rules page in the GUI (In Classic view, navigate to Firewall | App Rules page).

7. Click on Settings icon and enable the check box Enable App Rules. (A green tick mark indicates that app rule is enabled)

8. Click Add. 

 9. In the App Control Policy Settings window, specify the policy fields 

• Policy Name: A friendly name
• Policy Type: HTTP Client
• Address - Source: Any (Address Object or Address Group can be selected for which the WeTransfer file upload has to be blocked)
• Service - Destination: HTTP
• Match Object - Included: Select the Match Object that was created on Step 4
• Action Object - Included: Reset/Drop
• Enable Logging: Enable this check box
• Connection Side: Client Side
• Direction: Basic, Both
• Click OK

10. The App Rule policy gets added as shown in the screenshot below.

DPI-SSL Configuration:
11. Navigate to Decryption Services | DPI-SSL/TLS Client and to General tab.
12. Under the General Settings, enable the check box Enable SSL Client Inspection and the sub check box Application Firewall. 

13. Navigate to Objects tab, ensure the Include field is set to the corresponding IP address, Range or Subnets. By default, Include field is set to All which means DPI-SSL affects all users.

14. In the web-browser (IE or Firefox or Chrome), ensure the DPI-SSL certificate downloaded from Decryption Services | DPI-SSL/TLS Client | Certificate tab is loaded. (Click here for steps to install the DPI-SSL certificate on modern browsers.

How to Test: 

• Launch the WeTransfer website by going to https://wetransfer.com.  
• Transfer of any files from one email address to other email address should fail. 

• Logs on the SonicWall GUI should display the log event messages for the triggered app rule policy as shown in the screenshot below,