How a Rule Set for Media Type Filtering Works
You can create your own rules for media type filtering using the Rule Builder. You can insert these rules in the default rule set for media type filtering or in a rule set that you also create on your own.
In the following, a rule set for media type filtering with rules that are created using the Rule Builder is shown and explained.
Types of Rules
The rules in this rule set can be categorized with regard to their types as follows:

- Block rules — Rules for blocking media types that you consider a threat to web security, for example, executables.

  To let a block rule know what to block, you configure suitable criteria, for example, File extension. If the extension of a file is .exe, the file is recognized as an executable and blocked.

  When the block action has been executed, processing stops. Once a request has been blocked, there is no need to block it in another processing cycle or by another rule that follows in the same rule set or in another rule set that follows in your web policy.

  In the default rule set for media type filtering, blocking media types is configured in a different way. You select the media types you want to block from a catalog and enter them in a block list. You can block uploads and downloads of media types.

- Exception rules — Rules for blocking or allowing access to media types in some cases, for example, for allowing archive downloads if the download request is sent by a particular client.

  To let an exception rule know what exception to make, you configure a complex rule condition, which includes two or more simple conditions.

  For example, you configure a condition with the Media Type from Header criteria that matches if the media type is application/archives. For the second condition, you configure Client IP and let it match if the IP address of the client is in a bypass list.

  You combine both conditions by AND. This means that a request is only allowed if both conditions match: it must be a request to access an archive file, and it must have been sent from a client with an IP address that is in the bypass list.

  When the bypass action in an exception rule has been executed, processing stops. This ensures that a request that is allowed by this rule cannot be blocked in another processing cycle or by another rule that follows in the same rule set or in another rule set that follows in your web policy. Keep in mind that this also means no rule set further down the policy tree inspects the request, so an exception should be as narrow as you can make it.

  The default rules for media type filtering do not rely on the concept of allowing exceptions. When working with them, you cannot configure complex conditions. The default rules block the media types that are in the lists they use, without exceptions. On the other hand, they allow all media types that are not in their lists.

- Catch-all rule — A rule at the end that stops processing of this rule set. If a request has not been blocked or allowed by any of the preceding rules, it is not blocked or allowed by this rule either.

  Processing continues with the next rule set on the policy tree. A request that has passed through all rule sets so far, including this rule set for media type filtering, might still get blocked by a rule in the next rule set.
Rule Set
The table below shows a rule set with rules for media type filtering that you can create using the Rule Builder. Rule events, which are optional when creating rules, are not covered.
Name | Criteria | Operator | Value | Action | Remarks |
---|---|---|---|---|---|
Block executables | File extension | is | .exe | Block request | The criteria in this rule is processed to get the extension of the file name in the URL that is sent with a request to access the file. The extension is delivered in string format. If this string is .exe, the request is blocked. Processing the criteria relies on information retrieved in the request cycle. This is a block rule that prevents users from accessing executables. There is no exception to this rule. When the block action has been executed, rule processing stops. It is no use to continue with processing to see if the request would also be blocked by another rule. Note that this rule only sees the extension in the URL: an executable served under a URL without an .exe extension is not matched by it. The Ensured media types criteria used further down in this rule set inspects the file content instead. |
Allow some clients to download archives | Media type from header AND Client IP | is / is in | application/archives / List of Allowed Clients | Bypass | The criteria in the first condition of this rule is processed to find the media type of a file that is sent by a web server in response to a download request. To find this media type, the Content-Type header of the response is evaluated. The media type is delivered in MIME type format. The criteria in the second condition is processed to get the IP address of the client that sent the download request. If the media type of the requested file is application/archives and the client IP address is found in a bypass list, both conditions match, and the download request is allowed. Processing the criteria in this rule relies on information retrieved in the request and response cycles. The client IP address is already known in the request cycle. For the media type, processing uses the header information that is available in the response cycle. This is an exception rule that allows archive downloads for some clients. When the bypass action has been executed, rule processing stops. This ensures that the request cannot be blocked by any following rule. Note that the Content-Type header is set by the web server, so this condition trusts what the server claims about the file, and because the bypass action stops all further processing, a response allowed by this rule is also not inspected by the rule sets that follow, for example, an anti-malware rule set. Keep the client list short, and consider the Ensured media types criteria if the file content rather than the header should decide. |
Block archive uploads requested by some users | Body file name AND User groups | matches / overlaps | *.zip / List of Blocked User Groups | Block request | The criteria in the first condition of this rule is processed to find the name of a file that was sent as the body of an upload request. To find this name, the file itself is first evaluated. If the name cannot be found there, the Content-Disposition header of the request is evaluated, and then the URL that was sent with the request. The file name is delivered in string format. If it matches the pattern *.zip, the file is recognized as an archive, which also means that this condition matches. (*.zip is a wildcard pattern; read as a regular expression, it would have to be written .*\.zip$.) The criteria in the second condition is processed to find the user groups of the user who submitted the request. If there is an overlap between the list of these user groups and a block list for user groups, the second condition matches. If both conditions match, the request is blocked. Processing the criteria in this rule relies on information retrieved in the request cycle. This is a block rule for archive uploads that blocks these uploads only for some users. There is no need to let this rule be followed by a rule that allows archive uploads for all other users. If a request for an archive upload is sent by a user who is not in one of the blocked user groups, none of the rules in this rule set will apply, which means the request will pass through. It is not blocked by the rules in the media type filtering rule set then but can still be blocked by a rule in one of the rule sets that follow, for example, by a rule in the Anti-Malware rule set. Because the file name is taken from what the client sends, an archive that the user has renamed before uploading is not recognized by this rule. When the block action has been executed, rule processing stops. It is no use to continue with processing to see if the request would also be blocked by another rule. |
Allow access to some media types | Ensured media types | overlaps | List of Allowed Media Types | Bypass | The criteria in this rule is processed to find the media type of a file sent by a web server in response to a request by a user. To find this media type, the magic bytes and other signatures of the file are evaluated. The media type is delivered in MIME type format. If there is an overlap between the list of media types that is the result of processing the criteria and the list of allowed media types that is specified as the value of the rule condition, the request is allowed. The file that the server sent is then passed on to the user. Processing the criteria relies on information retrieved in the response cycle. When the bypass action has been executed, rule processing stops. This ensures that the request cannot be blocked by any following rule. |
Stop media type filtering process | All traffic | | | Stop ruleset | This is a catch-all rule that stops the media type filtering process. If a request has not been blocked or allowed by any of the preceding rules in this rule set, it is not blocked or allowed by this last rule either. The All traffic criteria is configured here to ensure that this catch-all rule applies to all web traffic that is directed to Secure Web Gateway. Processing continues with the next rule set on the policy tree, which might, for example, be a malware filtering rule set. A request that has passed through all rule sets on the policy tree so far, including this rule set for media type filtering, might still get blocked by a rule in the next rule set. For example, if a user requests the download of a file, this file might not conflict with the rules of your web policy regarding its media type. But if it is found to be malware-infected, it will still be blocked and not passed on to the user. |
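The following Python program is an added example, not Secure Web Gateway code, that simulates how the rule set in the table above is processed: rules are evaluated top to bottom, Block request and Bypass end processing of the transaction, and Stop ruleset hands the transaction to the next rule set on the policy tree. Rule names follow the table; the list contents, the magic-byte signatures, the stand-in anti-malware rule set (which looks for the EICAR test string) and the sample transactions are constructed here and are assumptions. The simulation treats *.zip as a wildcard pattern.

```python
# Added example (not Secure Web Gateway code): ordered processing of the
# media type filtering rule set from the table, followed by a second rule set.
# List contents, signatures and sample transactions are constructed here.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Optional, Set

# Constructed stand-ins for the list objects referenced by the rules.
LIST_OF_ALLOWED_CLIENTS = {"10.0.0.5"}
LIST_OF_BLOCKED_USER_GROUPS = {"contractors", "guests"}
LIST_OF_ALLOWED_MEDIA_TYPES = {"image/png", "image/jpeg"}

# Magic-byte signatures used to derive "ensured" media types from the file
# content instead of trusting the Content-Type header (assumed set).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),
]


@dataclass
class Transaction:
    """What the criteria can see. Request-cycle fields are always present;
    response-cycle fields (content_type, body) exist only once a response does."""
    url: str
    client_ip: str
    user_groups: Set[str] = field(default_factory=set)
    body_file_name: Optional[str] = None  # name of an uploaded file (request cycle)
    content_type: Optional[str] = None    # Content-Type header of the response
    body: Optional[bytes] = None          # response body (response cycle)


def file_extension(t: Transaction) -> str:
    """Extension of the last path segment of the URL, or '' if it has none."""
    path = t.url.split("?", 1)[0]
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):] if "." in last else ""


def ensured_media_types(t: Transaction) -> Set[str]:
    """Media types found by inspecting the file content (magic bytes)."""
    if t.body is None:
        return set()
    return {mt for sig, mt in SIGNATURES if t.body.startswith(sig)}


@dataclass
class Rule:
    name: str
    condition: Callable[[Transaction], bool]
    action: str  # "Block request", "Bypass" or "Stop ruleset"


MEDIA_TYPE_FILTERING = [
    Rule("Block executables",
         lambda t: file_extension(t) == ".exe", "Block request"),
    Rule("Allow some clients to download archives",
         lambda t: t.content_type == "application/archives"
         and t.client_ip in LIST_OF_ALLOWED_CLIENTS, "Bypass"),
    Rule("Block archive uploads requested by some users",
         lambda t: t.body_file_name is not None
         and fnmatch(t.body_file_name, "*.zip")  # wildcard match on the name
         and bool(t.user_groups & LIST_OF_BLOCKED_USER_GROUPS), "Block request"),
    Rule("Allow access to some media types",
         lambda t: bool(ensured_media_types(t) & LIST_OF_ALLOWED_MEDIA_TYPES),
         "Bypass"),
    Rule("Stop media type filtering process", lambda t: True, "Stop ruleset"),
]

# Constructed stand-in for a following anti-malware rule set on the policy tree.
ANTI_MALWARE = [
    Rule("Block malware",
         lambda t: t.body is not None and b"EICAR" in t.body, "Block request"),
    Rule("Stop anti-malware process", lambda t: True, "Stop ruleset"),
]

POLICY_TREE = [MEDIA_TYPE_FILTERING, ANTI_MALWARE]


def process(t: Transaction, policy_tree=POLICY_TREE):
    """Return (action, rule name). Block request and Bypass end processing of
    the transaction; Stop ruleset leaves the current rule set and continues
    with the next one; a transaction no rule decides on passes through."""
    for rule_set in policy_tree:
        for rule in rule_set:
            if not rule.condition(t):
                continue
            if rule.action in ("Block request", "Bypass"):
                return rule.action, rule.name
            break  # Stop ruleset: go on with the next rule set
    return "Pass", None


if __name__ == "__main__":
    # Header claims an archive, client is on the bypass list, body carries the
    # EICAR string: the Bypass stops processing before the anti-malware rule set.
    t = Transaction("http://dl.example.test/pkg.zip", "10.0.0.5", {"staff"},
                    content_type="application/archives",
                    body=b"PK\x03\x04..EICAR-STANDARD-ANTIVIRUS-TEST-FILE!..")
    print(process(t))  # ('Bypass', 'Allow some clients to download archives')
```

Running the same EICAR-carrying download from a client that is not on the list lets it fall through the catch-all rule to the anti-malware rule set, where it is blocked; the difference between the two runs is exactly the cost of the bypass action described in the remarks above.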