Hardware Firewalls
--
Questions
--
Followers
Top Experts
Watchguard proxy deny executables
I have a Watchguard firewall that I'm trying to block executables from being downloaded on.
If I allow application/octet-stream under "Content Types" so that users can download PDF, word, and excel documents from their webmail, then executables (EXE) appear to be allowed on that Watchguard proxy.
How can I allow application/octet-stream and deny executables.?
If I allow application/octet-stream under "Content Types" so that users can download PDF, word, and excel documents from their webmail, then executables (EXE) appear to be allowed on that Watchguard proxy.
How can I allow application/octet-stream and deny executables.?
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
normally .exe files are denied by default in a proxy.
You should also look into the https proxy in case this is a ssl webmail.
You should also look into the https proxy in case this is a ssl webmail.
If you need to allow application/octet-stream only from one/few specific sites, then you can configure as below:
1. Your current HTTP proxy service with application/octet-stream denied.
2. Create new HTTP proxy or create copy of above [so you would not need to configure from scratch] and then allow application/octet-stream content type and configure as, Enabled and Allowed; from any-trusted [or specific alias/subnet/hosts]; to specific-public-ip-of-webs
Now only for website having their public IP in step 2 would have application/octet-stream allowed; rest sites would have application/octet-stream blocked.
Note that service created at 2 must be placed higher in order than 1; so that it gets hit first.
Please implement and update.
Thank you.
1. Your current HTTP proxy service with application/octet-stream denied.
2. Create new HTTP proxy or create copy of above [so you would not need to configure from scratch] and then allow application/octet-stream content type and configure as, Enabled and Allowed; from any-trusted [or specific alias/subnet/hosts]; to specific-public-ip-of-webs
Now only for website having their public IP in step 2 would have application/octet-stream allowed; rest sites would have application/octet-stream blocked.
Note that service created at 2 must be placed higher in order than 1; so that it gets hit first.
Please implement and update.
Thank you.
dpk wal,
Your post sparked an idea that might be my solution but is still quite frustrating
To keep things simple, why don't I just add proxy exceptions in my current HTTP-Proxy_OUT and turn off the application/octet-stream globally.
I'm discouraged that to allow PDF file downloads, I have to allow application/octet-stream at all. Â This is quite frustrating as that is also the application type for executables. Â Doesn't make sense to me.
We have alot of users that randomly research on the web and view alot of PDF type documentation. Â This would keep me chasing my tail making exceptions every time someone is doing a google search for documentation on certain product offerings. Â Typically PDF documents in alot of cases.
Your post sparked an idea that might be my solution but is still quite frustrating
To keep things simple, why don't I just add proxy exceptions in my current HTTP-Proxy_OUT and turn off the application/octet-stream globally.
I'm discouraged that to allow PDF file downloads, I have to allow application/octet-stream at all. Â This is quite frustrating as that is also the application type for executables. Â Doesn't make sense to me.
We have alot of users that randomly research on the web and view alot of PDF type documentation. Â This would keep me chasing my tail making exceptions every time someone is doing a google search for documentation on certain product offerings. Â Typically PDF documents in alot of cases.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
If file extension is enough for you you, allow more content-type and filter by file extension
If not let me know and I can provide you some content-type that filter most executable.
If not let me know and I can provide you some content-type that filter most executable.
Hardware Firewalls
--
Questions
--
Followers
Top Experts
Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.