
TZ470w - URI lists and GAV

Simon_Weel Newbie ✭
edited September 26 in Firewall Security Services

The website https://ambientcg.com/ contains all kinds of bitmaps. When we try to download a ZIPped bitmap, it's blocked by GAV since we have Block files with multiple levels of zip/gzip compression enabled. So I made an address object for the aforementioned website and added that to the group allowed exclusions for GAV. That didn't seem to work. Turns out the bitmaps come from a CDN: cdn3.struffelproductions.com/file/ambientCG/download. So I created a URI list object with this name and added it to a group for allowed URIs:


And added that group to the CFS Default Profile:


Unfortunately, this doesn't seem to work. Files are still intercepted by GAV:


How to get this site to bypass GAV?

Category: Firewall Security Services

Answers

  • Ajishlal Community Legend ✭✭✭✭✭

    @Simon_Weel

    Exclude those URL/FQDN address object from GAV.


  • Simon_Weel Newbie ✭
    edited September 27

    @Ajishlal : Yes, that would work. Thing is, more and more websites host their data on a CDN. Bypassing a whole CDN means all data from that CDN bypasses GAV. You don't want that. So that's where the URI comes into play - it gives a more granular means of bypassing GAV for just a part of a CDN.

    Since that doesn't seem to work, I wonder in which order the firewall processes the security policies. It looks like GAV has the last word, regardless of the URI allow list in the CFS profile. That, or I'm doing something wrong...

  • Ajishlal Community Legend ✭✭✭✭✭

    @Simon_Weel

    As per your firewall log, it's being blocked by GAV, and that's why I suggested excluding it if it's a legitimate FQDN for downloading the zip.

    The zip block is defined in the GAV policy so you would have to exclude from that policy only if you want to download the particular zip file.

  • Simon_Weel Newbie ✭
    edited September 27

    @Ajishlal : I understand, but IMO you seem to miss the point? I don't want to exclude the whole domain in case of a CDN. It's like giving carte blanche to all (mis)users of that CDN. By using a URI, you can pinpoint just a fraction of a CDN. My thought was that URIs on the allow list would not be blocked by any service. That doesn't seem to be the case. And unfortunately, the allow list for, as an example, the GAV Service only accepts domain names / IP addresses. You can't use URI Lists to be excluded from GAV.

    Maybe I should rephrase the question: How can I exclude part of a domain in GAV?

  • BWC Cybersecurity Overlord ✭✭✭

    @Simon_Weel if you have DPI-SSL running, you could create a Match Object for the URL in question, create an App Rule for it and use the default Action Bypass GAV, that should do the trick.

    --Michael@BWC

  • Simon_Weel Newbie ✭
    edited September 27

    @BWC : tried it. Won't budge. Created a Match Object:

    NB: tried different 'Match Object Types' like HTTP URL and HTTP Host. Also tried all different 'Match Types'.

    Then made an App Rule policy:

    Doesn't work. As soon as I switch off DPI SSL, I can download files without problems. Which makes sense, since in that case the firewall no longer performs any security service at all.

    DPI SSL settings:


    I'm at a loss. I just don't know how to get this working...

  • BWC Cybersecurity Overlord ✭✭✭

    @Simon_Weel I tried to reproduce, but no download gave me that GAV block. Does it happen for any download you try?

    --Michael@BWC

  • Ajishlal Community Legend ✭✭✭✭✭

    @Simon_Weel

    I did the test with my Gen6 unit and it's working. Downloaded the zip file without any issue, and I didn't exclude the CDN or FQDN.

    GAV Configuration:

    DPI-SSL Configuration:

    I don't have a Gen7 unit with DPI-SSL to do the test.

  • @BWC : yes, for this particular site it doesn't matter what file I try to download. They're all blocked by GAV.

    @Ajishlal : your settings are pretty much the same as mine? Which only adds to the question of why it doesn't work for me...

    If I switch off Block files with multiple levels of zip/gzip compression I can download without problems. Also makes sense - most of the files on that site are jpg files, which is a form of ZIP. I guess the site owner wants to shave off a couple of bytes by ZIPping the bitmaps. And thus they become a multi-level zip-file.

    Forgot to mention we also have Capture ATP, which for the time being I have set to Allow file download while awaiting a verdict.

    Could this be a bug in the firewall? It runs version SonicOS 7.0.1-5080
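To see what the GAV setting discussed in this thread (Block files with multiple levels of zip/gzip compression) actually keys on, here is an added Python example, not SonicWall code and not posted by anyone in the thread, that walks a ZIP in memory and reports how many zip/gzip layers wrap the innermost file. The sample archives are constructed inline, and the threshold of two layers is an assumption for illustration, not SonicOS's documented logic.

```python
import gzip
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"     # local file header of a non-empty ZIP
GZIP_MAGIC = b"\x1f\x8b"
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # don't inflate huge members (zip-bomb guard)

def compression_depth(data: bytes, depth: int = 0, max_depth: int = 8) -> int:
    """Return how many zip/gzip layers wrap the innermost payload (0 = plain file)."""
    if depth >= max_depth:            # stop on absurdly deep nesting
        return depth
    if data[:2] == GZIP_MAGIC:
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):   # truncated/corrupt gzip still counts as one layer
            return depth + 1
        return compression_depth(inner, depth + 1, max_depth)
    if data[:4] == ZIP_MAGIC:
        deepest = depth + 1
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    member = zf.read(info)
                    deepest = max(deepest, compression_depth(member, depth + 1, max_depth))
        except zipfile.BadZipFile:
            return depth + 1
        return deepest
    return depth

def would_trip_multilevel_block(data: bytes) -> bool:
    """Assumed policy: two or more nested zip/gzip layers is 'multiple levels'."""
    return compression_depth(data) >= 2

def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples (not real downloads): a JPEG-like stub, then wrappers around it.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
SINGLE_ZIP = build_zip({"texture.jpg": JPEG_STUB})                   # one layer: passes
NESTED_ZIP = build_zip({"inner.zip": SINGLE_ZIP})                    # zip in zip: blocked
GZ_IN_ZIP = build_zip({"texture.jpg.gz": gzip.compress(JPEG_STUB)})  # gzip in zip: blocked
```

Running compression_depth over a download that GAV rejects tells you whether the archive really carries a second compression layer or whether the block comes from something else in the policy.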
