Configure SD-WAN File-Filtering Profiles
For supported software information, click here.
You can use file filtering to reduce the risk of attacks from unwanted and malicious files. File filtering blocks the transfer of potentially dangerous files, decreasing an attacker's ability to attack your organization with viruses and vulnerabilities that are associated with various types of files. File filtering is performed based on the file type and the hash of the file.
You can configure file filtering to block files based on criteria such as file type (that is, files associated with specific applications), file size, files associated with specific protocols, and files traveling in a particular direction. You can configure SHA-based hash lists of files to mark potentially dangerous files for denying, and to mark safe files for allowing. You can configure file filtering to perform reputation-based file hash lookups on a cloud server.
To configure file filtering, you configure a file-filtering profile that defines rules for filtering files that enter and leave the network and actions to take when a file does or does not meet the match conditions. You then associate the file-filtering profile with an access control security policy.
This article describes how to configure a file-filtering profile. For information on access control policies, see Configure SD-WAN Access Control Policies.
Configure a File-Filtering Profile
- In Tenant view, select Configure > Secure SD-WAN > Security > Profiles.

- Select the File Filtering tab.
- If you have not yet configured a file-filtering profile, then click Add File Filtering Profile.
- If you have configured one or more file-filtering profiles, the following screen displays. Click the + icon.

The Add File Filtering Profile workflow displays.

- In step 1, Deny & Allow List, you can configure a SHA-based list of files to allow and to deny (block) and the actions to enforce. Note that if the traffic matches both a deny list and an allow list, the action in the deny list takes precedence.

Field descriptions for the Deny & Allow List step:

Deny List (Group of Fields): Choose which hash values and actions to deny.
Action: Select the default action to take when a file is detected in the deny list.
- Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
- Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
- Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
SHA256: Click the Add icon to add the SHA-256 hash value of a file in the deny list. You can add more than one hash value to associate with a file in the deny list.
SHA384: Click the Add icon to add the SHA-384 hash value of a file in the deny list. You can add more than one hash value to associate with a file in the deny list.
Logging Enabled/Disabled: Click to enable logging about files in the deny list.
Allow List (Group of Fields): Choose which hash values to allow.
SHA256: Click the Add icon to add the SHA-256 hash value of a file in the allow list. You can add more than one hash value to associate with a file in the allow list.
SHA384: Click the Add icon to add the SHA-384 hash value of a file in the allow list. You can add more than one hash value to associate with a file in the allow list.
Logging Enabled/Disabled: Click to enable logging about files in the allow list.
- Click Next or select workflow step 2, File Based Actions.
- If you have not yet configured a file-based action, click Add File Based Action.
- If you have configured a file-based action, the following screen displays. Click + Add.

- Enter information for the following fields.

Field descriptions for the File Based Actions step:

File Based Action Name: Enter a name for the file-based action.
Action: Select the default action to take on a file:
- Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
- Allow—Allow the file to pass without logging the action.
- Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
- Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
File Size: Enter a file size. Any file larger than this size is filtered.
Description: Enter a text description for the file action.
Select the Direction of Traffic to Filter: Select the direction of traffic for which to apply the filter:
- Download
- Download and Upload
- Upload
Select the Type of Protocol to Filter: Select the types of protocols to filter. Use the search box to find specific protocols. Check the Select All box to select all protocols.
Select the Type of Files to Filter: Select the types of files to filter. Use the search box to find specific file types. Check the Select All box to select all file types.
- Click Save.
- Click Next or select workflow step 3, Reputation Based Actions.
- To add actions for reputation-based filtering, enter information for the following fields.

Field descriptions for the Reputation Based Actions step:

Reputation Based Actions: Select the default action to take on a file:
- Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
- Allow—Allow the file to pass without logging the action.
- Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
- Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
Cloud Lookup State Enabled/Disabled: Click to enable cloud lookup of a file for its reputation. If you do not configure the cloud lookup state for this profile, it is inherited from the tenant Versa Operating System™ (VOS™) device.
Logging Enabled/Disabled: Click to enable or disable logging.
- Click Next or select workflow step 4, Files & Protocols.
- To configure file decompression, enter information for the following fields. Note that file filtering can decompress only .gzip files.

Field descriptions for the Files & Protocols step:

File Decompression Enabled/Disabled: Click to enable decompression of the files being filtered and to place them into subdirectories.
Maximum Number of Subdirectories: Enter the maximum number of subdirectories. Note that a .gzip file can be decompressed only into a single subdirectory.
Range: 1 through 10
Default: 1
File Decompression Limit: Select the action to take when the maximum number of decompression subdirectories is reached:
- Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
- Allow—Allow the file to pass without logging the action.
- Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
- Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
Protocols: Select one or more protocols to filter the files.
- Click Next or select workflow step 5, Action.
- Select the default action to enforce if there are no criteria matched:
- Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
- Allow—Allow the file to pass without logging the action.
- Block—Do not allow the file to pass and, if a LEF profile is configured, log the action.
- Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
- Click Next or select workflow step 6, Review and Submit.

- In the General section, enter a name for the file-filtering profile. You can also enter a description and tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.
- To enable logging, click the Enable Logging toggle, and then select a logging profile that indicates where to forward the logs.
- Use Default—Click to use the default logging profile.
- Custom—Click to use a custom logging profile, and then select a profile in the drop-down list. To create a custom profile, select + Create New.

- For all other sections, review the information. If you need to make changes, click the Edit icon.
- Click Save to create the file-filtering profile.
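To make the profile's decision logic concrete, here is an added Python model of how the pieces configured above (deny/allow hash lists, file-based actions, and the step 5 default action) combine for one transferred file. It is example code, not Versa software; the evaluation order after the deny/allow check, the rule matching on all of type, protocol, direction and size, and the sample hashes and names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class FileRule:
    """One file-based action (workflow step 2): matched on file type,
    protocol, traffic direction and size (assumed: all must match)."""
    name: str
    action: str          # alert, allow, block or reject
    file_types: set
    protocols: set
    directions: set      # subset of {"download", "upload"}
    max_size: int        # any file larger than this is filtered

@dataclass
class FileFilterProfile:
    deny_sha256: set = field(default_factory=set)   # step 1 deny list
    deny_action: str = "block"
    allow_sha256: set = field(default_factory=set)  # step 1 allow list
    rules: list = field(default_factory=list)       # step 2 file-based actions
    default_action: str = "allow"                   # step 5 default action

def decide(profile, data, file_type, protocol, direction):
    """Return the action for one transferred file.
    Assumed evaluation order (the page only states that deny beats allow):
    deny list, allow list, file-based actions in order, then the default."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in profile.deny_sha256:
        return profile.deny_action          # deny wins even if also allowed
    if digest in profile.allow_sha256:
        return "allow"
    for rule in profile.rules:
        if (file_type in rule.file_types and protocol in rule.protocols
                and direction in rule.directions and len(data) > rule.max_size):
            return rule.action
    return profile.default_action

def sample_profile():
    """Constructed profile: the hashes are of made-up sample bytes, and the
    'bad' hash sits in both lists to show deny-list precedence."""
    bad = hashlib.sha256(b"constructed malicious sample").hexdigest()
    good = hashlib.sha256(b"constructed trusted installer" + b"\0" * 2048).hexdigest()
    return FileFilterProfile(
        deny_sha256={bad}, deny_action="reject", allow_sha256={good, bad},
        rules=[FileRule("large-exe-download", "block", {"exe"},
                        {"http", "smtp"}, {"download"}, max_size=1024)],
        default_action="alert")
```

Running `decide` with the sample profile shows that a file on both lists is rejected, an allow-listed large download passes even though the size rule would otherwise block it, and an upload of the same size falls through to the default action.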
Supported Software Information
Releases 13.1.1 and later support all content described in this article.
