The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Blocking HTTP Downloads

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


There is no utterly fool-proof way to filter HTTP downloads. MIME-types are generally the most effective, but require a CVP server for proper implementation. You can filter based on extension, but you might also catch legitimate page queries that use .exe in the URL. People can also use different extensions for files, which can get around these restrictions.

If you want to try this anyway, create a resource. The URI Definition window would have the following in the "Match" tab:

Schemes: HTTP
Methods: GET
Host:    *
Path:    {*/*.{exe,zip,bin},*.{exe,zip,bin}}
Query:   *

Note that I've inclded exe, zip, and bin extensions. You can add your own as you see fit.

You would then create a rule that uses this resource (which I've called downloads below) and denies access to anything matching this resource (note this rule should show up before your rules that allow general HTTP access):

SourceDestinationServiceAction
Internal-Net Any http->downloads Reject

If you want to restrict access by user group, the rules look like:

SourceDestinationServiceAction
[email protected] Any http->bad-file-types User Auth
internal-net Any http->bad-file-types Reject
[email protected] Any http User Auth

Once a packet could potentially match a user auth rule, the packet is then allowed by the "least restrictive" rule. It is therefore important that the "allowed user atuh" rule appears before the deny access rule.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.