
Configuring native file blocking

To configure native file blocking, you create a policy and then configure it with a list of file extensions to block.

Before you begin

The CIFS protocol needs to be licensed and configured.

Steps

  1. Create a file policy by using the following CLI command: fpolicy create PolicyName Policytype
    Example

    To create a screening policy named "mp3blocker", enter the following command: fpolicy create mp3blocker screen

    FPolicy creates the file policy with the specified policy name, using the screen policy type.
  2. Configure the policy to monitor the mp3 extension by entering the following command: fpolicy extensions include set PolicyName ext-list
    Example
    To configure the policy to monitor the mp3 extension, enter the following command: fpolicy extensions include set mp3blocker mp3
  3. Set the operations and protocols monitored by the policy by entering the following command: fpolicy monitor {add|remove|set} PolicyName [-p protocols] [-f] op-spec

    PolicyName is the name of the policy that you want to add operations to.

    protocols is the set of protocols that you want to enable monitoring for. Use cifs to monitor CIFS requests, nfs to monitor NFS requests, or cifs,nfs to monitor both.

    -f forces the policy to be enabled even if there are no servers available to enforce the policy.

    op-spec is the list of operations you want to add.

    Example

    To replace the list of operations that the mp3blocker policy monitors for CIFS and NFS requests, enter the following command: fpolicy monitor set mp3blocker -p cifs,nfs create,rename

    Specify the create option to prevent creation of mp3 files. In addition, to ensure that an mp3 file is not copied onto the storage system with a different extension and renamed, also specify the rename option.

    This CLI command sets specific operations to be monitored.
  4. To enable mandatory screening, set the required option to on: fpolicy options PolicyName required on
    Example
    To enable mandatory screening on the mp3blocker policy, enter the following command: fpolicy options mp3blocker required on
    This CLI command makes file screening mandatory before the files can be accessed.
  5. Enable the FPolicy feature by entering the following command: fpolicy enable PolicyName [-f]
    Example

    To enable the FPolicy mp3blocker, enter the following command: fpolicy enable mp3blocker

    This CLI command enables the file policy.

Result

After completing the steps, if a client tries to perform an operation that uses a blocked file, the operation fails and a STATUS_ACCESS_DENIED error code is sent.
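
Example

The following added example is not part of the original documentation and is not Data ONTAP code. It is a simplified Python model of the mp3blocker policy that shows why step 3 monitors rename as well as create. The class and function names, the "OK" status label, the case-insensitive extension match, and the check against the resulting file name of a rename are assumptions of the model.

```python
from dataclasses import dataclass, field

STATUS_ACCESS_DENIED = "STATUS_ACCESS_DENIED"
STATUS_OK = "OK"  # label for an allowed request (model value, not an ONTAP status)


@dataclass
class ScreenPolicy:
    """Simplified model of a native file blocking policy (assumption, not ONTAP code)."""
    name: str
    extensions: set = field(default_factory=set)  # fpolicy extensions include set
    operations: set = field(default_factory=set)  # fpolicy monitor set ... op-spec
    protocols: set = field(default_factory=set)   # fpolicy monitor set ... -p
    enabled: bool = False                         # fpolicy enable

    def check(self, protocol, operation, target_name):
        """Return the status a client would see for one request."""
        # Assumption: match on the text after the last dot, ignoring case.
        ext = target_name.rsplit(".", 1)[-1].lower() if "." in target_name else ""
        blocked = (self.enabled
                   and protocol in self.protocols
                   and operation in self.operations
                   and ext in self.extensions)
        return STATUS_ACCESS_DENIED if blocked else STATUS_OK


def replay(policy, requests):
    """Evaluate a sequence of (protocol, operation, resulting name) requests."""
    return [policy.check(*request) for request in requests]


# Constructed request sequence: (protocol, operation, resulting file name).
REQUESTS = [
    ("cifs", "create", "song.mp3"),  # direct creation of an mp3 file
    ("cifs", "create", "song.txt"),  # same content copied under another extension
    ("cifs", "rename", "song.mp3"),  # song.txt renamed to song.mp3
    ("nfs", "create", "notes.txt"),  # unrelated file, never blocked
]

# Policy monitoring only create, beside the create,rename policy from step 3.
create_only = ScreenPolicy("mp3blocker", {"mp3"}, {"create"}, {"cifs", "nfs"}, True)
create_rename = ScreenPolicy("mp3blocker", {"mp3"}, {"create", "rename"},
                             {"cifs", "nfs"}, True)

if __name__ == "__main__":
    for label, policy in (("create", create_only), ("create,rename", create_rename)):
        print(label, replay(policy, REQUESTS))
```

With only create monitored, the rename request in the sequence is allowed; with create,rename it returns STATUS_ACCESS_DENIED.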