Troubleshooting File Blocking: Log Verification

Scenario: An administrator configured a File Blocking profile with action set to "Block" and applied it to a Security Policy rule. A Linux command-line user reports that their download of a .tar file is failing, but they see no error message in their terminal.

Question: Where should the administrator look in the firewall logs to verify if the File Blocking profile is the cause?

Correct Log Location

📘 Explanation

Palo Alto Networks firewalls categorize different types of security events into specific logs for easier analysis. When troubleshooting issues related to files being blocked based on their type (as configured in a File Blocking profile), the correct log to examine is the Data Filtering log .

The Data Filtering log specifically records events related to:

File Blocking: Actions taken (Block, Alert, Continue) based on matching file types defined in a File Blocking profile.
Data Pattern Matching: Actions taken based on sensitive data patterns (like credit card numbers or custom patterns) defined in Data Filtering profiles.

When a file transfer matches a File Blocking profile rule with the action set to "Block", an entry will be generated in the Data Filtering log detailing:

The specific file type identified (e.g., `tar`).
The transfer direction (upload/download).
The Security Policy rule that the traffic matched.
The File Blocking profile that was applied.
The action taken (in this case, `block`).
Source/Destination IP addresses, User (if available), Application, etc.

Why no user error? When the File Blocking action is set to "Block" (and a custom block page isn't configured or applicable, like for a CLI download), the firewall simply drops the packets associated with the file transfer. This often results in the client-side application (like `wget` or `curl` on Linux) eventually timing out or failing without receiving a specific "blocked by firewall" error message.

Why Other Logs Are Incorrect

Threat log

❌ Records security threats detected by signature-based engines like Anti-Virus, Anti-Spyware, and Vulnerability Protection. It focuses on exploits and known malware signatures, not policy-based blocking of specific file types.

WildFire Submissions log

❌ Tracks files that were forwarded to the WildFire cloud service for dynamic analysis (sandboxing) to detect unknown malware. While related to files, it logs the *submission* event, not the *blocking* event based on file type policy.

URL Filtering log

❌ Records web access events based on URL categories or custom URL lists defined in URL Filtering profiles. It controls access to websites, not the types of files being transferred over allowed connections.