Block uploading files to Google Drive but allow viewing and downloading files
search cancel

Block uploading files to Google Drive but allow viewing and downloading files

book

Article ID: 168439

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Users should not be allowed to upload files to Google Drive but should be allowed to view, navigate, and download files from Google Drive.

 

Environment

Please make sure the request to Google Drive is being SSL intercepted in the policy.

Policy works for Explicit Deployment on all browsers.

Policy does not work for Chrome browser for Transparent Deployment, because Chrome browser uses QUIC protocol to upload files to Google Drive. You may be able to disable QUIC protocol in the browser as a workaround/solution. This document lists the steps to disable QUIC protocol 

Resolution

  1. Launch Visual Policy Manager (VPM)
  2. a. Policy > Add Web Access Layer..., give a name to the new Web Access Layer and click on Add rule OR b. To add a rule to an existing Web Access Layer, go to that Layer and click on Add rule
  3. Source: Set the source (client IP or Group or Any)
  4. Leave out Service
  5. Time: setup the time restriction if needed
  6. Action = Deny
  7. Create a new Combined Destination Object:

    Destination: Set > New... > Combined Destination Object..., give a name to the Object (e.g. BlockGoogleDriveUploading)

    a. Create the following Objects with the Destination as follows (on the left window): 

  •         New... > Request URL... > Simple Match/URL: drive.google.com > Add

  •         New... > Request URL... > Simple Match/URL: docs.google.com > Add

  •         New... > Request URL... > Simple Match/URL: clients1.google.com > Add

  •         New... > Request URL... > Simple Match/URL: clients2.google.com > Add

  •         New... > Request URL... > Simple Match/URL: clients3.google.com > Add

  •         New... > Request URL... > Simple Match/URL: clients4.google.com > Add

  •         New... > Request URL... > Simple Match/URL: clients5.google.com > Add

  •         New... > Request URL... > Simple Match/URL: clients6.google.com > Add

  •         New... > Request URL... >  Regular Expression Match/RegEx: upload > Add

b. Locate the objects created above on the left panel, and Add >> to the right upper panel (Only 4 objects are shown added in the screen shot below; 4 shown may be enough if not add all 8 except the last one with 'RegEx: upload').

c. Locate the Request URL: upload(RegEx) on the left panel, and Add>> Request URL: upload(RegEx) to the right lower panel. 

        This rule will will match all requests going to URLs on the top panel and that includes 'upload' somewhere in the URL. 

 

8. Click OK and Install Policy.

 

Note: 

You may notice this rule might not work in some scenarios for example if the customer is using  http/2 protocol. 

You will be able to see this using a developers tool in the browser. 

In versions prior to SGOS 7.1, the only way to make this rule work is to disable the browser from using http/2 which will then use http. If that is not an option then we can only block clients6.google.com which will include downloading as well.

Powered by Wolken Software