Configuring the File Type Control Policy
File Type Control policies enable you to create rules to restrict the upload and download of various types of files. You can capture and store traffic blocked through this policy as PCAP files. To learn more, see About Traffic Capture. You can also use the recommended File Type Control policy for guidance when configuring File Type Control policies.
To configure the File Type Control policy:
- Go to Policies > Access Control > Internet & SaaS > File Type Control, then click Add File Type Control Rule. The Add File Type Control Rule window appears.
- In the Add File Type Control Rule window:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, etc.), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
- Admin Rank: This option appears if you enabled admin ranking on the Advanced Settings page. Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in Rule Order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
- Rule Name: Enter a unique name for the File Type Control rule, or use the default name.
- Rule Status: Choose to Enable or Disable the rule. An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The Zscaler service skips it and moves to the next rule.
- Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Label.
- File Types: (Required) Select the file types to which you want to apply the rule. You can also select Undetectable File under Other to apply the rule to unknown file types. For unknown file types, the service first identifies the file type from the file header using true file type detection. If the file is still unknown, the service performs MIME type checks and tags the file as an unknown file type if its MIME type falls outside the well-defined MIME types for common applications. You can select any number of file types and also search for file types.
- URL Categories: Select the URL categories to which you want to apply the rule. The service applies the rule when users upload files to or download files from sites in the selected categories. Select Any to apply the rule to all categories, or select any number of categories. You can also search for URL categories, or add a custom category by clicking the Add icon.
You can also select custom TLD categories from this field.
- Cloud Applications: Select any number of cloud applications or cloud application classes. Selecting no value ignores the criterion in the policy evaluation. By default, this field displays the first 100 cloud applications. The next 100 cloud applications are displayed when you click the Click to see more link at the bottom of the list. You can repeat this process to view the remaining cloud applications.
- ZPA Application Segment: Select Any to apply the rule to all ZPA application segments, or select up to 255 ZPA application segments. You can also search for ZPA application segments.
The list displays only those ZPA application segments that have the Source IP Anchor option enabled.
- Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
- Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
- Departments: Select Any to apply the rule to all departments, or select up to 8 departments. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
- Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
- Location Groups: Select Any to apply the rule to all location groups, or select up to 32 location groups. You can also search for a location group.
- Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
- Protocols: Select the protocols to which the rule applies.
- FTP over HTTP: Files from FTP over HTTP websites (requires a Firewall subscription).
- HTTP: Files from HTTP websites.
- HTTPS: Files from HTTPS websites, that is, HTTP encrypted with TLS/SSL.
- Native FTP: Files from native FTP servers (requires a Firewall subscription).
- Minimum/Maximum File Size: Enter a value in KB between 0 and 409600 to apply a minimum and a maximum file size limit. Entering no value ignores the criterion in the policy evaluation.
- Active Content: Enable the toggle button to apply the rule to files with active content. This criterion is applicable only to Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and PDF file formats. The File Types field must be set to one of the supported file formats in order to configure this criterion.
- Unscannable Files: Enable the toggle button to apply the rule only to files that the Zscaler service is unable to scan. This can occur when the file is in an unrecognized format, exceeds the size limit, is corrupted, or is recursively compressed.
When Unscannable Files is enabled, the rule applies only to files that Zscaler is unable to scan; it is not applied to any other file.
- Devices: Select the devices for which you want to apply the rule. You can also search for a device. Selecting no value ignores the criterion in the policy evaluation.
- Device Groups: Select the device groups for which you want to apply the rule. For Zscaler Client Connector traffic, select the appropriate group based on the device platform. Select Cloud Browser Isolation or No Client Connector to apply the rule to Isolation traffic or to traffic that is not tunneled through Zscaler Client Connector, respectively. You can also search for a device group. Selecting no value ignores the criterion in the policy evaluation.
The Cloud Browser Isolation group is available only if Isolation is enabled for your organization.
- Device Trust Level: Select the device trust levels (High Trust, Medium Trust, Low Trust, or Unknown) to which the rule applies. This is applicable only to Zscaler Client Connector traffic. Selecting no value ignores the criterion in the policy evaluation.
The trust levels assigned to the devices are based on your posture configurations in the Zscaler Client Connector feature.
- Action: Choose to Allow, Block, or Caution users from uploading or downloading files.
If Traffic Capture is enabled, the Capture option appears when Block is selected. Captured traffic is stored in PCAP files for later analysis. To enable Traffic Capture for this policy, see Configuring Traffic Capture.
- Upload/Download: Choose whether the specified action applies to uploading files, downloading files, or both.
- Description: Optionally, enter additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
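The following Python model is an added illustration, not Zscaler code, of how the criteria above fit together: true file type detection from the file header with a MIME type fallback and an Undetectable File tag (File Types), and rule evaluation in ascending Rule Order that skips disabled rules and applies the Upload/Download and Minimum/Maximum File Size criteria. The magic-byte table, the list of well-defined MIME types and the rule fields are constructed simplifications.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed true-file-type table: header bytes -> file type label (simplified).
MAGIC = {
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP",              # also the container for OOXML Office files
    b"MZ": "Windows Executable",
    b"\x89PNG\r\n\x1a\n": "PNG",
}
# Constructed list of well-defined MIME types used only in the fallback check.
KNOWN_MIME = {"text/plain": "Text", "application/json": "JSON"}

def detect_file_type(data: bytes, declared_mime: Optional[str]) -> str:
    """Header check first (true file type), then MIME fallback, else Undetectable File."""
    for signature, label in MAGIC.items():
        if data.startswith(signature):
            return label                     # header wins over whatever MIME the client declared
    if declared_mime in KNOWN_MIME:
        return KNOWN_MIME[declared_mime]
    return "Undetectable File"

@dataclass
class Rule:
    order: int                               # Rule Order: evaluated ascending
    name: str
    file_types: frozenset                    # File Types criterion
    action: str                              # Allow / Block / Caution
    direction: str = "both"                  # Upload/Download: upload, download or both
    enabled: bool = True                     # Rule Status
    min_kb: Optional[int] = None             # Minimum File Size (None = ignored)
    max_kb: Optional[int] = None             # Maximum File Size (None = ignored)

def evaluate(rules, data: bytes, declared_mime: Optional[str], direction: str, size_kb: int):
    """Return (rule name, action, detected type); (None, None, type) if no rule matches."""
    ftype = detect_file_type(data, declared_mime)
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:                 # disabled rule keeps its slot but is skipped
            continue
        if rule.direction not in ("both", direction):
            continue
        if ftype not in rule.file_types:
            continue
        if rule.min_kb is not None and size_kb < rule.min_kb:
            continue
        if rule.max_kb is not None and size_kb > rule.max_kb:
            continue
        return rule.name, rule.action, ftype  # first match in Rule Order decides
    return None, None, ftype
```

The constructed test below shows a disabled rule being skipped in favour of the next one, and a size limit excluding a file that otherwise matches.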