Which security policy rule will allow an admin to block facebook chat but allow facebook in general?

The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

A. 6-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone

B. 5-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Protocol

C. 7-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone

D. 9-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

Hello,

We want to block Facebook Chat attachment downloads/uploads. Our CP has TLS inspection enabled.

Therefore we have created a rule in App Control & URL Filtering, and in the "Services" column we have added "facebook-transfer". That way we managed to block attachment uploads, but not attachment downloads.

Is it possible to somehow block Facebook Chat downloads? That is, I want our users to not be able to download or upload any attachments from the Facebook webpage, but still be able to chat.

Regards


How to allow access to Facebook, but block the other social networking sites

Hi,

I am testing a Palo Alto firewall and have a basic question.

How do I enable access to Facebook for some users, but block the other social networking sites?

I set up a default policy for all users, and my default URL policy is to block social-networking. Then I created another policy for a group of people, and at the application level chose facebook with action allow. Well, if I choose no profile for URL, the rule allows everything. If I choose the default URL profile, facebook is blocked since social-networking is blocked. What am I missing here?

  • policy
  • url_filtering



You can do the following steps:

1) Set up a default policy for all users with default URL profile A, which blocks social networking sites.

2) Create another policy on top of the default policy, create another URL profile B, and apply this profile to that security policy. In URL profile B block all the social networking websites, and in the allow list type *.facebook.com/*. This will allow only facebook and will block all other social media sites for these users.


The tricky part with Facebook is that they don't only use *.facebook.com but also other domains, including CDNs.

I think I would set it up like:

Rule1) Deny url:Social Networking except custom_facebook.

Rule2) Deny appid:facebook-apps (you can ignore this rule if you wish to allow everything that has to do with facebook).

Rule3) Allow appid:facebook,ssl,web-browsing, url:custom_facebook (where you add *.facebook.com and the other domains needed).

I think in PANOS-5.x the dependencies will be improved, so I hope you won't need ssl and web-browsing any longer if you want to just allow facebook (as an example), so keep track of this once 5.x is out.

The downside of app-dependencies is that you are (in this example) forced to allow web-browsing, so Rule1 should be extended to cover all the other URLs you don't wish to allow (that have to do with social networking).

That is because if the traffic is recognized as something else in the app-db it will be blocked (something identified as youtube will not be allowed with the above rules). However, "unknown http" will most likely be identified as web-browsing and will be allowed through, which means URL filtering is the only way to block that hole (since acting on dst IP just won't be practical to handle).

Don't forget to enable SSL termination as well (so you can inspect and block stuff that goes over SSL, even if the PA box can block some traffic without SSL termination by looking at the CN field of the certs sent by the server).

Edit: Oops, got the rules in wrong order 😃

1. I thought it could be done on application access. However, does it mean in this case I have to clone the default rule policy every time I need to create another policy?

I set up a default policy for all users with the default URL profile, profile A, which blocks several URL categories. I also have several websites on the allow and block lists.

If I create another policy B on top of the default policy A (as per your suggestion) and assign that policy to one or more users, it will be their default profile, correct? In that case cloning the default policy and adding Facebook to the allow list makes sense.

However, what will happen if I need to create another policy C which will allow access to Twitter but block all other social networking websites? If I follow the same example and create policy C on top of policy B and assign it to a user who is already assigned to policy B, he will lose access to Facebook. If that is correct, does it mean I need to create another policy which will allow Facebook and Twitter? If that is the case I can easily have hundreds of rules.

I was hoping it could be done by creating a policy which will allow an application access, ignoring the URL category and the URL allow and block lists.

I am doing the evaluation and I do not have too much time. I thought access to Facebook would be something really easy. When you mentioned SSL termination, I guess I will need the cert for that. At this moment I cannot use my CA for testing. What would be the steps to generate the cert from the box?


A single rule cannot allow and deny at the same time.

If you have a hundred users where each user is only allowed to visit a specific site, then yes, you will end up with a hundred rules such as:

1) Allow user:a, url:a.

2) Allow user:b, url:b.

...

101) Deny and log.

PA uses "top-down first-match", which means you can group rules; generally speaking your allow rules should be as narrow as possible while deny rules should be as wide as possible.

So if you wish to allow both url:a and b to user:a and b, there is no need to use two rules when in this case you can do:

1) Allow user:a,b, url:a,b

X) Deny and log.
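To make the rule-ordering argument in the last two replies concrete, here is an added example (constructed for this thread, not PAN-OS code or anything from the forum) that models top-down first-match evaluation over the Rule1/Rule2/Rule3 layout from the earlier reply plus the wide "deny and log" catch-all; rule names, user names and the custom_facebook category are assumptions, and a site is treated as belonging to every URL category it is in, so facebook.com is both social-networking and custom_facebook.

```python
# Added model of top-down first-match policy evaluation (not PAN-OS code).
from dataclasses import dataclass

ANY = frozenset()   # an empty match field means "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    users: frozenset = ANY       # source users
    apps: frozenset = ANY        # App-IDs
    url_cats: frozenset = ANY    # URL categories the site must be in
    url_except: frozenset = ANY  # categories that exempt the site

    def matches(self, user, app, cats):
        """cats: every URL category the requested site belongs to."""
        if self.users and user not in self.users:
            return False
        if self.apps and app not in self.apps:
            return False
        if self.url_cats and not (self.url_cats & cats):
            return False
        return not (self.url_except & cats)


def evaluate(rules, user, app, cats):
    """Return (rule name, action) of the first rule that matches, top-down."""
    for rule in rules:
        if rule.matches(user, app, frozenset(cats)):
            return rule.name, rule.action
    return "implicit-deny", "deny"   # fell off the end of the rulebase


SOCIAL, FB = "social-networking", "custom_facebook"   # category names assumed

# The three rules from the reply, in corrected order, plus the wide
# "deny and log" catch-all; users a and b share one narrow allow rule.
FACEBOOK_RULES = [
    Rule("Rule1-deny-social", "deny",
         url_cats=frozenset({SOCIAL}), url_except=frozenset({FB})),
    Rule("Rule2-deny-fb-apps", "deny", apps=frozenset({"facebook-apps"})),
    Rule("Rule3-allow-facebook", "allow", users=frozenset({"user-a", "user-b"}),
         apps=frozenset({"facebook", "ssl", "web-browsing"}),
         url_cats=frozenset({FB})),
    Rule("RuleX-deny-and-log", "deny"),
]
```

Because Rule3 also matches on the custom_facebook category, plain web-browsing to a site outside it falls through to the catch-all, which is the URL-filtering hole the earlier reply warns about.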


You can use openssl to create a self-signed cert, where both the cert and the private key are uploaded to the PA device, and then you configure the SSL termination settings (which traffic should be terminated and which cert to use).

Then you load the client with the cert (NOT the private key) as a trusted CA (or you can skip this step, but then your browser will bug you about insecure SSL because the browser couldn't verify the CA being used).

Edit: More info on SSL termination:

Regarding openssl: http://www.akadia.com/services/ssh_test_certificate.html

#openssl genrsa -des3 -out server.key 4096

#chmod 400 server.key

#openssl req -new -key server.key -out server.csr

#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Install server.key and server.crt on the PA box, and server.crt as a trusted CA on the client.

Thanks, I will try it tomorrow and see what will actually work for me.


Copyright 2007 - 2022 - Palo Alto Networks