Palo Alto

Blocking Facebook or Facebook Chat Using Palo Alto APP-ID

First i have to apologize cause this going to be a long Trip and it my fault i didn’t research it will but to deny an SSL traffic which used by facebook first you have to read what inside it, in another word (Decrypt it)

So i’m here rewrite the article again and just add the Decryption of the traffic before it forward to the intended site
First we need to create a Certificate on Firewall
Choose a name, Common name and Check the Certificate Authority
and the Certificate Attributes then Click Generate

Now Select the Cert to Edit and Check the Box
Forward trust Certificate
Forward Untrust Certificate
trusted Root CA
Then Export the Certificate as (PEM)
Choose Place to Save it
and as you see it download it in my Download Folder
Second i will go to my laptop to import in

Go to Tools – Internet Option – Content – Certificates
Go to trusted Root Certification Authorities Tab – import6
Press Next
Browse to my Certificate
Choose to place it in the Trusted Root Certification Authorities9
Press Finish
it will give you a security warning just press yes11
and import is successful
you can check it under the Trusted Root Certification Authorities Tab
Now get back to Palo Alto and Configure the Decryption Policies
Go to Policies – Decryption – Add14
since this is a lab i will Choose Any as the Source
Also Choose Any as the Destination 16
i can Adjust under URL Category but since this is a lab i will configure it as Any17
Under option Tab i select the Action as Decrypt and Type SSL Forward Proxy18
Now i Check Gmail and here its Secure from my PA-CCIEROOT which is my Palo alto Common Name20
Also my facebook is Secured 21


Now that was the Part that everyone kept ask why Aysar it ain’t working
your article is wrong
will i hope it work now

So as i said earlier unless you work in Marketing then you don’t need any Social Website
so Aysar Mohamed (ME) is an IT guy and i want my self to do IT Work and stop playing around the Facebook
(i am sure my manager agree in  this point) so let’s do it

First I need to tell you when using Application you need to be careful what you choose
you can select application using Category, Subcategory, technology, Risk and Characteristics
sometimes you see if you choose based on Risk level 5 which is the hardest you could break google drive
and if you use the application using Characteristic and choose Vulnerability you could break SIP so Review everything.

Now go to Monitor – Logs – traffic and as you can see it full by Facebook logs by Aysar and it depend on one Application (facebook-base)

So let go to Policies – Security – add new (Stop facebook)91
Select the Source Zone (Inside) and Source Address (My Laptop IP Address)3
Select my user (Aysar.Mohamed)4
Select the Destination my outside interface5
then here choose the application (facebook-base) which appear in my logs
sometimes you need to add
(Web Browsing), (SSL) & (DNS)
Now Choose action to deny
Make sure to move this rule to the top
As you can see now i cant open my facebook at all and it give me this error7a
and if you go back to the logs you will see the action (reset-both)8Now what if i want Aysar to view his Facebook but don’t want him to Chat with Anyone
Easy go back to my (Stop facebook) Policy change the APP-ID to (facebook-chat) and save9
some application can’t just stop by choosing the APP-ID you need to select also what it depend on
so highlight the rule and go to the application tab and choose facebook-chat and right click and choose (Value) to see what its Depends on.
so for facebook-chat it depends on
Now If i select facebook-base it will also block facebook page Also
so here the trick
Add only mqtt
Then in my Second Rule (Aysar Allow) i will add to Alow the facebook-base12
under Application i will only add the facebook-base13
Now i can go to my facebook but as you can see my Chat is Dark (Unable to connect) 15
and as you can see in the Logs it block the facebook-chat14

(if you need to check list of App-id you can use, go to Object tab – application)

Happy Friday Everyone


7 thoughts on “Blocking Facebook or Facebook Chat Using Palo Alto APP-ID

  1. Pingback: Blocking Youtube Using Palo Alto URL Category | Root

    • Hi Ndk sorry this was my fault but i update the Article
      as requirement to read SSL traffic and Block it is having a Decryption Policy which i Added just 10 minute ago ;D


    • Hi Rand
      sorry this was my fault but i update the Article
      Try to add the Decryption Policy which i Added in here
      and it will work perfectly
      I Hope ;D


    • Hi periodicomomentocero
      sorry this was my fault but i update the Article
      as requirement to read SSL traffic and Block it is having a Decryption Policy which i added today
      give it a try


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s