Palo Alto

Blocking Facebook or Facebook Chat Using Palo Alto APP-ID

First i have to apologize cause this going to be a long Trip and it my fault i didn’t research it will but to deny an SSL traffic which used by facebook first you have to read what inside it, in another word (Decrypt it)

So i’m here rewrite the article again and just add the Decryption of the traffic before it forward to the intended site
First we need to create a Certificate on Firewall
Choose a name, Common name and Check the Certificate Authority
and the Certificate Attributes then Click Generate

1
Now Select the Cert to Edit and Check the Box
Forward trust Certificate
Forward Untrust Certificate
trusted Root CA
22
Then Export the Certificate as (PEM)
2
Choose Place to Save it
3
and as you see it download it in my Download Folder
4
Second i will go to my laptop to import in
Go to Tools – Internet Option – Content – Certificates5
Go to trusted Root Certification Authorities Tab – import6
Press Next
7
Browse to my Certificate8
Choose to place it in the Trusted Root Certification Authorities9
Press Finish
10
it will give you a security warning just press yes11
and import is successful
12
you can check it under the Trusted Root Certification Authorities Tab
13
Now get back to Palo Alto and Configure the Decryption Polocies
Go to Policies – Decryption – Add14
since this is a lab i will Choose Any as the Source
15
Also Choose Any as the Destination 16
i can Adjust under URL Category but since this is a lab i will configure it as Any17
Under option Tab i select the Action as Decrypt and Type SSL Forward Proxy18
Now i Check Gmail and here its Secure from my PA-CCIEROOT which is my Palo alto Common Name20
Also my facebook is Secured 21

;D

Now to the Part that everyone kept ask why Aysar it aint working
your article is worng
will i hope it work now

So as i said earlier unless you work in Marketing then you don’t need any Social Website
so Aysar Mohamed (ME) is an IT guy and i want my self to do IT Work and stop playing around the Facebook (i am sure my manager agree in  this point)so let’s do it

First go to Monitor – Logs – traffic and as you can see it full by Facebook logs by Aysar and it depend on one Application (facebook-base)

1
So let go to Policies – Security – add new (Stop facebook)91
Select the Source Zone (Inside) and Source Address (My Laptop IP Address)3
Select my user (Aysar.Mohamed)4
Select the Destination my outside interface5
then here choose the application (facebook-base) which appear in my logs90
Now Choose action to deny
92
Make sure to move this rule to the top
7
As you can see now i cant open my facebook at all and it give me this error7a
and if you go back to the logs you will see the action (reset-both)8

Now what if i want Aysar to view his Facebook but don’t want him to Chat with Anyone
Easy go back to my (Stop facebook) Policy change the APP-ID to (facebook-chat) and save9
some application can’t just stop by choosing the APP-ID you need to select also what it depend on
so highlight the rule and go to the application tab and choose facebook-chat and right click and choose (Value) to see what its Depends on.
so for facebook-chat it depends on
facebook-base
mqtt
Now If i select facebook-base it will also block facebook page Also
so here the trick
10
Add only mqtt
11
Then in my Second Rule (Aysar Allow) i will add to Alow the facebook-base12
under Application i will only add the facebook-base13
Now i can go to my facebook but as you can see my Chat is Dark (Unable to connect) 15
and as you can see in the Logs it block the facebook-chat14

;D
(let me just note this it only worked with me cause the Decryption was in the Palo Alto earlier)

Happy Friday Everyone

Advertisements
Standard

7 thoughts on “Blocking Facebook or Facebook Chat Using Palo Alto APP-ID

  1. Pingback: Blocking Youtube Using Palo Alto URL Category | Root

    • Hi Ndk sorry this was my fault but i update the Article
      as requirement to read SSL traffic and Block it is having a Decryption Policy which i Added just 10 minute ago ;D

      Like

    • Hi Rand
      sorry this was my fault but i update the Article
      Try to add the Decryption Policy which i Added in here
      and it will work perfectly
      I Hope ;D

      Like

    • Hi periodicomomentocero
      sorry this was my fault but i update the Article
      as requirement to read SSL traffic and Block it is having a Decryption Policy which i added today
      give it a try

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s