topic Re: zenmate application in Custom Signatures

zenmate application

Rameshwar — Thu, 14 Sep 2017 16:35:18 GMT

zenmate application is available in PA app but it is not blocking the traffic ,

tried using the URL based but pcap doesnt show any URL

tried to block through client hello SNI but no lcuk ....

please advise how i can block this on PA

app name - zenmate - browser based proxy

Re: zenmate application

bpappas — Thu, 14 Sep 2017 17:43:37 GMT

If a known App-ID is not working as expected you should definitely open a support case to troubleshoot.

Given that this is an encrypted, evasive VPN/proxy app I'm not sure how effective a custom signature would be.

Benjamin

Re: zenmate application

pulukas — Mon, 18 Sep 2017 10:13:14 GMT

I"m not sure, but it sounds like you might be applying the app-id rule for encrypted traffic without setting up the decryption rule. In order to apply inspected polcies on ssl traffic you will need to decrypt the the traffic first. As you noted things like the url are not visible in the encrypted stream.

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-policy-rule.html

Re: zenmate application

Rameshwar — Wed, 27 Sep 2017 16:37:49 GMT

hi , i have the decryption in place .. but when i do a pcap it doesnt show any url ., is there any way to create a custom app to block zenmate ?wihout url

Re: zenmate application

pulukas — Thu, 28 Sep 2017 11:14:36 GMT

Pretty sure the pcaps are not the decrypted internal view that is why you can't see the URL.

To use the built in app-id (best option) you need to use the app-id on a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application are hitting that rule.

you can enable decryption and setup a url blacklist. And the same deal basically applies. Decryption must be working and the rule has to be hit by the traffic. But since there is an app-id for this you should work on the first option.

Re: zenmate application

bpappas — Thu, 28 Sep 2017 16:38:11 GMT

If I recall correctly, you will need to use the decryption port mirror feature and stream the packets to a connected device. There you should be able to view decrypted traffic using a tool such as tcpdump or wireshark.

Re: zenmate application

Rameshwar — Thu, 28 Sep 2017 17:30:02 GMT

decryption port mirror feature and stream the packets to a connected device. - can let me know how exactly to do this ... this is VM FW in my lAB

Re: zenmate application

Rameshwar — Thu, 28 Sep 2017 17:34:00 GMT

o use the built in app-id (best option) you need to use the app-id on a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application are hitting that rule.

you need to use the app-id on a decryption rule - can you please let me know how can i get this work

Re: zenmate application

pulukas — Fri, 29 Sep 2017 09:38:00 GMT

These are the rule instructions. In step 3 you will need to include the app-id for zenmate.

And the rules must be ordered so that this rule is hit before any other rule that the zenmate traffic may match. The policies are processed in order top to bottom and as soon as the traffic is matched we stop looking at further rules.

Enable logging so that you can verfiy what traffic is matching which rule.

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-policy-rule.html

Re: zenmate application

Rameshwar — Sun, 01 Oct 2017 16:08:04 GMT

Thank you for the information ,but i have already done the steps and it is not detecting the application

Re: zenmate application

Rameshwar — Sun, 01 Oct 2017 17:14:32 GMT

it seems i found out the work around for this

chrome extension zenmate - once the website which is blocked on the FW can be accessible if the ssl decryption is not enabled after connecting the zenmate. after the zenmate is connected and if the ssl decrypt is not enabled the blocked website will work , once you enable the ssl decrypt i.e ssl forward proxy it will start blocking the traffic as before so in this case connecting to zenmate chrome extension is of no use

zenmate application - zenmate installed app on local system behaviour is different as extension , ssl decrypt cannot block this . zenmate app is using IKE application to connect to the proxy server , we have to block the IKE application in the security policy and it will not allow the connection to be successful , but we have to keep in mind that IKE is been used for ipsec so if you have ipsec vpn then it can block the legitimate traffic . so in this case you can select the zone from may be trust to untrust i,e direct internet and apply the policy so it will only block the traffic which is gloing to untrust and not to the ipsec tunnel