topic Re: Restrict the user agent on Palo Alto firewall in Automation/API Discussions

Restrict the user agent on Palo Alto firewall

Soc-Core42 — Tue, 13 Jan 2015 07:21:32 GMT

Hi All

We have a requirement to restrict the user agent through palo alto firewall.For example allow web-browsing only from internet explorer 10 and not from any other version of IE or from any other browser like firefox or google chrome.Kindly advise this is possible and how

Regards

Anvar

Re: Restrict the user agent on Palo Alto firewall

bat — Tue, 13 Jan 2015 07:28:44 GMT

Hi injazat-soc

Did you go through this document: How to Block Google Chrome

Look for the user-agent for IE 10 requests and allow that application only.

Hope it helps!

Re: Restrict the user agent on Palo Alto firewall

mmmccorkle — Tue, 13 Jan 2015 08:51:06 GMT

injazat-soc,

We currently do not have any defined applications for Internet Explorer, Google Chrome or Firefox. I have seen it setup where Google Chrome can be blocked, due to a custom signature that you can create, as mentioned above by @bat.

We could make a rule to allow Internet Explorer only, once we create a signature that will trigger the rule, yet we would also have to create another 'deny' rule to block every other browser. So to accomplish this, we are looking at creating a signature for almost every browser you can think of, in order to allow traffic only to Internet Explorer. To go a step further, we would have to determine how to create a signature that could differentiate between browser version, which may not be viable.

The firewall is unaware of the browser the user will be browsing the internet with. It only knows that it is passing traffic on port 80, or 443.

Hope this clarified a few things.

Thanks!

Please do not forget to mark any 'helpful' or 'correct' answers.

Re: Restrict the user agent on Palo Alto firewall

Mariusz.pianka — Thu, 21 Jan 2016 11:13:31 GMT

The pattern for chrome used says only "Pattern: Chrome/"

We try to do the same but for internet explorer.

We want to allow Chrome but not Internet Explorer.

What "Pattern: " should we use ?

Should we be looking at user-agent ?

Re: Restrict the user agent on Palo Alto firewall

Lucky — Mon, 29 Feb 2016 22:54:49 GMT

Hi Mariusz,

yes, you should be looking at user agent strings. You have a pretty good list here to start with: http://useragentstring.com/pages/useragentstring.php

You don't need to block "all" browsers, just those that might be installed onto your systems, right? If that is corporate or whatever domained environment, you need to block several versions of IE explorer that preceed IE10, so you need to add five-six "OR" rules to a first example like that one with Chrome, and your agent lists need to have at least 7 characters. You can do that with blocking separately "MSIE\ 6\.", than "MSIE\ 5.", whatever - 7, 8, 4, 3 2. You have 7 characters there, "MSIE 6." but you are escaping blank space and dot with backspace.

Edit: I just re-read your last question 🙂

If you want to block just IE, you can do that with "atible;\ MSIE" - will do the trick to catch (m)any versions of IE. If not, see what you have and play with it.

You have somewhat technical document here: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569 that describes all your possibilities for matching (you are specifically matching here a "http-req-headers" that is described in that document) and at the end of the document you can find an explanation on regular expressions that are used for pattern-match.

Best regards

Luciano