topic Re: Block Access to private Gmail but allow corporate in General Topics

Block Access to private Gmail but allow corporate

Leonid.Rozgon — Thu, 18 Jan 2018 10:49:01 GMT

Hi all.

Im looking for a solution to block user access to private gmail accounts but allow a corporate accounts to be used.

I'm aware that there is a solution involing proxy server and X-forwarder.

Is there any other way to do this without dedicated proxy serever?

Regards

Leo

Re: Block Access to private Gmail but allow corporate

kiwi — Thu, 18 Jan 2018 12:52:46 GMT

Hi @Leonid.Rozgon,

I haven't tested this myself but you could try the following :

If I'm not mistaken for corporate Gmail access, the usernames have the customer domain name (eg. user@domain.com).

Personal Gmail accounts have usual usernames (eg. user@gmail.com)

To block personal gmail access, enable ssl-decryption. Next, create a data pattern matching "@gmail.com".

Match this Data pattern on gmail-base app in a Data filtering object.

Apply the Data Filtering object to a policy.

This way you should be able to access corporate gmail accounts and personal gmail access should be blocked.

One caveat I think exists here :

Matching for the regex "@gmail\.com" in the whole page content might also have unwanted matches such as :

-Sending an email to somebody@gmail.com from the corporate account

-Reading an email from somebody@gmail.com on the corporate account

I would think along those lines ... other tips are welcome ^_^

Cheers !

-Kiwi.

Re: Block Access to private Gmail but allow corporate

Leonid.Rozgon — Thu, 18 Jan 2018 14:21:53 GMT

Thanks for the idea, Kiwi.

Trying to test/implement it, but I think the problem is that there is no option to add ssl or google-base as application in Data filtering profile(whys is that?). Authentication form for gmail is done through accounts.google.com and its not detected as gmail-base application. Will continue testing. If anyone else have any ideas feel free to wite them here.

Regards

Leo

Re: Block Access to private Gmail but allow corporate

Tuna20 — Tue, 09 Jun 2020 15:43:04 GMT

Were you able to find anything out? I know Google has a way to block it on Chrome OS devices.

Re: Block Access to private Gmail but allow corporate

Hectormorrell — Fri, 22 Oct 2021 23:54:47 GMT

Step 1 Make sure you are decrypting traffic from the inside to the outside

Step 2 Create a custom URL with *.google.com and *.gmail.com

Step 3 Create a URL FILTER

Select HTTP HEADER Insertion

Called it GMAIL-GOOGLE Type Google apps Access control

Under domain add the following *.google.com and gmail.com

Select header X-GooApps-Allowed domain

Under value add your corporate domain example.com paloaltonetworks.com etc

You can add 5 domains

STEP 4 create a policy

INSIDE-2-OUTSIDE Inside outside APPS GOOGLE-APPS service URL Category=GMAIL-COORPORATE Action= allow profile=url Filtering =GMAIL-FILTER

GOOGLE-APPS= GMAIL, Google-BASE, ssl, RTCP,rtp-base,stun,web-browsing vidyo

Re: Block Access to private Gmail but allow corporate

S.Cantwell — Sat, 23 Oct 2021 12:00:02 GMT

Group.. i would recommend that the customer look at HTTP Header Insertion n under the URL Filter Profile section

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/http-header-insertion.html

With the HTTP header insertion and modification feature, you can now manage HTTP header information to disallow SaaS consumer accounts while allowing a specific enterprise account.