Are there options in the Palo Alto SaaS Security Inline to block in real time cut/copy/paste/print activities?

nikoolayy1 — Sun, 19 Jun 2022 11:14:27 GMT

I have seen this some other CASB solutions to limit what the web browsers can do in real time not out of band (Palo Alto SaaS Security API) I just wanted to ask as I can't find it.

Re: Are there options in the Palo Alto SaaS Security Inline to block in real time cut/copy/paste/print activities?

JayGolf — Wed, 22 Jun 2022 21:52:08 GMT

Hi @nikoolayy1 ,

I received some info from a colleague. If it’s an unknown app, fw will allow the traffic until ACE determines the proper enhanced App-ID

Here are a few links that were shared:

SaaS Inline

ACE App ID

Unsanctioned App

Re: Are there options in the Palo Alto SaaS Security Inline to block in real time cut/copy/paste/print activities?

nikoolayy1 — Thu, 23 Jun 2022 14:20:27 GMT

What? I think this is an answer to another problem 🙂

Still the below apps should have an allow rule if it is like the normal application shift as then the FW will match the security rule stack again as if ssl is blocked in security rule that the traffic matches then firewall will never do application shift. Hope this helps your customer.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWZCA0

ssl
—Encrypted SSL traffic is by far the most common type of network traffic, with most experts claiming that it exceeds 90% of total traffic. If you don’t or can’t decrypt that traffic, the firewall often can only identify it as ssl instead of as the actual underlying application.
web-browsing
—The firewall can’t specifically identify some unencrypted web-browsing traffic because there are so many applications that content-delivered App-ID can’t keep up with the ever-increasing amount.
unknown-tcp
and
unknown-udp
—This traffic may be internal or custom applications or unknown external applications. It’s important to identify that traffic by its specific App-ID so that you can make intelligent access decisions and construct appropriate Security policy rules to control and inspect the traffic.

Applications like Gotomeeting and YouTube are initially identified as SSL, web-browsing and Citrix. As more packets for these sessions pass through the firewall, more information to identify the application is available to the firewall. The firewall then shifts the application to respective applications like Gotomeeting and Youtube.

Whenever an application shift happens, the firewall does a new security policy lookup to find the closest rule matching the new application. So in the above case, SSL and web-browsing are called dependent applications for Gotomeeting and YouTube, thus these applications should also be allowed in the security policies. If the application of the traffic changes in the middle of the session, then a second security policy lookup rematches the traffic against the security policies to find the new closest matching policy.

topic Are there options in the Palo Alto SaaS Security Inline to block in real time cut/copy/paste/print activities? in General Topics

Are there options in the Palo Alto SaaS Security Inline to block in real time cut/copy/paste/print activities?

Re: Are there options in the Palo Alto SaaS Security Inline to block in real time cut/copy/paste/print activities?

Re: Are there options in the Palo Alto SaaS Security Inline to block in real time cut/copy/paste/print activities?