<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Allowing just the application "web-browsing" breaks websites in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2272#M1688</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can start by creating, for example, a Top 250 traffic report for, let's say, the last 30 days, listing Application Name and Repeat Count so you can see what users are using, and then the good old manual labor of creating groups. Of course, it's usable if you don't have a university or school behind your firewall.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 06 Aug 2012 07:25:35 GMT</pubDate>
    <dc:creator>KNAB</dc:creator>
    <dc:date>2012-08-06T07:25:35Z</dc:date>
    <item>
      <title>Allowing just the application "web-browsing" breaks websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2270#M1686</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I’ve been trying to figure this one out and would appreciate input from the community. What recommended "helper" applications must be enabled along with the application “web-browsing” to have websites work as close to normal as possible? For example, allowing just the applications “web-browsing” and “SSL” is not sufficient, since plenty of websites use Flash and/or SOAP to work. I know the application Silverlight is also something required. I would like to hear what other web helper applications the community enabled along with Flash, Silverlight, etc. to ensure the web browsing experience is not affected by the firewall rule.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I’m trying to build a rule to replace something like “Any” application with service ports “service-http” and “service-https”. This of course is the easiest way to get web browsing working 100% but is of course a huge security hole. Tightening the rule down to application “web-browsing” and service “application-default” starts to break web sites.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 03 Aug 2012 11:25:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2270#M1686</guid>
      <dc:creator>Quinton</dc:creator>
      <dc:date>2012-08-03T11:25:31Z</dc:date>
    </item>
    <item>
      <title>Re: Allowing just the application "web-browsing" breaks websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2271#M1687</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We created an application filter that allows widely used apps for internet access.&lt;/P&gt;&lt;P&gt;Category: General Internet &amp;gt; Technology: Browser-based &amp;gt; Characteristic: Widely used&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We then add that filter to an application group that contains SSL, and youtube. This has helped us tremendously in allowing basic internet access.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 05 Aug 2012 23:16:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2271#M1687</guid>
      <dc:creator>daniel.love</dc:creator>
      <dc:date>2012-08-05T23:16:34Z</dc:date>
    </item>
    <item>
      <title>Re: Allowing just the application "web-browsing" breaks websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2272#M1688</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can start by creating, for example, a Top 250 traffic report for, let's say, the last 30 days, listing Application Name and Repeat Count so you can see what users are using, and then the good old manual labor of creating groups. Of course, it's usable if you don't have a university or school behind your firewall.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 06 Aug 2012 07:25:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2272#M1688</guid>
      <dc:creator>KNAB</dc:creator>
      <dc:date>2012-08-06T07:25:35Z</dc:date>
    </item>
    <item>
      <title>Re: Allowing just the application "web-browsing" breaks websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2273#M1689</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Another method is to create a custom appid where you check for http-header values such as HEAD, GET and POST and only allow those.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This way it will allow blank http requests if that's what you need (and block smtp, snmp and other stuff which isn't http).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, I think web-browsing should do this. A problem with appid in PA is that web-browsing is an appid on its own. It means that once the traffic is recognized as some other appid, you must allow that as well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For example, youtube. The first request will most likely be logged as web-browsing, but soon the PA will discover that this is a specific appid named "youtube" and will handle the traffic as such. If you only allowed "web-browsing" then your traffic will suddenly get blocked (unless you add youtube as an allowed appid, or for that matter create an appid of your own with "loose" settings).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 07 Aug 2012 10:58:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2273#M1689</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-08-07T10:58:10Z</dc:date>
    </item>
    <item>
      <title>Re: Allowing just the application "web-browsing" breaks websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2274#M1690</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The custom App-ID for http-header values like HEAD, GET and POST would "anonymise" all HTTP applications if applied, I think. The HTTP-based applications would be reduced to a single App-ID.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 08 Aug 2012 13:13:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2274#M1690</guid>
      <dc:creator>Quinton</dc:creator>
      <dc:date>2012-08-08T13:13:52Z</dc:date>
    </item>
    <item>
      <title>Re: Allowing just the application "web-browsing" breaks websites</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2275#M1691</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That's the point if you wish to allow http-only traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Because as soon as the traffic is identified as some other appid, it will be that appid you need to allow (or if you use an appid filter then it's categories of appids).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I agree, it would be nice if the PA could identify a flow as several appids at once instead of having only one appid per flow.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So if you allow web-browsing (or let's rename it to http-only as an example), that would allow everything that is using a proper http-based transmission, including facebook, youtube, etc., compared to today where you must explicitly allow facebook, youtube, etc. (or set up an appfilter).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 20 Aug 2012 21:58:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/allowing-just-the-application-quot-web-browsing-quot-breaks/m-p/2275#M1691</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-08-20T21:58:34Z</dc:date>
    </item>
  </channel>
</rss>

