https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41328#M30378 <HTML><HEAD></HEAD><BODY><P>Thanks for answering.</P><P></P><P>Basically my rule is just: 'from any to any', deny application bittorrent.</P><P><BR />I can't see what I could possibly have done wrong <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Best regards</P><P>mario;</P></BODY></HTML> Wed, 14 Jul 2010 06:32:43 GMT MarioG 2010-07-14T06:32:43Z https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41326#M30376 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have just found the time to start learning about our new firewall. As a test I have tried creating a policy for blocking bittorrent traffic, but it seems to have only limited effect. Transmission still happily downloads the torrent although I can see from the logs in the firewall that at least some of the traffic is being denied.</P><P></P><P>Am I doing something wrong or is the application id simply not capable of correctly identifying all bittorrent traffic?</P><P></P><P>Regards</P><P>mario;</P></BODY></HTML> Tue, 13 Jul 2010 07:55:22 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41326#M30376 MarioG 2010-07-13T07:55:22Z https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41327#M30377 <HTML><HEAD></HEAD><BODY><P>What does your security policy look like?</P></BODY></HTML> Tue, 13 Jul 2010 18:17:34 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41327#M30377 mharding 2010-07-13T18:17:34Z https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41328#M30378 <HTML><HEAD></HEAD><BODY><P>Thanks for answering.</P><P></P><P>Basically my rule is just: 'from any to any', deny application bittorrent.</P><P><BR />I can't see what I could possibly have done wrong <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Best regards</P><P>mario;</P></BODY></HTML> Wed, 14 Jul 2010 06:32:43 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41328#M30378 MarioG 2010-07-14T06:32:43Z https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41329#M30379 <HTML><HEAD></HEAD><BODY><P>You should have gotten a dependency error when committing. I believe bittorrent also needs web-browsing and ssl.</P><P></P><P>I bet some of the traffic is being classified as different apps in the logs. I would build an application filter using:</P><P></P><P><A class="linkDisabled" id="GridView2_ctl02_new_category">general-internet &gt; </A><A class="linkEnabled" id="GridView3_ctl02_sub_category">file-sharing &gt; peer-to-peer &gt; 5</A></P><P></P><P>That should cover all of the various bittorrent apps like ares, kazaa, and even generic-p2p apps. Plus, if Palo Alto ever adds another bittorrent app in their app/content releases, the app will automatically be added to your policy.</P></BODY></HTML> Wed, 14 Jul 2010 13:06:28 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41329#M30379 mharding 2010-07-14T13:06:28Z https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41330#M30380 <HTML><HEAD></HEAD><BODY><P>I tried your suggestion on building the application filter, but unfortunately the result is much the same. It still can't identify all the bittorrent traffic. I think the traffic that is missed is classified as 'unknown-tcp' and 'incomplete'.</P><P></P><P>I still don't get any dependancy errors when committing the filters. Should I?</P></BODY></HTML> Thu, 15 Jul 2010 07:44:41 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41330#M30380 MarioG 2010-07-15T07:44:41Z https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41331#M30381 <HTML><HEAD></HEAD><BODY><P>Now we are getting somewhere. If you are seeing insufficient-data in the log, that means the firewall did not collect enough packets to determine what the application was. For unknown-tcp, you might want to take a packet capture and submit that to Palo Alto Support. Maybe they need to adjust the decoder for bittorrent traffic.</P><P></P><P>You may or may not get a dependancy error. I haven't created a bittorrent policy since PAN OS 3.0.</P></BODY></HTML> Thu, 15 Jul 2010 13:39:13 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41331#M30381 mharding 2010-07-15T13:39:13Z https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41332#M30382 <HTML><HEAD></HEAD><BODY><P>Another factor that could be clouding the issue is that if you have started a download prior to the device or blocking policy being inline, the client will have the ability to use that existing info to connect out to those peers. Particularly with encryption enabled on the client, this will make it very difficult to block. You should have success in blocking as long as we are in place with a blocking rule at the time the initial download occurs.</P></BODY></HTML> Fri, 23 Jul 2010 17:37:25 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-bittorrent-traffic/m-p/41332#M30382 mjacobsen 2010-07-23T17:37:25Z