https://live.paloaltonetworks.com/t5/general-topics/data-filtering-reverse-possible/m-p/45411#M33380 <HTML><HEAD></HEAD><BODY><P>For a client, we are working on a regulatory need where we need to block any administrator attempts to login to a web application sitting behind the firewall. I created a data filtering rule which looks for the admin names and it DOES block it, however, this is an explicit deny and is the opposite of best practices. What would work best is if we could only ALLOW the 4-5 standard user logins and block anything else.</P><P></P><P>Is there a way to make the data filtering work in reverse?</P></BODY></HTML> Mon, 21 Oct 2013 14:09:33 GMT SDorsey 2013-10-21T14:09:33Z https://live.paloaltonetworks.com/t5/general-topics/data-filtering-reverse-possible/m-p/45411#M33380 <HTML><HEAD></HEAD><BODY><P>For a client, we are working on a regulatory need where we need to block any administrator attempts to login to a web application sitting behind the firewall. I created a data filtering rule which looks for the admin names and it DOES block it, however, this is an explicit deny and is the opposite of best practices. What would work best is if we could only ALLOW the 4-5 standard user logins and block anything else.</P><P></P><P>Is there a way to make the data filtering work in reverse?</P></BODY></HTML> Mon, 21 Oct 2013 14:09:33 GMT https://live.paloaltonetworks.com/t5/general-topics/data-filtering-reverse-possible/m-p/45411#M33380 SDorsey 2013-10-21T14:09:33Z https://live.paloaltonetworks.com/t5/general-topics/data-filtering-reverse-possible/m-p/45412#M33381 <HTML><HEAD></HEAD><BODY><P>Hello mackwage.</P><P></P><P>Your best bet for this would be a custom application.&nbsp; You will need to:</P><P></P><P>1.) Do a packet capture and get the login string.&nbsp; For example, if your web application uses cookies, a good way would be to look for the cookie string in the HTTP request header, which would look something like: Cookie: username=administrator.</P><P></P><P>2.) Create a custom application which looks for this string:</P><P>Objects-&gt;Applications-&gt;Add,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Configuration-&gt;(fill out to your needs)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Advanced-&gt;(choose "port" and add: tcp/80 and tcp/443)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Signatures-&gt;Add-&gt;(add "OR" conditions with pattern-match (as many as you need): example: context: http-req-headers, patthern: username=admin)</P><P></P><P>3.) Create a security policy which matches your login traffic:</P><P>example:</P><P>zones: trust-&gt;dmz, destination ip: &lt;web application server ip&gt;, application: Your new custom application, action: deny.</P><P></P><P></P><P>Commit and test it out.&nbsp; If you have your&nbsp; "Application Block Page" enabled in Device-&gt;Response Pages, you should get the block pages when you login as administrator (or whatever the login name was).&nbsp; All other users should not get the page.</P><P></P><P>*** Remember if you use the string that is in the Cookie, the users will need to clear their cookies if they try with the admin user and get blocked, then want to try again with another user.</P><P></P><P>Good luck,</P><P></P><P>-chadd.</P></BODY></HTML> Mon, 21 Oct 2013 21:37:45 GMT https://live.paloaltonetworks.com/t5/general-topics/data-filtering-reverse-possible/m-p/45412#M33381 cchristiansen 2013-10-21T21:37:45Z