<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to exempt certain destinations from a File Blocking policy in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50892#M37457</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That works, thanks!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 09 Apr 2010 17:51:35 GMT</pubDate>
    <dc:creator>ahopkins</dc:creator>
    <dc:date>2010-04-09T17:51:35Z</dc:date>
    <item>
      <title>How to exempt certain destinations from a File Blocking policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50886#M37451</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I need to exempt certain sites from a policy that blocks downloads of executables, so downloads of executables are allowed from those sites. Since these are large sites that use content distribution networks, I can't create a policy with a destination IP address and a different security profile. What I would do with other brands of firewall that support FQDN object types, is reference the destination domain or URL in the policy instead of a destination IP, but Palo Alto doesn't have that feature yet. Is there a workaround I can use until Palo Alto supports the URL or FQDN object type?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 01 Apr 2010 15:05:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50886#M37451</guid>
      <dc:creator>ahopkins</dc:creator>
      <dc:date>2010-04-01T15:05:50Z</dc:date>
    </item>
    <item>
      <title>Re: How to exempt certain destinations from a File Blocking policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50887#M37452</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The way to accomplish this with the current software would be to create a custom App-ID for the application/site and use that in the Application column of the policy with the appropriate file blocking profile. If you want help with the custom App-ID, post more info about the application/site and I am sure we can help you create it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Given the dynamic nature of CDNs, FQDN objects are likely problematic for this. Most CDNs will use a very short TTL which will cause the entries to be out of sync as most firewalls expect this to be updated on a frequency typically in hours, not seconds.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 01 Apr 2010 15:21:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50887#M37452</guid>
      <dc:creator>mjacobsen</dc:creator>
      <dc:date>2010-04-01T15:21:39Z</dc:date>
    </item>
    <item>
      <title>Re: How to exempt certain destinations from a File Blocking policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50888#M37453</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;So suppose I wanted to allow executable downloads from microsoft.com, but otherwise block them, how would I do that through App-ID?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As far as the FQDN object types, I don't know how others such as Sonicwall do it; my guess is that it involves a lot of reverse DNS queries from the firewall. Is that feature still on track for later this year?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Alex.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 01 Apr 2010 15:30:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50888#M37453</guid>
      <dc:creator>ahopkins</dc:creator>
      <dc:date>2010-04-01T15:30:21Z</dc:date>
    </item>
    <item>
      <title>Re: How to exempt certain destinations from a File Blocking policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50889#M37454</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Attached is an example App-ID that includes two signatures: one that looks for www.microsoft.com in the host header of an HTTP request, and one that looks for CN=www.microsoft.com that applies to SSL traffic, looking at the CN in the server's SSL certificate. The values for www.microsoft.com could be replaced by whatever site you want to have a unique App-ID for. Once created, this App-ID can be used in a policy, and the associated rule could have its own set of profiles attached.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 03 Apr 2010 06:26:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50889#M37454</guid>
      <dc:creator>mjacobsen</dc:creator>
      <dc:date>2010-04-03T06:26:32Z</dc:date>
    </item>
    <item>
      <title>Re: How to exempt certain destinations from a File Blocking policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50890#M37455</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;When I import it, I get this error:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="ext-mb-text" id="ext-gen272"&gt;Config loaded from appid_microsoft_xml pattern-match unexpected here. Discarding. pattern-match unexpected here. Discarding. &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;It creates the new app, but it's missing the regular expression:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG src="https://live.paloaltonetworks.com/" /&gt;&lt;/P&gt;&lt;P&gt;Should I enter something like ".microsoft.com" under "Pattern" to apply to all Microsoft URLs?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Alex.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 08 Apr 2010 16:32:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50890#M37455</guid>
      <dc:creator>ahopkins</dc:creator>
      <dc:date>2010-04-08T16:32:24Z</dc:date>
    </item>
    <item>
      <title>Re: How to exempt certain destinations from a File Blocking policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50891#M37456</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You will need to be at PAN-OS version 3.1.0 or higher to use the above custom App-ID, as it has enhancements to support the CN in the SSL cert.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For PAN-OS version 3.0.x, please try the attached custom App-ID.&amp;nbsp; The signature is looking for microsoft.com in the HTTP host header or the URI path.&amp;nbsp; You can almost separate the 2 matching conditions into 2 separate custom App-IDs to suit your needs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Good luck.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Message was edited by: rmonvon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 08 Apr 2010 19:28:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50891#M37456</guid>
      <dc:creator>rmonvon</dc:creator>
      <dc:date>2010-04-08T19:28:33Z</dc:date>
    </item>
    <item>
      <title>Re: How to exempt certain destinations from a File Blocking policy</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50892#M37457</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That works, thanks!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 09 Apr 2010 17:51:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-exempt-certain-destinations-from-a-file-blocking-policy/m-p/50892#M37457</guid>
      <dc:creator>ahopkins</dc:creator>
      <dc:date>2010-04-09T17:51:35Z</dc:date>
    </item>
  </channel>
</rss>

