https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71238#M40732 <P>I am blocking unwanted bwrowsers in a different way; with custom IPS signatures. You can make a signature that matches certain string within http header (pattern match -&gt; http-req-header -&gt; 'string'). Then you can set that signature to allow/alert/block.</P> <P>&nbsp;</P> <P>However detection of browser on UA string is not reliable. For start it's not easy to make patterns to uniquely identify different browsers as many are using same words (<A href="http://www.useragentstring.com/pages/Browserlist/)." target="_blank">http://www.useragentstring.com/pages/Browserlist/).</A> And most browsers allow changing UA, with some it's already built-in functionality while for others you have extensions.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 20 Jan 2016 08:44:05 GMT santonic 2016-01-20T08:44:05Z https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71201#M40723 <P>I am currently researching a way to be able to intercept traffic from an unsupported IE browser and then be able to feed that information about the host, mainly FQDN hostname or IP address of the host into the PAN dynamically based on the user-agent:</P> <P>&nbsp;</P> <P>IE8 - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)</P> <P>IE9 - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)</P> <P>IE 10 - Mozilla/5.0 (compatible; WOW64; MSIE 10.0; Windows NT 6.2)</P> <P>&nbsp;</P> <P>One way I am thinking of doing this, is to have a tcpdump stream pick up the traffic between the internal host and the PAN before it gets out to the Internet.&nbsp;The PCAP would then have the information I am looking for. I am thinking that I can grep the info I need and build a list that can update a dynamic block list.&nbsp;</P> <P>&nbsp;</P> <P>Has anyone been able to accomplish this?&nbsp;</P> <P>&nbsp;</P> <P>Scott</P> Tue, 19 Jan 2016 16:53:33 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71201#M40723 LCMember2817 2016-01-19T16:53:33Z https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71216#M40728 <P>I was hoping we'd be able to create a custom app sig based upon user-agent, but I didn't see where that was an option. &nbsp;Given that 6.1.X brought about the ablity to at least see in the log a user agent, I was hoping there could be some deeper controls around this field, but I haven't been able to find one.</P> Tue, 19 Jan 2016 19:15:10 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71216#M40728 Brandon_Wertz 2016-01-19T19:15:10Z https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71238#M40732 <P>I am blocking unwanted bwrowsers in a different way; with custom IPS signatures. You can make a signature that matches certain string within http header (pattern match -&gt; http-req-header -&gt; 'string'). Then you can set that signature to allow/alert/block.</P> <P>&nbsp;</P> <P>However detection of browser on UA string is not reliable. For start it's not easy to make patterns to uniquely identify different browsers as many are using same words (<A href="http://www.useragentstring.com/pages/Browserlist/)." target="_blank">http://www.useragentstring.com/pages/Browserlist/).</A> And most browsers allow changing UA, with some it's already built-in functionality while for others you have extensions.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 20 Jan 2016 08:44:05 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71238#M40732 santonic 2016-01-20T08:44:05Z https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71262#M40739 <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2123iAD23011DA3777D79/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="chrome.jpg" title="chrome.jpg" />Hi all,</P> <P>&nbsp;</P> <P>Of course you can do that with custom app <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>In the advance tab when you create new app, you can define your own signature. If you select for exemple http-request-header and paatern "Chrome\/", it will work.</P> <P>For other browser, just make a TCP dump of your http request "GET" and identify the unic stream.</P> <P>&nbsp;</P> <P>But it's true, it will be not very efficient, nothing is more easy to fake than http header <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Hope help.</P> <P>&nbsp;</P> <P>V.</P> Wed, 20 Jan 2016 15:53:15 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71262#M40739 VinceM 2016-01-20T15:53:15Z https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71319#M40751 <P>I was also considering whether to do it with custom App or custom IPS signature. In the end i decided for IPS signature because I still want to see what app is being used (web-browsing, http-video...) instead of just which browsers is being used.&nbsp;</P> Thu, 21 Jan 2016 07:08:03 GMT https://live.paloaltonetworks.com/t5/general-topics/blocking-internet-access-based-on-user-agent/m-p/71319#M40751 santonic 2016-01-21T07:08:03Z