topic Re: Question about outbound hostname restrictions in General Topics

Question about outbound hostname restrictions

murphyca — Thu, 02 Aug 2018 17:46:27 GMT

I'm familiar with user based restrictions to outbound resources, such as youtube, but is it possible with say, a regex expression, to block access to a site like youtube through a list of machines that include a name like kiosk, as in cakiosk01, cokiosk02, flakiosk03, etc. ?

Re: Question about outbound hostname restrictions

OtakarKlier — Thu, 02 Aug 2018 18:57:03 GMT

Hello,

In the past what I have done is put the kiosks/guest machines onto their own vlan and hten write the policy around the source IP's.

Regards,

Re: Question about outbound hostname restrictions

BPry — Fri, 03 Aug 2018 16:36:24 GMT

@murphyca,

Not something that you could do on the box. The VLAN option that @OtakarKlier presented is a good option. Otherwise you could simply collect the DHCP logs and look at which IP the machines are grabbing and add them to as an address-object with a given tag; this tag could then be used to build out a dynamic address-group. Doing this programatically would likely be best.

As an example:

Schedule some sort of scripting language like Python to scour the DHCP logs for the machine name. Once the machine name is found grab the IP from the log and use that value to update the address object with the recorded IP through the API. Then you just need to schedule the script to pull the DHCP logs every once in a while to keep everything updated.

Re: Question about outbound hostname restrictions

gwesson — Fri, 03 Aug 2018 17:25:56 GMT

Do you mean to block from a specific source by client hostname? The client's hostname is never sent as part of their HTTP request, so there would be nothing to trigger on there.

I'd recommend setting up user-id so that you have the username logged into the kiosks and can simply apply a URL filtering policy.

If you're going TO a site with the name "kiosk" in the host header, you can set up a custom vulnerability or spyware signature using the host header as the context and a regex of "..kiosk0.+" (not tested) that could trigger for you.

Re: Question about outbound hostname restrictions

Remo — Fri, 03 Aug 2018 19:37:30 GMT

@murphyca What you actually asking for is - as already mentionned - not possible. But depending on the configurarion of your network and these computers there are some ways for this:

DHCP Reservations so that these computers always get rhe same IPs and you then could create addressobjects for
Seperate VLAN for these computers as written by @OtakarKlier (probably a good idea anyway to seperate these computers from the rest of your network)
Configure a default user that is logged in automatically, so you will be able to write user-based rules (as mentionned by @gwesson)
Parse the DHCP logs to create dynamic addressgroups which you can use as source in your policy (as proposed by @BPry)
Use FQDN addressobjects which the firewall will update according to the TTL of the DNS entry
Configure the computers browsers to use custom user agent strings and create a custom application that matches on this user agent string

Re: Question about outbound hostname restrictions

murphyca — Fri, 03 Aug 2018 22:08:43 GMT

The challenge is over 400 remote locations feeding through corporate. The architecture would be difficult to change from that perspective. Possible, but difficult.

Re: Question about outbound hostname restrictions

murphyca — Fri, 03 Aug 2018 22:12:08 GMT

In speaking to PAN support, looks like we'd have to do a reverse DNS lookup for the internal hosts, which may be resource intensive. I will explore the ID of scraping the DHCP configuration though. That should be less resource intensive. The client state will be difficult to change at the moment. May be worth investigating though down the road as an alternative roadmap.

Re: Question about outbound hostname restrictions

OtakarKlier — Fri, 03 Aug 2018 22:25:00 GMT

Hello,

One other thing I have done in the past is kind of is use user-id and have those kiosks and desk users excluded. What I mean is create a web browsing policy and select the source user as /domain-users, this way all domain users get the less restrictive policy. Then a second policy after that one for everything else and have a more restrictive policy. So if a user just see's a kiosk and opens the browser, they get the more restrictive policy since that IP is not mapped to a user-id.

Hope that makes sense.