topic Re: Teamviewer is not blocking in General Topics

Teamviewer is not blocking

Shuaib_Khalid — Tue, 25 Sep 2018 06:19:39 GMT

Hi,

I have PA-820 with fully updated signatures, I have blocked Teamviewer via security policy. PA is recognising the application and traffic log showing that teamviewer connection is blocked but on host machine teamviewer is running and outbound / inbound teamviewer connections are sucessful. I have also tried by applying ssl decryption but still same result. Need help in this regard.

Regards,

Shuaib Khalid

Re: Teamviewer is not blocking

BPry — Tue, 25 Sep 2018 13:38:14 GMT

@Shuaib_Khalid,

If you have logs proving that the Teamviewer app-id is properly getting blocked when your security rule is applied then this would more then likely be due to traffic getting mis-identified, likely to 'ssl'. To get this to work properly you would need to apply ssl-decryption.

Out of curiosity are you blocking all of the app-ids? You would either include the app-id container of 'teamviewer' and then 'teamviewer-web' or you would need to list out all 4 individually. Generally in my experience the firewall is rather good at identifying teamviewer traffic and blocking it when you are decrypting traffic.

If you aren't decrypting traffic then teamviewer falls back to tcp/443 instead of its default port of tcp/5938 and the firewall will allow the traffic as it can't tell what it is.

You could attempt to do this in a controlled situation and reviewing the logs to see what exactly the firewall is identifying the traffic; that may help in understanding why your traffic isn't getting identified properly.

Re: Teamviewer is not blocking

TerjeLundbo — Wed, 26 Sep 2018 13:16:20 GMT

We do not use any form of SSL decryption on our PA, but we are still able to effectively block Teamviewer. Does the firewall perhaps do some kind of hostname/FQDN match in addition to block the traffic? I see in the traffic logs that Teamviewer first tries port tcp/5938, then tcp/443 then tcp/80, but all the sessions are blocked with app-id teamviewer-base.

Re: Teamviewer is not blocking

BPry — Wed, 26 Sep 2018 19:10:00 GMT

@TerjeLundbo,

The firewall is capable of still identifying certain applications through a number of different ways that aren't encrypted when you are using SSL. Under the majority of use cases the firewall is perfectly capable of identifying teamviewer traffic without decrypting the traffic.

FYI: On a rainy day dig into a technical_support file generated from your firewall and you might just maybe be able to find things you aren't really meant to see 😉