topic Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES in General Topics

GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

j.moore — Sun, 13 Jan 2019 23:43:44 GMT

Does anyone have any ideas on how to permit access to Google Maps but block access to all other Google services? I have tried using a rule matching the Google-Maps application however it requires google-base which allows many other Google services. I have also tried using custom URLs for maps.google.com and www.google.com/maps; however, Google maps seems to require access to resources at www.google.com/.

The customer is currently using a Squid proxy with detailed regex expressions to accomplish this. Below are some examples. They would like to remove the proxy and use the firewall only.

acl ALLOWED_URL url_regex -i ^https?://www.google.com/favicon.ico$
acl ALLOWED_URL url_regex -i ^https?://www.google.com/images/branding/product/ico
acl ALLOWED_URL url_regex -i ^https?://www\.google\.com/(maps|xjs)
acl ALLOWED_URL url_regex -i ^https?://www\.google\.com/s(earch)?\?tbm=map
acl ALLOWED_URL url_regex -i ^https?://www\.google\.com/gen_204\?oq=

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

Remo — Mon, 14 Jan 2019 01:15:23 GMT

Hi @j.moore

Why don't you add the same URLs (without regex) to your custom URL category?

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

j.moore — Mon, 14 Jan 2019 12:51:35 GMT

I tried that. It doesn't seem to match on the full string. I think Custom URLs only support domains and subdomains, not the variables.

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

BPry — Mon, 14 Jan 2019 18:10:31 GMT

@j.moore,

You can't use variables for this.

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

j.moore — Mon, 14 Jan 2019 18:12:08 GMT

I figured that. What other options do I have?

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

BPry — Mon, 14 Jan 2019 18:16:28 GMT

@j.moore,

To do this easily and cleanly you don't really have any from the firewall directly. Google integrates all of their services pretty tightly and trying to limit all of Google but allowing Maps would require a very large amount of allowed URLs that will likely be constantly changing and breaking things.

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

j.moore — Mon, 14 Jan 2019 21:29:37 GMT

Using a squid proxy this is fairly straightforward. Hoping this might be accomplished using the PA firewall only.

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

Remo — Tue, 15 Jan 2019 19:50:54 GMT

As they work with squid, did you add these urls to the custom url category?

www.google.com/favicon.ico
www.google.com/images/branding/product/ico
www.google.com/maps
www.google.com/xjs
www.google.com/search?tbm=map
www.google.com/s?tbm=map
www.google.com/gen_204?oq=

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

j.moore — Wed, 16 Jan 2019 00:47:49 GMT

Yes, but it fails to match the following. I I think this is because PANOS only matches on domains, subdomains, and paths not Parameters.

www.google.com/search?tbm=map
www.google.com/s?tbm=map
www.google.com/gen_204?oq=

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

gwesson — Wed, 16 Jan 2019 00:56:46 GMT

Are you doing SSL Decryption? Without decryption, the firewall doesn't even see the HTTP request for the maps page, it only sees the hostname of the server they're connecting to, in this case it's www.google.com as the host. Google uses a wildcard cert, so the response from the server is for *.google.com. Since neither is distinguishing the maps service, there would be no way to allow maps but deny others.

PAN-DB does categorize on full URIs, not just domains and hosts. A good example of this is any of the test sites:

https://pandb.paloaltonetworks.com/test-gambling

https://pandb.paloaltonetworks.com/test-phishing

Both of those pages are on the same host and domain, but different paths. PAN-DB will categorize them appropriately.

But if you're not decrypting the SSL (TLS) traffic, the only thing the firewall will see is a TLS Client Hello that has "pandb.paloaltonetworks.com" but not the full URI.

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

j.moore — Wed, 16 Jan 2019 01:05:21 GMT

Even with Decryption enabled PANOS still doesn't match the Parameters in the URL. Path matching works; however, without matching the parameters we can't differentiate between Google maps and all other Google services.

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

gwesson — Wed, 16 Jan 2019 01:13:11 GMT

> Even with Decryption enabled PANOS still doesn't match the Parameters in the URL.

That's actually incorrect - PAN-DB (and PAN-OS) does do full URI matching. The two test URLs I provided would illustrate that. The "test-phishing" and "test-gambling" parts are neither the host nor the domain. Those are part of the path, and PAN-DB definitely does page-level categorization, even when you define a custom URL.

Looking at the squid rules you provided, you would likely need to create a custom URL category with all of the following URLs. :

www.google.com/favicon.ico

www.google.com/images/branding/product/ico

www.google.com/maps*

www.google.com/xjs*

www.google.com/s?tpm=map

www.google.com/search?tpm=map

www.google.com/gen_204/?oq=*

You may want to double up on those, excluding the 'www' since it's valid even without that.

Re: GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES

vnkychandu — Wed, 15 Sep 2021 10:27:28 GMT

@j.moore I never tried this in palo alto but i did it in Cyberoam firewall. We applied this to one of our client where they had to use only google maps and block all other google services. There we allowed google maps and blocked other services using SSL certificate. Its been quite few years that we implemented this. https://support.sophos.com/support/s/article/KB-000038926?language=en_US

Hope this will help