topic Re: Tips to block Yahoo Mail but not other parts of Yahoo in General Topics

Tips to block Yahoo Mail but not other parts of Yahoo

tszafa — Tue, 06 Apr 2021 14:48:38 GMT

I wanted to make a post to the community to see what other people are doing about this issue. We currently have a support case open with Palo for this and has been open for quite some time. Long story short, users that have previously logged into a Yahoo account and have a session cookie are able to somehow circumvent security policy and the app sometimes is parsed as App-ID "SSL" instead of "yahoo-mail-base."

We are able to recreate this behavior 100% of the time. The only way we were able to block Yahoo Mail was by selectively decrypting this traffic and blocking the following URL's:

mail.yahoo.com
login.yahoo.com

*.mail.yahoo.com

*.login.yahoo.com

Even with the decryption applied, the sessions are still sometimes getting misparsed and users are still able to access Yahoo Mail. Again, this is directly related to if the user has logged into a Yahoo account before or not; if the person has never previously logged into a Yahoo account, the access is blocked completely.

Now since "login.yahoo.com" is on this URL category we created, users are unable to login to Yahoo for other areas (such as Yahoo Finance).

Just seeing if the community has tackled this issue before why we keep trying through traditional support channels.

Re: Tips to block Yahoo Mail but not other parts of Yahoo

nikoolayy1 — Wed, 07 Apr 2021 10:23:32 GMT

I have not seen such issue before. So the because the SSL decrypton does not work always the the App-ID does not match correctly the yahoo app-id (Because of this App-ID "SSL" instead of "yahoo-mail-base." maybe the SSL decryption is not happening)?

Have you focused on why the SSL decryption does not work every time:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/enhanced-ssl-decryption-troubleshooting.html

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS

Also maybe when the users have accessed the yahoo and when they access it a second time a "secure renegotiation" is triggered and not a full handshake and maybe this causes the firewall not to be able to decrypt the traffic

https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-renegotiation/td-p/27979

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJ0CAO&lang=en_US%E2%80%A9

If SSL decryption is the issue test using a Decryption profile to try to stop this:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-decryption-profile/settings-to-control-decrypted-ssl-traffic.html

If the ssl decryption is ok but the issue is with the app-id wrongly watching then better wait for the TAC to fix their APP-ID.

Re: Tips to block Yahoo Mail but not other parts of Yahoo

OtakarKlier — Thu, 08 Apr 2021 21:38:31 GMT

Hello,

I would recommend setting the URL category Web-based Email to block. This way you dont need to mess with custom block url's etc.

Also as mentioned SSL decryption should be enabled, however a lot of URL traffic can be blocked like this since its in the plain text part of the packet.

Regards,