topic Re: Want to block personal gmail and allow corporated gmail in General Topics

Want to block personal gmail and allow corporated gmail

FarhanKoujalgi — Tue, 12 Oct 2021 11:31:26 GMT

Hey guys one of my customer wants to block personal gmail (google mail) for eg : example@gmail.com

and want to allow the corporate Gmail eg : example@corporate.com

what are the steps to configure this type of request please help us.

Re: Want to block personal gmail and allow corporated gmail

DavidWalters2 — Tue, 12 Oct 2021 14:59:54 GMT

You need to TLS intercept the traffic, downgrade it from HTTP/2 and then insert a header. There are instructions at https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/http-header-insertion/http-header-insertion-understand-custom-headers.html

Re: Want to block personal gmail and allow corporated gmail

LAYER_8 — Tue, 12 Oct 2021 20:20:14 GMT

Indeed, historically this is accomplished through HTTP header insertion described above.

An alternative method would be the new SaaS Security Inline subscription, some of my customers opt for the latter as it's much easier to configure and manage.

Re: Want to block personal gmail and allow corporated gmail

FarhanKoujalgi — Wed, 13 Oct 2021 06:31:05 GMT

@LAYER_8 and @DavidWalters2

Guys thanks for the reply.

I not getting your solution please explain in details.

@BPry Do you have any idea about this?

Re: Want to block personal gmail and allow corporated gmail

LAYER_8 — Wed, 13 Oct 2021 16:37:10 GMT

@DavidWalters2 's answer covers it in detail. If you click the link you will see next to the header value:

support.google.com/a/answer/1668854?hl=en

You can allow access to specific Google accounts from your domain. The values that you give to this header are your domain and subdomains.

To successfully insert headers for Google applications, you must also:

Create an SSL decryption profile that includes the following categories and URLs:
business-and-economy
computer-and-internet-info
content-delivery-networks
internet-communications-and-telephony
low-risk
online-storage-and-backup
search-engine
web-based-email
drive.google.com
*.google.com
*.googleusercontent.com
*.gstatic.com

HTTP header insertion is not currently supported for HTTP/2. To insert headers, downgrade HTTP/2 connections to HTTP/1.1 using the Strip ALPN feature in the appropriate decryption profile. For more information, see App-ID and HTTP/2 Inspection.

Create rules to block the Quick UDP Internet Connections (QUIC) App-ID and place them at the top of your security policy because the firewall does not support header insertion for this protocol. When you do, the app reverts to using HTTP/2 over TLS, which the firewall handles in the previous step.

So you'll need an SSL decryption profile (guide here), you will enable the "Strip ALPN" feature in the profile you create. You will then create a decryption policy on the above categories, also a block QUIC policy. Lastly, you will follow these steps to add the google header value to the sessions.

Re: Want to block personal gmail and allow corporated gmail

FarhanKoujalgi — Wed, 13 Oct 2021 17:12:52 GMT

@LAYER_8 Thankyou for reply

So I have to create a different URL filtering for that ?

I attached the images plz help me out my config is right or wrong.

What should i add into the value and domains?

Is the security policy is correct ?

And what should I enable in the decryption profile?