How to filter browsertype based requests

L1 Bithead

How to filter browsertype based requests

Hello (we need support :-) ),

We want to filter all outbound HTTP traffic on our PA 500 by User-Agent type.

As an explanation: we want to know (and later block) all users who are using MSIE 7.0 (for example) for outgoing browsing.

Following are ideas from our side, but so far no success with the implementation.

1) Using Data Filtering on a global outbound web-browsing policy

Using a Data Pattern with .*(compatible; MSIE)

This obviously does not work.

2) Using a self-created Application

with the same pattern

This obviously does not work.

<response status="success" code="19">
  <result total-count="1" count="1">
    <entry name="sh_browser_type">
      <category admin="zieglerj" time="2010/01/20 15:38:15">media</category>
      <subcategory admin="zieglerj" time="2010/01/20 15:38:15">photo-video</subcategory>
      <technology admin="zieglerj" time="2010/01/20 15:38:15">browser-based</technology>
      <risk admin="zieglerj" time="2010/01/20 15:38:15">5</risk>
      <consume-big-bandwidth admin="zieglerj" time="2010/01/20 15:38:15">no</consume-big-bandwidth>
      <able-to-transfer-file admin="zieglerj" time="2010/01/20 15:38:15">no</able-to-transfer-file>
      <used-by-malware admin="zieglerj" time="2010/01/20 15:38:15">no</used-by-malware>
      <evasive-behavior admin="zieglerj" time="2010/01/20 15:38:15">no</evasive-behavior>
      <has-known-vulnerability admin="zieglerj" time="2010/01/20 15:38:15">no</has-known-vulnerability>
      <pervasive-use admin="zieglerj" time="2010/01/20 15:38:15">no</pervasive-use>
      <prone-to-misuse admin="zieglerj" time="2010/01/20 15:38:15">no</prone-to-misuse>
      <tunnel-applications admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-applications>
      <tunnel-other-application admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-other-application>
      <data-ident admin="zieglerj" time="2010/01/20 15:38:15">no</data-ident>
      <virus-ident admin="zieglerj" time="2010/01/20 15:38:15">no</virus-ident>
      <file-type-ident admin="zieglerj" time="2010/01/20 15:38:15">no</file-type-ident>
      <spyware-ident admin="zieglerj" time="2010/01/20 15:38:15">no</spyware-ident>
      <decoder admin="zieglerj" time="2010/01/20 15:38:15">http</decoder>
      <default>
        <port>
          <member admin="zieglerj" time="2010/01/20 15:38:15">tcp/dynamic</member>
        </port>
      </default>
      <signature>
        <entry name="User_Agent_IE">
          <comment admin="zieglerj" time="2010/01/20 15:38:15">Identifies the User-Agent of MSIE 7.0</comment>
          <order-free admin="zieglerj" time="2010/01/20 15:38:15">yes</order-free>
          <scope admin="zieglerj" time="2010/01/20 15:38:15">protocol-data-unit</scope>
          <and-condition>
            <entry name="AND 1">
              <or-condition>
                <entry name="OR 1">
                  <context admin="zieglerj" time="2010/01/20 15:38:15">http-req-headers</context>
                  <method admin="zieglerj" time="2010/01/20 15:38:15"/>
                  <pattern admin="zieglerj" time="2010/01/20 15:38:15">MSIE 7/.</pattern>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
        </entry>
      </signature>
    </entry>
  </result>
</response>

L5 Sessionator

Re: How to filter browsertype based requests

Hi Smartboy,

The second option is probably your best bet with the custom app.  Support has requested that you open a case with them so that they can work with you to create it.

L4 Transporter

Re: How to filter browsertype based requests

Your App-ID looks good except for a few things. Your pattern is really close but should be "MSIE 7\.0". With no other changes, this should start identifying traffic from IE7 (or at least traffic that claims to be IE7).

Once you get the signature working, you will likely run into another issue. It looks like you did not check the "Continue scanning for other applications" checkbox. This is fine if your intent is to block IE7, but if you want to allow IE7, this will turn all browsing traffic into IE7 for those users. This means you will not see what other web-based applications they are running. If you are just interested in knowing who is running IE7, then you could check that box and then the system would continue scanning for other applications. With this approach, only the traffic that is generic web-browsing would get classified as IE7 since no other more specific app would be found. YouTube would continue to show up as YouTube and Facebook would continue to show up as Facebook. However, if you did an ACC filter on IE7, you will be nearly guaranteed to have at least one session from each IE7 user that was generic web-browsing (now showing up as IE7), allowing you to know who is running it without losing visibility into more detailed app info.

Let us know if this works.

Mike

L1 Bithead

Re: How to filter browsertype based requests

Hi, thanks for the response.

I will open a case.

L1 Bithead

Re: How to filter browsertype based requests

Thanks Mike for this "short" answer.

I will try this out as soon as possible and let you know the result.

Cheers.

L1 Bithead

Re: How to filter browsertype based requests

Hi Mike,

Could you describe the policy rule which I should implement for blocking my traffic using IE?

Actually (after I checked "Continue scanning for other applications") I activated the following rule:

trust to untrust, source any, source user (domain\myself e.g.), dest any, Application sh_browser_type, action deny, profile none, options Send Traffic Log at session start.

Where is my mistake?

Cheers

L4 Transporter

Re: How to filter browsertype based requests

Do you see sh_browser_type showing up in ACC or any logs? Prior to turning on blocking, you might want to allow it and see if it is showing up correctly. Once that is working, turning on a deny rule should work.

Mike

L1 Bithead

Re: How to filter browsertype based requests

Hi Mike,

I see the request in the ACC Monitor. The rule works fine now. I can block dedicated browser types even on a user-based selection.

Big effort. Thanks for this marvelous support.

Not applicable

Re: How to filter browsertype based requests

How can I add the User-Agent pattern? I am new to PA and need some help.

L4 Transporter

Re: How to filter browsertype based requests

Moved this thread to DevCenter since it discusses creating custom App-IDs.

To filter by user-agent, you need to create a custom App-ID. The key signature in the App-ID will contain the following:

Context: http-req-headers

Pattern: MSIE 7\.0

Here's a screenshot of what the signature will look like in the UI:

[Screenshot: Screen shot 2010-07-27 at 7.31.39 AM.png]

To create a custom app, you go to the Objects tab and select Applications. Clicking the New button will start you down the path. There is a tutorial on creating custom apps here: How to Configure Custom HTTP-Based Apps.

Mike
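As an added illustration (not code from this thread or from Palo Alto Networks), the script below models the two points Mike makes above: the pattern fix from "MSIE 7/." to "MSIE 7\.0" applied to the http-req-headers context, and what "Continue scanning for other applications" changes in how a session is reported. It approximates PAN-OS pattern matching with Python's re module, uses a hypothetical KNOWN_APPS table in place of the firewall's built-in App-IDs, and runs on constructed sample requests.

```python
import re

# Constructed sample sessions (not from the thread): the first request of each
# TCP session, which is what the http-req-headers context of the signature sees.
UA_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
UA_FF = "Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"

def request(host, ua, path="/"):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {ua}\r\n\r\n"

SESSIONS = {
    "ie7_generic": request("www.example.com", UA_IE7),
    "ie7_youtube": request("www.youtube.com", UA_IE7, "/watch"),
    "ie8_generic": request("www.example.com", UA_IE8),
    "firefox_generic": request("www.example.com", UA_FF),
}

def req_headers(raw):
    """http-req-headers context: the header lines after the request line, before the body."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n", 1)[1] if "\r\n" in head else ""

def matches(pattern, raw):
    """Apply a signature pattern to the headers. Python re stands in for PAN-OS pattern syntax."""
    return re.search(pattern, req_headers(raw)) is not None

# Hypothetical stand-in for the firewall's built-in, more specific App-IDs.
KNOWN_APPS = {"www.youtube.com": "youtube", "www.facebook.com": "facebook"}

def classify(raw, pattern, continue_scanning):
    """Model what the session is reported as, with or without
    'Continue scanning for other applications' set on the custom app."""
    host = re.search(r"^Host:\s*(\S+)", req_headers(raw), re.M)
    specific = KNOWN_APPS.get(host.group(1)) if host else None
    if not matches(pattern, raw):
        return specific or "web-browsing"      # custom signature never fired
    if continue_scanning and specific:
        return specific                        # YouTube stays YouTube
    return "sh_browser_type"                   # generic browsing (or no continue) shows as IE7

if __name__ == "__main__":
    for name, raw in SESSIONS.items():
        print(name, matches(r"MSIE 7/.", raw), matches(r"MSIE 7\.0", raw),
              classify(raw, r"MSIE 7\.0", True))
```

The User-Agent header is supplied by the client, so, as Mike notes, this identifies traffic that claims to be IE7 rather than proving it.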
