How to Block Google Chrome

Printer Friendly Page


This document describes how to block Google Chrome on a Palo Alto Networks device.


Note: For this process to work for HTTPS sites, SSL decryption needs to be configured. To configure SSL decryption, see How to Implement SSL Decryption.

  1. From the Objects tab, navigate to Applications and select "Add":
  2. In the Application window, fill out the required categories. These are: Name, Category, Subcategory, and Technology. Choosing a Parent App and Risk is not required. An example is shown below:
  3. On the Signature tab, enter a name for the signature and (optionally) a comment for the signature.
  4. Select "Transaction" for the scope.
  5. Add an OR condition with the following settings and select OK:
    •     Operator:    Pattern Match
    •     Context:     http-req-headers
    •     Pattern:      Chrome/
  6. Press OK again and commit your change.

Security policies can now reference the custom application. Once a security policy is added to block the custom application, "Chrome", new sessions will be blocked.

owner: cstancill


In my opinion this document should be amended. Unless I am incorrect, the unique header value should be "Chrome/" (not "chrome/3" or "AppleWebKit") because newer versions of Chrome may have different number after the slash. Testing I am doing shows the header using Chrome/29.0.1547.65. We all know these numbers change. I tested this approach and it seems to work. When I add a deny rule referencing the custom app, the Chrome browser just spins. The PCAP screenshot is from the firewall and indicates that the three way handshake is not permitted to complete. This was tested on both OSX 10.8.4 and Windows 7. I worry about using AppWebKit as a qualifier because I don't know what else might be using it.


Thank you for bringing this to our attention.

We will verify this behavior using the pattern match similar to yours and update the document with necessary changes if applicable

However, if you want to understand pros and cons of using your customized application signatures, you might want to post your concern in Devcenter community where experts in software scripting,API and custom signatures are there to answer your questions.



Is there a possibility for a NOT match condition in the custom app?


Because the problem is that this signature also matches Microsoft Edge.

Default User Agent string of Google Chrome:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36


Default User Agent string of Microsoft Edge:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586

Good day friends,

Here i want to block google extensions.

Anyone help me for that.




We all know about the various issues arises while using the chrome.  The common issues come while using it are like ERR_SPDY_PROTOCOL, ERR_TOO_MANY_REDIRECTS etc. These errors can't be solved normally. At that time you can visit 

Fix Err Spdy Protocol Error Not Responding for the help.