zenmate application

L3 Networker

zenmate application

Hi,

The zenmate application is available in the PA app list, but it is not blocking the traffic.

I tried using the URL-based approach, but the pcap doesn't show any URL.

I tried to block it through the Client Hello SNI, but no luck...

Please advise how I can block this on the PA.

App name: zenmate (browser-based proxy)

L6 Presenter

Re: zenmate application

If a known App-ID is not working as expected you should definitely open a support case to troubleshoot.

Given that this is an encrypted, evasive VPN/proxy app I'm not sure how effective a custom signature would be.

Benjamin

L7 Applicator

Re: zenmate application

I'm not sure, but it sounds like you might be applying the app-id rule for encrypted traffic without setting up the decryption rule. In order to apply inspected policies on SSL traffic you will need to decrypt the traffic first. As you noted, things like the URL are not visible in the encrypted stream.

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-polic...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L3 Networker

Re: zenmate application

Hi, I have the decryption in place, but when I do a pcap it doesn't show any URL. Is there any way to create a custom app to block zenmate without a URL?

L7 Applicator

Re: zenmate application

Pretty sure the pcaps are not the decrypted internal view; that is why you can't see the URL.

To use the built-in app-id (best option) you need to use the app-id on a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application is hitting that rule.

You can enable decryption and set up a URL blacklist. And the same deal basically applies: decryption must be working and the rule has to be hit by the traffic. But since there is an app-id for this you should work on the first option.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L6 Presenter

Re: zenmate application

If I recall correctly, you will need to use the decryption port mirror feature and stream the packets to a connected device. There you should be able to view decrypted traffic using a tool such as tcpdump or wireshark.

L3 Networker

Re: zenmate application

If I recall correctly, you will need to use the decryption port mirror feature and stream the packets to a connected device. There you should be able to view decrypted traffic using a tool such as tcpdump or wireshark.

"decryption port mirror feature and stream the packets to a connected device" - can you let me know how exactly to do this... this is a VM FW in my lab

L3 Networker

Re: zenmate application

To use the built-in app-id (best option) you need to use the app-id on a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application is hitting that rule.

"you need to use the app-id on a decryption rule" - can you please let me know how I can get this to work?

L7 Applicator

Re: zenmate application

These are the rule instructions. In step 3 you will need to include the app-id for zenmate.

And the rules must be ordered so that this rule is hit before any other rule that the zenmate traffic may match. The policies are processed in order top to bottom, and as soon as the traffic is matched we stop looking at further rules.

Enable logging so that you can verify what traffic is matching which rule.

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-polic...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L3 Networker

Re: zenmate application

Hi,

Thank you for the information, but I have already done the steps and it is not detecting the application.
