Block Wetransfer Upload

Reply
L3 Networker

Block Wetransfer Upload

I was doing a test on allowing wetransfer download, but not allowing upload. Ran into some issues. I have TLS decryption enabled. I have removed the *.wetransfer.com decryption exclusion.

 

My security policy is looking for applications "wetransfer" and "amazon-cloud-drive-uploading". I have a file blocking policy that is set to block upload of any application - any files.

 

If I go to wetransfer.com, I can upload any file that I wish

 

anyone successfully doing this?

L7 Applicator

Re: Block Wetransfer Upload

@ce1028

Do you block connections that cannot be decrypted?

L3 Networker

Re: Block Wetransfer Upload

@vsys_remo no, in this lab, I do not have a decryption profile assigned. It's set to none

L3 Networker

Re: Block Wetransfer Upload

Issue turned out to be related to another issue I had.  However, now I see a bigger problem.

 

I can configure a wetransfer download rule without an issue.  However, creating a rule that ONLY allows upload to wetransfer is proving to be an issue.

 

The only way to get it to work is to create a rule that looks like this:

 

source zone: trust

source user: mydomain\wetransferuploadusers

destination zone: untrust

applications: web-browsing/ssl

Service: TCP/80, TCP/443

 

This is an issue, because this will allow uploads to any site that's allowed, that runs over 80/443, and any internet traffic these specific users do will match this rule.

 

There has to be a better way, just haven't found one yet

L7 Applicator

Re: Block Wetransfer Upload

@ce1028,

So maybe I missed something here, but you aren't actually doing decryption of this traffic at all? You won't be able to block uploads as you can't identify the traffic. Therefore you can't distinguish what is actually happening behind that SSL tunnel and you won't be able to identify amazon-cloud-drive-uploading to properly block this. You could use QoS to drastically slow down any uploads to make it unlikely anyone will actually use it, but you can't block it outright. 

+

L3 Networker

Re: Block Wetransfer Upload

@BPry So, originally, I was decrypting the traffic because I disabled the "*.wetransfer.com" decrypted exception that Palo adds under SSL Decryption Exclusion.

 

With decryption disabled, I'm still able to block wetransfer uploads using a file blocking policy (although small files, like 100k upload even with file blocking on, but that's another issue).

 

What I'm attempting to do now is the opposite. I've already successfully blocked uploads, but now I want to allow uploads for specific users.  The issue is, with decryption on or off, palo only identifies this traffic as web-browsing and ssl.  It does not categorize the upload as amazon-cloud-drive-upload, although it should.

 

There does not seem to be a good way to allow uploads to only wetransfer

 

Update: Just to be clear, I always had TLS Decryption enabled. When I mentioned disabled decryption, I was referring the "SSL Decryption Exclusion"

L3 Networker

Re: Block Wetransfer Upload

@ce1028

 

I have the same issue. Assuming you are in the US.  You can do this as a workaround. Keep your download security policy rule and create an upload security policy rule that looks like this

 

Destination Zone: untrust

Destination Address: wetransfer-us-prod-outgoing.s3.amazonaws.com    (need an address object)

Application: web-browsing, ssl

Service:  TCP_80, TCP_443

 

For EU, use wetransfer-eu-prod-outgoing.s3.amazonaws.com

 

 

L3 Networker

Re: Block Wetransfer Upload

My apologies, I typed this too fast. You don't need an address object.  Create a custom URL category containing the below

 

wetransfer-us-prod-outgoing.s3.amazonaws.com

wetransfer-us-prod-outgoing.s3.amazonaws.com/*

 

Then in the policy rule

 

Destination Zone: untrust

Destination Address: any

Application: web-browsing, ssl

Service: tcp-443

URL Category:  <name of custom URL category>

 

 

 

 

L3 Networker

Re: Block Wetransfer Upload

This worked, thank you.

 

The only problem now is I don't see this traffic in the URL Filtering log. If you specify the custom url category in the security policy rule, does that mean its no longer logged?

L7 Applicator

Re: Block Wetransfer Upload

@ce1028

URL logs are only generated by the URL filtering security profiles. When you add URL categories directly to the security policy, you are able to filter on URLs directly there but without also adding an URL filtering security profile, no URL log is generated. 

So in this case because you already restrict the rule to a custom URL category you could add a Log-All profile and you should see the URL logs.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!