Block websites when using VPN

L1 Bithead

Block websites when using VPN

Some users started to use the SoftEther VPN client in our company, which allows them to bypass our URL Filtering policy. How can we allow them to use the VPN client but still allow or block access to certain websites? We already implemented an SSL decryption rule, but it is not working when they are using SoftEther VPN.

Community Team Member

Re: Block websites when using VPN

Hi @nredaj,

Is decryption working?

How is the traffic identified by the firewall?

Cheers,

-Kiwi.

 
L1 Bithead

Re: Block websites when using VPN

Hi @kiwi,

Decryption is working. Based on monitoring logs, when using the VPN client, all traffic is identified as:

Application: SSL

IP Protocol: TCP

Port: 443

Category: computer-and-internet-info

Community Team Member

Re: Block websites when using VPN

Hi @nredaj,

How is decryption working?

If the application is identified as SSL then decryption isn't working.

Note that in some scenarios decryption is impossible, for example when unsupported protocols or ciphers are used, or with certificate pinning.

Cheers,

-Kiwi.

 
L1 Bithead

Re: Block websites when using VPN


Hi @kiwi,

It says decrypted. The problem is that users need to use SoftEther VPN to access a certain website. But using this VPN client can bypass all our security rules in place. Maybe we can find another way to access the website without using VPN.

 

Thank you very much @kiwi 

Community Team Member

Re: Block websites when using VPN

Hi @nredaj,

You might be hitting this, which could explain why a decrypted session is still showing up as SSL:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle8CAC

Have you checked with support already?

Cheers!

-Kiwi.

L6 Presenter

Re: Block websites when using VPN

Hmm, I think the SSL decryption here will not be as helpful as usual. You will only decrypt the outer wrapper (the actual tunnel); any SSL packets running through the tunnel will not be decrypted, as negotiation for these will have taken place end to end via the tunnel, not the Palo.

L7 Applicator

Re: Block websites when using VPN

@nredaj,

I would agree with @MickBall in this case. Decrypting this traffic isn't going to give you much information and won't allow you to actually perform URL Filtering; this is actually the exact reason VPNs are recommended on untrusted networks: the network operator can't decrypt enough of the traffic to actually see anything useful.
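The pattern the thread converges on (a session the firewall decrypts but can still only identify as generic SSL, because the real applications are negotiated end to end inside the tunnel) is something a defender can hunt for in traffic logs. The following is an added illustration, not code from the thread or from any vendor product: it parses a constructed, simplified CSV modelled on the fields quoted above (application, protocol, port, URL category, decrypted flag) and flags long-lived, high-volume sessions that were decrypted yet never resolved beyond "ssl". The byte and duration thresholds are assumptions to tune per environment, and the log layout is not a real firewall export format.

```python
"""Flag decrypted-but-unidentified SSL sessions that look like a VPN tunnel.

Added illustration for this thread; not from the original posts or from
any firewall vendor's tooling. The CSV layout is constructed and
simplified; real traffic logs have different columns.
"""
import csv
import io

# Constructed sample records: addresses, byte counts and durations are made up.
SAMPLE_LOG = """\
src,dst,app,proto,port,category,decrypted,bytes,duration_s
10.1.1.15,203.0.113.10,ssl,tcp,443,computer-and-internet-info,yes,734221987,5400
10.1.1.22,198.51.100.7,web-browsing,tcp,443,business-and-economy,yes,48211,12
10.1.1.30,192.0.2.44,ssl,tcp,443,computer-and-internet-info,no,9182,3
10.1.1.15,203.0.113.11,ssl,tcp,443,computer-and-internet-info,yes,12033,2
"""


def parse_log(text):
    """Return the CSV records as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_suspected_tunnel(rec, min_bytes=50_000_000, min_duration_s=600):
    """True when a session was decrypted at the firewall but still carried no
    recognisable inner application (app stays 'ssl'), and is long-lived and
    high-volume. That is the shape a TLS-wrapped VPN tunnel produces; the
    thresholds are assumptions, not vendor defaults."""
    return (
        rec["app"] == "ssl"
        and rec["decrypted"] == "yes"
        and int(rec["bytes"]) >= min_bytes
        and int(rec["duration_s"]) >= min_duration_s
    )


def suspected_tunnels(text, **thresholds):
    """Return (src, dst) pairs worth reviewing, in log order."""
    return [
        (rec["src"], rec["dst"])
        for rec in parse_log(text)
        if is_suspected_tunnel(rec, **thresholds)
    ]


if __name__ == "__main__":
    for src, dst in suspected_tunnels(SAMPLE_LOG):
        print(f"review: {src} -> {dst} decrypted but unidentified long-lived ssl session")
```

Short sessions that stay "ssl" are usually just handshakes or pinned apps, so the volume and duration filters keep the list to sessions that merit a look; the point is to surface candidates for review, not to block them automatically.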

L1 Bithead

Re: Block websites when using VPN

I understand that this could be out of Palo Alto's FW scope.

This is a bit frustrating. Configuring a static route on the client side (Windows OS) could have solved this issue, but the website they're accessing goes through a CDN, which causes the IP address to change from time to time. A probable solution may be to work it out with the SoftEther VPN configuration.

Thank you guys for all your inputs.
