I am attempting to block web advertisements on our PA-3020. We have two of these devices which utilize Panorama. We have blocked anything categorized as "web-advertisement" on the firewall, which is great, but a ton of ads are still getting through. What we would like to do is as follows:
Does anyone have any suggestions we can use? For our typical malware blacklisting, the sites just do not resolve and show a "page cannot be displayed" message. This is logged, which is great, but for the web advertisement blocking, our CIO wants it to show an "Ad Blocked" message. This message works for anything classified as "web-advertisement."
Any suggestions would be greatly appreciated.
Solved! Go to Solution.
To the best of my knowledge, if you are using an EBL then you will simply 'deny' the connections from being made. I don't believe that PA has a 'denied' responce page in the context of denying hosts from the network, you can only get that with application response pages.
It might be a better option to look into rolling out ad-blocking via group policy. There are plenty of guides that you can follow and it doesn't take long at all, you also get the added benefit of disabling it when the user wants to access a site that would have otherwise denied access if it couldn't reach it's ad servers.
Thanks for the reply, BPry. I had it configured previously to just block the sites, however, without showing the "ad blocked" message, our CIO wasn't pleased with that. The GPO is managed by our large company, so it would be worth reaching out to them I believe. I appreciate your input very much.
It's a rather blunt method, but depending on how many domains you're populating in the EBL can you just not create your own local DNS poisoning?
Stand up a local internal page with the required block page and for ever domain just put a DNS entry on your network to point hosts to that internal page?
One great way I could think of doing this is to go under Objects, External Dynamic Lists... and create a new Dynamic Domain Lists via Add and selecting Type = Domain List. No doubt, you put the URL and the frequency it updates.
Next to enable it...
Security Profiles, Anti-Spyware, and open the DNS Signatures tab.
In there, you can apply an External Dynamic LIst Domains... I personally recommend "singhole"
Now it is just a matter of going to your policy that lets your Internet traffic go out and changing the profile to that Anti Spyware profile. Personally, I would recommend doing a Security Profile Group, so you can have consistency.throughout all of your Policies that do filtering via some preconfigured templates that you make.
Another option is to create a URL Block List... Same as aboe only you apply it to the URL Filtering under Security Profile. It basically shows up with a little "+" next to it. Naturally, you would need to change it in your active URL policy to an action of "Block"
Another way is to create an IP block list... Again it is in the External Dynamic Lists.
You would generally apply these via a security policy before your Internet policy. Might make a policy that says something like your normal Inside TO Outside (Destination Address Dynamic IP List YOURBLOCKLIST) ... DENY
Then it ends up in the firewall logs with that rule showing it dropped if the IP address is in the list.
No doubt, you could also use hte "Destination Negate" option in your Internet Out rule and simply only ALLOW Internet traffic that doesn't match an IP on a Dynamic IP List.
Hope that helps... there is a TON of flexibility with the Palo Alto to block ads.
It depends on which list-type you use what your block page will look like.
For example, blocking IPs more or less simply show up in the log. If you do this, you want to reset-client or reset-both... otherwise the browser will just hang a while before timing out its TCP session, but you don't really get a block message.
If you are doing a Domain Block, that will give you your Antivirus / Anti-Spyware Block Page...
If you are doing an Extra Dynamic List on the URL Filtering, which is what you most likely want to do then it would use your normal URL Filtering block page.
Check this one out: https://pgl.yoyo.org/as
EDL as a Domain list:
EDL as an URL list:
I tried the EDL with the follwoing link :
but this list dosen`t have starts for domains like " *.hostname.com" , I tried another list that have *.xyz.com but it didn`t work
it give me that the EDL is not vaild.
Is the EDL supports Starts ( ex:*.xyz.com) ??
any suggestions ?
I am using Paloalto 7.1, I added the same EDL but with Plaintext and it works well
This the list that I used , it contains *.xyz.com
List format requirements
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!