Browser User-Agent string detection/blocking/logging?


Hello,

Is it possible for the Palo Alto to natively identify, detect, block and/or log the browser user-agent information if the application is "web-browsing"?

Thanks,

-Paul


Hi Paul,

We are not able to detect the User-Agent string. What you can do is make a definition to search for specific user-agents. See this post:

https://live.paloaltonetworks.com/docs/DOC-1503

Marcel

Thanks. Would it be possible to add this as a feature request? Should be able to identify, log, report and block based on user-agent string for relevant applications.

For those who care, http://www.useragentstring.com/pages/All/ contains a decent list of UA strings. Notice that there are a lot of customised versions of IE out there. It is also possible to create custom App-IDs to recognise different browsers, although I doubt this would be a good strategy (you care more about the content than the accessor).

Hi All,

I have created a custom application to detect Firefox as an app; this seems to be working well, as it is detecting it in the traffic logs.

We have a requirement to block Firefox as it enables the users to bypass the proxy setting set in the GPO in AD.

The problem:

I have a test rule to block Firefox at the top of my policy set, but it seems to only be active on news-media categorized web sites like bbe, cnn, etc.

When browsing to Google or any other site, it hits my general access rule at the bottom of my policy list.

Any ideas? Have I created the app incorrectly?

See attached appid.

Many Thanks

Marc

Hi Marc,

Looks OK.

Did you try looking at a PCAP and seeing if the User-Agent is indeed there in the format entered in the custom app signature? Or there is an extension to Firefox called Live Headers that should give this info.

Thanks

James
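
One way to run the check James describes, as an added example that is not part of the original thread: it pulls the User-Agent out of each request in an exported TCP stream and tests it against the signature pattern. The sample stream, the hostnames and the `Firefox/` pattern are constructed assumptions; substitute the pattern from your own custom app.

```python
import re

# Constructed sample: three body-less HTTP requests as exported from one TCP stream.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\n"
    b"Host: news.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\n"
    b"Accept: */*\r\n\r\n"
    b"GET /search HTTP/1.1\r\n"
    b"Host: search.example\r\n"
    b"user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n"
    b"GET /ping HTTP/1.1\r\n"
    b"Host: api.example\r\n\r\n"
)

# Assumed pattern; replace with the one entered in your custom app signature.
SIGNATURE = rb"Firefox/"


def split_requests(stream):
    """Split a stream of body-less requests into their header blocks."""
    return [blk for blk in stream.split(b"\r\n\r\n") if blk.strip()]


def user_agent(block):
    """Return the User-Agent value, or None. Header names are case-insensitive."""
    for line in block.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def check_stream(stream, pattern=SIGNATURE):
    """Return (request line, User-Agent or None, pattern matched) per request."""
    results = []
    for block in split_requests(stream):
        request_line = block.split(b"\r\n", 1)[0].decode("latin-1")
        ua = user_agent(block)
        matched = ua is not None and re.search(pattern, ua) is not None
        ua_text = ua.decode("latin-1") if ua is not None else None
        results.append((request_line, ua_text, matched))
    return results


if __name__ == "__main__":
    for req, ua, hit in check_stream(SAMPLE_STREAM):
        print(f"{'MATCH' if hit else 'no match':8}  {req}  UA={ua!r}")
```

Requests with no User-Agent header or with a differently formatted one show up as `no match`, which is the case to look for when a rule only fires on some sites.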

Hi James,

Live Headers is what I am using to get the detail from. I'll need to investigate this a little further, as it is only news-media categories being blocked and yet I have no URL filtering enabled for those rules to block URLs.

Cheers

Marc


It would also be possible to define this as a custom threat id, which may be a better model, as you consider the software a threat. It would log more clearly. To my mind the App-ID is a protocol recognition engine, even though it does support some well known web sites (to which site-specific protocols are inextricably linked).

FF users can obscure their User-Agent string, so it would be worth watching for hits on the addons.mozilla.org site.

Thanks for the help,

I'll give it a go, as I already see that the ACC is reporting Firefox, which is a bit misleading.

Regards

Marc

How did you input this into the firewall or panorama?
