Browser User-Agent string detection/blocking/logging?

Not applicable


Hello,

Is it possible for the Palo Alto to natively identify, detect, block and/or log the browser user-agent information if the application is "web-browsing"?

Thanks,

-Paul

L4 Transporter

Re: Browser User-Agent string detection/blocking/logging?

Hi Paul,

We are not able to detect the User-agent string. What you can do is make a definition to search for specific user-agents. See this post:

https://live.paloaltonetworks.com/docs/DOC-1503

Marcel

Not applicable

Re: Browser User-Agent string detection/blocking/logging?

Thanks. Would it be possible to add this as a feature request? Should be able to identify, log, report and block based on user-agent string for relevant applications.

RNC
Not applicable

Re: Browser User-Agent string detection/blocking/logging?

For those who care, http://www.useragentstring.com/pages/All/ contains a decent list of UA strings. Notice that there are a lot of customised versions of IE out there. It is also possible to create custom app-id's to recognise different browsers, although I doubt this would be a good strategy (you care more about the content than the accessor).

L0 Member

Re: Browser User-Agent string detection/blocking/logging?

Hi All,

I have created a custom application to detect Firefox as an app; this seems to be working well as it is detecting it in the traffic logs.

We have a requirement to block Firefox as it enables the users to bypass the proxy setting set in the GPO in AD.

The problem:

I have a test rule to block Firefox at the top of my policy set but it seems to only be active on news-media categorized web sites like BBC, CNN, etc.

When browsing to Google or any other site it hits my general access rule at the bottom of my policy list.

Any ideas? Have I created the app incorrectly?

See attached appid.

Many Thanks

Marc

L4 Transporter

Re: Browser User-Agent string detection/blocking/logging?

Hi Marc,

Looks OK.

Did you try looking at a PCAP and seeing if the User Agent is indeed there in the format entered in the custom app signature? Or there is an extension to Firefox called Live Headers that should give this info.

Thanks

James
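The check James describes, as an added example that is not part of the original thread: extract the User-Agent header from raw HTTP requests and test a candidate pattern against it. The sample requests are constructed, and the pattern is an ordinary Python regular expression standing in for the signature text, not PAN-OS signature syntax.

```python
import re

# Constructed sample requests (not taken from the thread's traffic).
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\n"
    b"Accept: */*\r\n\r\n",
    b"GET /news HTTP/1.1\r\nHost: news.example.org\r\n"
    b"user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n",
    b"GET /x HTTP/1.1\r\nHost: a.example.net\r\n\r\n",  # no User-Agent at all
]


def user_agent(raw: bytes):
    """Return the User-Agent value of one raw HTTP request, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")   # split at the first colon only
        if sep and name.strip().lower() == "user-agent":  # header names are case-insensitive
            return value.strip()
    return None


def check_signature(pattern: str, requests):
    """Return a list of (user_agent, matched) pairs for a candidate pattern."""
    rx = re.compile(pattern)
    results = []
    for raw in requests:
        ua = user_agent(raw)
        results.append((ua, bool(ua and rx.search(ua))))
    return results


if __name__ == "__main__":
    # "Firefox/<digit>" is specific to Firefox; "Mozilla/" is sent by most browsers,
    # so a pattern anchored on it would match far more than intended.
    for pattern in (r"Firefox/\d", r"Mozilla/"):
        print(pattern)
        for ua, matched in check_signature(pattern, SAMPLE_REQUESTS):
            print("   ", "MATCH" if matched else "miss ", ua)
```

A request with no User-Agent header, or one where the client has changed the string, will not match either pattern, which is the limitation raised later in the thread.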

L0 Member

Re: Browser User-Agent string detection/blocking/logging?

Hi James,

Live Headers is what I am using to get the detail from. I'll need to investigate this a little further, as it is only news-media categories being blocked and yet I have no URL filtering enabled for those rules to block URLs.

Cheers

Marc

RNC
Not applicable

Re: Browser User-Agent string detection/blocking/logging?

It would also be possible to define this as a custom threat id, which may be a better model, as you consider the software a threat. It would log more clearly. To my mind the App-ID is a protocol recognition engine, even though it does support some well known web sites (to which site-specific protocols are inextricably linked).

FF users can obscure their User-Agent string, so it would be worth watching for hits on the addons.mozilla.org site.

L0 Member

Re: Browser User-Agent string detection/blocking/logging?

Thanks for the help,

I'll give it a go as I already see that the ACC is reporting Firefox, which is a bit misleading.

Regards

Marc
