How do we config a basic setup for guest wifi app blocking

Not applicable

We are relatively new to Palo Alto detailed configs, although we have used URL filtering, AV filtering, etc. for some time. We want to start doing a better job blocking at the application level on our guest wifi, especially in the areas of peer-to-peer, etc. Are there some basic guidelines or configuration guides on how to get started? Baseline, I suppose.

L4 Transporter

Re: How do we config a basic setup for guest wifi app blocking

it@watermark.org

We are relatively new to Palo Alto detailed configs, although we have used URL filtering, AV filtering, etc. for some time. We want to start doing a better job blocking at the application level on our guest wifi, especially in the areas of peer-to-peer, etc. Are there some basic guidelines or configuration guides on how to get started? Baseline, I suppose.

How is your guest WiFi configured?

I have mine on a separate DMZ off the PA, and it's a simple matter to do a WiFi zone to Internet zone restriction in both applications (web-browsing, SSL and DNS only) and rate limiting (QoS limited to 2 megabits per second absolute outbound).

If your guest WiFi is intermixed with your normal network, how do you authenticate/allow access to it? Does the "guest" segment have a specific IP range associated with it, or is it just jumbled with your normal network?

Not applicable

Re: How do we config a basic setup for guest wifi app blocking

Guest WiFi is done via Aruba Networks, so all traffic is run through the controller. In the past we have used the stateful firewall, which we can configure separately for each SSID, and that works fine... but since we are separating our guest wifi into a separate IP range, we use the Palo Alto to configure different filtering rules, antivirus policies, etc. for the traffic running on that IP range (i.e. the guest wifi traffic).

This works very well...

What I was specifically asking about is this. Right now, we are using the Aruba firewall to do port blocking on the guest wifi to limit certain applications. This is obviously difficult and inefficient. What we would LIKE to do is the following.

Take all traffic traveling over the guest wifi network and apply application filtering (just like we already do for url filtering, antivirus, etc)

The question... what is the best way to provide application filtering to this traffic?

Set up a rule that blocks each application individually? Set up a rule with several applications in it as blocked? Is there a better way to filter (block all peer-to-peer, for example) without having to set up each and every application individually?

L2 Linker

Re: How do we config a basic setup for guest wifi app blocking

Yes, use filters based on the application sub-category. That will also take care of new apps that are defined in the future without having to update your rules. Go to Objects/Application Filters, and create filters for the types of apps you want to restrict (for example, file-sharing or instant-messaging), and then use those filters in your rules instead of individual apps. If there are individual apps that you want to allow in a category that you want to block, write a rule for the individual allowed apps that comes before the rule for the blocked categories.

L4 Transporter

Re: How do we config a basic setup for guest wifi app blocking

it@watermark.org

The question... what is the best way to provide application filtering to this traffic?

Set up a rule that blocks each application individually? Set up a rule with several applications in it as blocked? Is there a better way to filter (block all peer-to-peer, for example) without having to set up each and every application individually?

I'd go an application group.

From the "Objects" tab, select "Application groups" and create one - call it something obvious like "Guest_Wireless_Allowed" or something, then add all the apps you want the guests to be able to use.

Apply it to your zones (source wireless, destination internet (or inside)) with an ALLOW (don't forget the "application-default" setting for your "services" section), then apply another rule with a deny for everything else.

It's easier to specify allowed applications than to allow everything and deny what you don't want - with new applications appearing all the time, allowing only those ones you know you want to go out is way better - that way, any new sneaky application is denied and people can ask for it to be let through - much easier to manage/know what is happening that way!

Cheers.
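As an added worked example (not from either reply above), here are both approaches from this thread, the sub-category application filter and the allow-list application group, written as PAN-OS configuration-mode set commands. The zone names Guest_WiFi and Internet, all object and rule names, the placeholder <allowed-app>, and the PAN-OS 8.1+ `members` keyword for application groups are assumptions; check the syntax against your own PAN-OS version.

```text
# Approach A (allow-list, as described in the post above):
# one application group of what guests may use, allowed with
# application-default ports, followed by a deny for everything else.
set application-group Guest_Wireless_Allowed members [ web-browsing ssl dns ]

set rulebase security rules Guest_Allow_Core from Guest_WiFi to Internet source any destination any source-user any application Guest_Wireless_Allowed service application-default action allow log-end yes
set rulebase security rules Guest_Deny_Rest from Guest_WiFi to Internet source any destination any source-user any application any service any action deny log-end yes

# Approach B (block by sub-category, as in the earlier reply):
# an application filter matches every current AND future App-ID
# in those sub-categories, so no rule edit is needed for new apps.
set application-filter Guest_Blocked_Categories subcategory [ file-sharing instant-messaging ]

# Exceptions for individual apps you still want must sit ABOVE the
# category block rule, because security policy is first-match.
set rulebase security rules Guest_Allow_Exceptions from Guest_WiFi to Internet source any destination any source-user any application <allowed-app> service application-default action allow log-end yes
set rulebase security rules Guest_Block_P2P from Guest_WiFi to Internet source any destination any source-user any application Guest_Blocked_Categories service any action deny log-end yes
move rulebase security rules Guest_Allow_Exceptions before Guest_Block_P2P

commit
```

Pick one approach per zone pair rather than stacking both: with Approach A the deny-rest rule already covers file-sharing, so the category filter is only needed if you keep a broader allow rule in place.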

Not applicable

Re: How do we config a basic setup for guest wifi app blocking

Off topic: how is your connection from your controller to your PAN setup, is it in vwire or tap mode and is all wireless traffic being inspected?

L2 Linker

Re: How do we config a basic setup for guest wifi app blocking

This answered my question on how to block a specific sub-category, thanks!
