Question about outbound hostname restrictions

L1 Bithead

Question about outbound hostname restrictions

I'm familiar with user-based restrictions to outbound resources, such as youtube, but is it possible with, say, a regex expression, to block access to a site like youtube through a list of machines that include a name like kiosk, as in cakiosk01, cokiosk02, flakiosk03, etc.?

L7 Applicator

Re: Question about outbound hostname restrictions

Hello,

In the past what I have done is put the kiosks/guest machines onto their own VLAN and then write the policy around the source IPs.

Regards,

L7 Applicator

Re: Question about outbound hostname restrictions

@murphyca,

Not something that you could do on the box. The VLAN option that @Otakar.Klier presented is a good option. Otherwise you could simply collect the DHCP logs and look at which IP the machines are grabbing and add them as an address-object with a given tag; this tag could then be used to build out a dynamic address-group. Doing this programmatically would likely be best.

As an example:

Schedule some sort of scripting language like Python to scour the DHCP logs for the machine name. Once the machine name is found, grab the IP from the log and use that value to update the address object with the recorded IP through the API. Then you just need to schedule the script to pull the DHCP logs every once in a while to keep everything updated.

L7 Applicator

Re: Question about outbound hostname restrictions

Do you mean to block from a specific source by client hostname? The client's hostname is never sent as part of their HTTP request, so there would be nothing to trigger on there.

I'd recommend setting up user-id so that you have the username logged into the kiosks and can simply apply a URL filtering policy. 

If you're going TO a site with the name "kiosk" in the host header, you can set up a custom vulnerability or spyware signature using the host header as the context and a regex of "..kiosk0.+" (not tested) that could trigger for you.

L7 Applicator

Re: Question about outbound hostname restrictions

@murphyca What you are actually asking for is - as already mentioned - not possible. But depending on the configuration of your network and these computers there are some ways for this:

  • DHCP Reservations so that these computers always get the same IPs and you then could create address objects for
  • Separate VLAN for these computers as written by @Otakar.Klier (probably a good idea anyway to separate these computers from the rest of your network)
  • Configure a default user that is logged in automatically, so you will be able to write user-based rules (as mentioned by @gwesson)
  • Parse the DHCP logs to create dynamic address groups which you can use as source in your policy (as proposed by @BPry)
  • Use FQDN address objects which the firewall will update according to the TTL of the DNS entry
  • Configure the computers' browsers to use custom user agent strings and create a custom application that matches on this user agent string

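
A worked version of the DHCP-log approach that @BPry describes above and that this list repeats, added here as an example rather than code from the thread: it parses constructed ISC dhcpd-style DHCPACK lines, keeps only leases whose client hostname matches the kiosk naming pattern from the question, drops an IP once it is re-leased to a non-kiosk host, and builds the XML body for the PAN-OS XML API's user-id tag registration that feeds a dynamic address group. The log format, the kiosk regex and the tag name `kiosk` are assumptions; check the payload shape against the API reference for your PAN-OS version.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample lines in ISC dhcpd syslog format (not real log data).
SAMPLE_DHCP_LOG = """\
Jun  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (cakiosk01) via eth0
Jun  3 08:01:40 dhcp1 dhcpd: DHCPACK on 10.20.1.16 to 00:11:22:33:44:66 (fin-laptop07) via eth0
Jun  3 08:02:05 dhcp1 dhcpd: DHCPACK on 10.30.2.9 to 00:11:22:33:44:77 (cokiosk02) via eth1
Jun  3 08:05:00 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (cakiosk01) via eth0
Jun  3 08:06:30 dhcp1 dhcpd: DHCPACK on 10.40.3.21 to 00:11:22:33:44:88 (flakiosk03) via eth2
Jun  3 09:10:02 dhcp1 dhcpd: DHCPACK on 10.30.2.9 to 00:11:22:33:44:99 (hr-desk12) via eth1
Jun  3 09:11:47 dhcp1 dhcpd: DHCPACK on 10.30.2.10 to 00:11:22:33:44:77 (cokiosk02) via eth1
"""

# DHCPACK lines carry the leased IP and, in parentheses, the client-supplied hostname.
ACK_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to \S+ \((?P<host>[^)]+)\)")
# Assumed naming pattern for the kiosks in the question: cakiosk01, cokiosk02, flakiosk03 ...
KIOSK_RE = re.compile(r"^[a-z]+kiosk\d+$", re.IGNORECASE)

def kiosk_leases(log_text: str) -> dict:
    """Return {ip: hostname} for the current kiosk leases seen in the log.
    Lines are processed in order, so a later DHCPACK for the same IP wins."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, host = m.group("ip"), m.group("host")
        if KIOSK_RE.match(host):
            leases[ip] = host
        else:
            # IP re-leased to a non-kiosk host: drop the stale kiosk mapping
            leases.pop(ip, None)
    return leases

def register_tag_xml(ips, tag: str = "kiosk") -> str:
    """Build the <uid-message> body sent as the 'cmd' parameter of a PAN-OS XML API
    call with type=user-id; tagged IPs populate a dynamic address group matching 'tag'."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in sorted(ips):
        entry = ET.SubElement(register, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")
```

Running `register_tag_xml(kiosk_leases(log))` on a schedule, and unregistering IPs that have dropped out of the result since the previous run, keeps the tag (and so the dynamic address group used as the policy source) in step with the leases.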
L1 Bithead

Re: Question about outbound hostname restrictions

The challenge is over 400 remote locations feeding through corporate. The architecture would be difficult to change from that perspective. Possible, but difficult.

L1 Bithead

Re: Question about outbound hostname restrictions

In speaking to PAN support, looks like we'd have to do a reverse DNS lookup for the internal hosts, which may be resource intensive. I will explore the idea of scraping the DHCP configuration though. That should be less resource intensive. The client state will be difficult to change at the moment. May be worth investigating though down the road as an alternative roadmap.

L7 Applicator

Re: Question about outbound hostname restrictions

Hello,

One other thing I have done in the past is, kind of, to use user-id and have those kiosks and desk users excluded. What I mean is create a web browsing policy and select the source user as /domain-users; this way all domain users get the less restrictive policy. Then a second policy after that one for everything else, and have a more restrictive policy. So if a user just sees a kiosk and opens the browser, they get the more restrictive policy since that IP is not mapped to a user-id.

Hope that makes sense.
