How to filter browsertype based requests


L1 Bithead

Hello (we need support 🙂 ),

We want to filter all outbound HTTP traffic on our PA 500 by User-Agent type.

By way of explanation: we want to know (and later block) all users who are using MSIE 7.0 (for example) for outgoing browsing.

We have the following ideas, but so far no success with the implementation.

1) Using DataFiltering on a global outbound web-browsing policy

Using a Data Pattern with .*(compatible; MSIE)

This obviously does not work.

2) Using a self-created Application

with same pattern

This obviously does not work.

<response status="success" code="19">
      <result total-count="1" count="1">
        <entry name="sh_browser_type">
          <category admin="zieglerj" time="2010/01/20 15:38:15">media</category>
          <subcategory admin="zieglerj" time="2010/01/20 15:38:15">photo-video</subcategory>
          <technology admin="zieglerj" time="2010/01/20 15:38:15">browser-based</technology>
          <risk admin="zieglerj" time="2010/01/20 15:38:15">5</risk>
          <consume-big-bandwidth admin="zieglerj" time="2010/01/20 15:38:15">no</consume-big-bandwidth>
          <able-to-transfer-file admin="zieglerj" time="2010/01/20 15:38:15">no</able-to-transfer-file>
          <used-by-malware admin="zieglerj" time="2010/01/20 15:38:15">no</used-by-malware>
          <evasive-behavior admin="zieglerj" time="2010/01/20 15:38:15">no</evasive-behavior>
          <has-known-vulnerability admin="zieglerj" time="2010/01/20 15:38:15">no</has-known-vulnerability>
          <pervasive-use admin="zieglerj" time="2010/01/20 15:38:15">no</pervasive-use>
          <prone-to-misuse admin="zieglerj" time="2010/01/20 15:38:15">no</prone-to-misuse>
          <tunnel-applications admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-applications>
          <tunnel-other-application admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-other-application>
          <data-ident admin="zieglerj" time="2010/01/20 15:38:15">no</data-ident>
          <virus-ident admin="zieglerj" time="2010/01/20 15:38:15">no</virus-ident>
          <file-type-ident admin="zieglerj" time="2010/01/20 15:38:15">no</file-type-ident>
          <spyware-ident admin="zieglerj" time="2010/01/20 15:38:15">no</spyware-ident>
          <decoder admin="zieglerj" time="2010/01/20 15:38:15">http</decoder>
              <member admin="zieglerj" time="2010/01/20 15:38:15">tcp/dynamic</member>
            <entry name="User_Agent_IE">
              <comment admin="zieglerj" time="2010/01/20 15:38:15">Identifies the User-Agent of MSIE 7.0</comment>
              <order-free admin="zieglerj" time="2010/01/20 15:38:15">yes</order-free>
              <scope admin="zieglerj" time="2010/01/20 15:38:15">protocol-data-unit</scope>
                <entry name="AND 1">
                    <entry name="OR 1">
                      <context admin="zieglerj" time="2010/01/20 15:38:15">http-req-headers</context>
                      <method admin="zieglerj" time="2010/01/20 15:38:15"/>
                      <pattern admin="zieglerj" time="2010/01/20 15:38:15">MSIE 7/.</pattern>


L5 Sessionator

Hi Smartboy,

The second option is probably your best bet with the custom app. Support has requested that you open a case with them so that they can work with you to create it.

L4 Transporter

Your App-ID looks good except for a few things. Your pattern is really close but should be "MSIE 7\.0". With no other changes, this should start identifying traffic from IE7 (or at least traffic that claims to be IE7).

Once you get the signature working, you will likely run into another issue. It looks like you did not check the "Continue scanning for other applications" checkbox. This is fine if your intent is to block IE7, but if you want to allow IE7, this will turn all browsing traffic into IE7 for those users. This means you will not see what other web-based applications they are running. If you are just interested in knowing who is running IE7, then you could check that box and then the system would continue scanning for other applications. With this approach, only the traffic that is generic web-browsing would get classified as IE7 since no other more specific app would be found. YouTube would continue to show up as YouTube and Facebook would continue to show up as Facebook. However, if you did an ACC filter on IE7, you will be nearly guaranteed to have at least one session from each IE7 user that was generic web-browsing (now showing up as IE7), allowing you to know who is running it without losing visibility into more detailed app info.

Let us know if this works.
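The pattern correction discussed above, as an added example that is not part of the original posts: it runs the posted pattern and the corrected one over constructed HTTP request headers and lists which source addresses claim to be IE7. Python's `re` module stands in for the firewall's pattern matcher here (an assumption; the two engines have different rules), and the addresses, hosts and function names are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (source IP, raw HTTP request header block). Not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.11", "GET / HTTP/1.1\r\nHost: example.com\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n"),
    ("10.0.0.12", "GET / HTTP/1.1\r\nHost: example.com\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n"),
    ("10.0.0.13", "GET /a HTTP/1.1\r\nHost: example.com\r\n"
                  "user-agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6\r\n\r\n"),
    ("10.0.0.11", "GET /b HTTP/1.1\r\nHost: example.org\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n"),
    ("10.0.0.14", "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # no User-Agent at all
]

POSTED_PATTERN = r"MSIE 7/."      # as posted: requires a literal "/" after the 7
CORRECTED_PATTERN = r"MSIE 7\.0"  # as suggested in the reply: escaped dot, then 0


def user_agent(raw_headers):
    """Return the User-Agent value from a raw header block, or None if absent."""
    for line in raw_headers.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # header names are case-insensitive
            return value.strip()
    return None


def clients_matching(pattern, requests=SAMPLE_REQUESTS):
    """Map source IP -> number of requests whose User-Agent matches pattern."""
    rx = re.compile(pattern)
    hits = defaultdict(int)
    for src, raw in requests:
        ua = user_agent(raw)
        if ua is not None and rx.search(ua):
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("posted   :", clients_matching(POSTED_PATTERN))
    print("corrected:", clients_matching(CORRECTED_PATTERN))
```

The User-Agent header is supplied by the client, so the result lists clients that claim to be IE7, which is the caveat the reply raises.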


Hi, thanks for the response.

I will open a case.

Thanks Mike for this "short" answer.

I will try this out as soon as possible and let you know the result.

