Restrict the user agent on Palo Alto firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Restrict the user agent on Palo Alto firewall

L0 Member

Hi All

  We have a requirement to restrict the user agent through palo alto firewall.For example allow web-browsing only from internet explorer 10 and not from any other version of IE or from any other browser like firefox or google chrome.Kindly advise this is possible and how

Regards

Anvar

4 REPLIES 4

L5 Sessionator

Hi injazat-soc

Did you go through this document: How to Block Google Chrome

Look for the user-agent for IE 10 requests and allow that application only.

Hope it helps!

L4 Transporter

injazat-soc,

We currently do not have any defined applications for Internet Explorer, Google Chrome or Firefox.  I have seen it setup where Google Chrome can be blocked, due to a custom signature that you can create, as mentioned above by @bat.

We could make a rule to allow Internet Explorer only, once we create a signature that will trigger the rule, yet we would also have to create another 'deny' rule to block every other browser.  So to accomplish this, we are looking at creating a signature for almost every browser you can think of, in order to allow traffic only to Internet Explorer. To go a step further, we would have to determine how to create a signature that could differentiate between browser version, which may not be viable.

The firewall is unaware of the browser the user will be browsing the internet with. It only knows that it is passing traffic on port 80, or 443.

Hope this clarified a few things.

Thanks!

Please do not forget to mark any 'helpful' or 'correct' answers.

The pattern for chrome used says only "Pattern:      Chrome/"

We try to do the same but for internet explorer.

We want to allow Chrome but not Internet Explorer.

What "Pattern: " should we use ? 

Should we be looking at user-agent ? 

 

Hi Mariusz,

 

yes, you should be looking at user agent strings. You have a pretty good list here to start with: http://useragentstring.com/pages/useragentstring.php

 

You don't need to block "all" browsers, just those that might be installed onto your systems, right? If that is corporate or whatever domained environment, you need to block several versions of IE explorer that preceed IE10, so you need to add five-six "OR" rules to a first example like that one with Chrome, and your agent lists need to have at least 7 characters. You can do that with blocking separately "MSIE\ 6\.", than "MSIE\ 5.", whatever - 7, 8, 4, 3 2. You have 7 characters there, "MSIE 6." but you are escaping blank space and dot with backspace.

 

Edit: I just re-read your last question 🙂

If you want to block just IE, you can do that with "atible;\ MSIE" - will do the trick to catch (m)any versions of IE. If not, see what you have and play with it.

 

You have somewhat technical document here: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5... that describes all your possibilities for matching (you are specifically matching here a "http-req-headers" that is described in that document) and at the end of the document you can find an explanation on regular expressions that are used for pattern-match.

 

Best regards

 

Luciano

  • 7324 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!