zenmate application

L3 Networker

hi

The zenmate application is available in the PA App-ID list but it is not blocking the traffic.

Tried using the URL-based block, but the pcap doesn't show any URL.

Tried to block through the client hello SNI but no luck...

Please advise how I can block this on the PA.

app name - zenmate - browser based proxy

10 REPLIES

L6 Presenter

If a known App-ID is not working as expected you should definitely open a support case to troubleshoot.

 

Given that this is an encrypted, evasive VPN/proxy app I'm not sure how effective a custom signature would be. 

 

Benjamin

L7 Applicator

I'm not sure, but it sounds like you might be applying the App-ID rule to encrypted traffic without setting up the decryption rule. In order to apply inspection policies to SSL traffic you will need to decrypt the traffic first. As you noted, things like the URL are not visible in the encrypted stream.

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-polic...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi, I have the decryption in place, but when I do a pcap it doesn't show any URL. Is there any way to create a custom app to block zenmate without the URL?

Pretty sure the pcaps are not the decrypted internal view; that is why you can't see the URL.

 

To use the built-in App-ID (best option) you need to use the App-ID with a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application is hitting that rule.

 

You can enable decryption and set up a URL blacklist. The same deal basically applies: decryption must be working and the rule has to be hit by the traffic. But since there is an App-ID for this you should work on the first option.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

If I recall correctly, you will need to use the decryption port mirror feature and stream the packets to a connected device. There you should be able to view decrypted traffic using a tool such as tcpdump or wireshark.


"decryption port mirror feature and stream the packets to a connected device" - can you let me know how exactly to do this? This is a VM FW in my lab.

"To use the built-in App-ID (best option) you need to use the App-ID with a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application is hitting that rule."

"you need to use the App-ID with a decryption rule" - can you please let me know how I can get this to work?

These are the rule instructions.  In step 3 you will need to include the app-id for zenmate.

 

And the rules must be ordered so that this rule is hit before any other rule that the zenmate traffic may match.  The policies are processed in order top to bottom and as soon as the traffic is matched we stop looking at further rules.

 

Enable logging so that you can verify what traffic is matching which rule.

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-polic...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
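As an added example (not from the original thread or from Palo Alto Networks documentation), here is what the three points above look like in PAN-OS CLI on a lab VM firewall: a decryption rule so the TLS stream is visible, a security rule that denies the zenmate App-ID placed above the general outbound allow, end-of-session logging on both rules, and the operational commands used to confirm which rule the traffic actually hit. The zone names trust/untrust, the rule names, the placeholder IP addresses and the forward-trust certificate name are assumptions for the lab; the App-ID name zenmate is the one from the thread.

```text
# Assumed lab layout: clients in zone "trust", Internet in zone "untrust",
# a forward-trust CA already imported as "fwd-trust-ca" and pushed to the clients.
# Rule names, zones and addresses are placeholders for this example.

configure

# 1. Decrypt outbound TLS from the client zone so App-ID can inspect the stream.
#    Without this the firewall sees only the TLS handshake, not URLs or app patterns.
set rulebase decryption rules decrypt-outbound from trust to untrust source any destination any service any category any action decrypt type ssl-forward-proxy

# 2. Deny the zenmate App-ID explicitly, with end-of-session logging so the
#    traffic log shows the rule name that matched.
set rulebase security rules block-zenmate from trust to untrust source any destination any application zenmate service application-default action deny log-end yes

# 3. The general outbound allow that zenmate traffic would otherwise match.
set rulebase security rules allow-web from trust to untrust source any destination any application [ web-browsing ssl ] service application-default action allow log-end yes

# 4. Ordering: rules are evaluated top to bottom and the first match wins, so
#    the deny must sit above the allow. "move ... before" fixes the order when
#    the allow rule already existed.
move rulebase security rules block-zenmate before allow-web

commit
exit

# 5. Verification from operational mode (10.0.0.5 / 203.0.113.10 are placeholders):
#    - which rule a zenmate flow would match for these zones and ports
test security-policy-match from trust to untrust source 10.0.0.5 destination 203.0.113.10 protocol 6 destination-port 443 application zenmate
#    - live sessions identified as zenmate; the rule column shows what matched
show session all filter application zenmate
#    - one session in detail (substitute the id); the decryption flags confirm
#      whether ssl-forward-proxy actually applied to it
show session id 12345
#    - newest traffic-log entries first; filter on the application column in the GUI
show log traffic direction equal backward
```

The decryption rule makes the payload visible; the App-ID match itself lives in the security rule, which is why step 2 and the ordering in step 4 matter. If the zenmate sessions still show the allow rule in the traffic log, the decryption rule is not being hit (wrong zones, or the client does not trust the forward-trust CA and the session is failing or being excluded).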

hi

 

Thank you for the information, but I have already done the steps and it is not detecting the application.

 

hi

 

It seems I found the workaround for this.

 

Chrome extension zenmate - once connected to zenmate, a website which is blocked on the FW can be accessed if SSL decryption is not enabled. After zenmate is connected, if SSL decrypt is not enabled the blocked website will work; once you enable SSL decrypt, i.e. SSL forward proxy, it will start blocking the traffic as before, so in this case connecting to the zenmate Chrome extension is of no use.

 

zenmate application - the behaviour of the zenmate app installed on the local system is different from the extension; SSL decrypt cannot block this. The zenmate app is using the IKE application to connect to the proxy server, so we have to block the IKE application in the security policy and it will not allow the connection to be successful. But we have to keep in mind that IKE is being used for IPsec, so if you have an IPsec VPN then it can block the legitimate traffic. So in this case you can select the zone, maybe trust to untrust, i.e. direct Internet, and apply the policy so it will only block the traffic which is going to untrust and not to the IPsec tunnel.
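As an added example (not part of the original post), the zone-scoped policy the reply above describes, in PAN-OS CLI: a rule that permits IKE/ESP only to a known IPsec peer, followed by a deny of the ike application for everything else going from trust to untrust, so a tunnel to a known peer keeps working while the zenmate client's IKE negotiation to an arbitrary proxy server is refused. The zone names, the peer address object, the placeholder addresses and the rule names are assumptions; ipsec-esp is added alongside ike as a belt-and-braces measure.

```text
# Assumed: clients in zone "trust", Internet in zone "untrust", a legitimate
# IPsec peer at 198.51.100.20 (placeholder), and an existing general allow rule
# named "allow-web". Rule and object names are placeholders for this example.

configure

# 1. Address object for the legitimate VPN peer so the deny can carve it out.
set address vpn-peer ip-netmask 198.51.100.20/32

# 2. Permit IKE and ESP only to that peer (must sit above the deny).
set rulebase security rules allow-ike-known-peer from trust to untrust source any destination vpn-peer application [ ike ipsec-esp ] service application-default action allow log-end yes

# 3. Deny IKE (and ESP) to every other destination on the direct Internet path.
#    The zenmate desktop client negotiates IKE to its proxy server, so the
#    tunnel never comes up. Traffic to a VPN zone / tunnel interface is not
#    affected because this rule matches only trust -> untrust.
set rulebase security rules block-ike-to-internet from trust to untrust source any destination any application [ ike ipsec-esp ] service application-default action deny log-end yes

# 4. Order: allow to the known peer, then the deny, then the general allow.
move rulebase security rules allow-ike-known-peer before block-ike-to-internet
move rulebase security rules block-ike-to-internet before allow-web

commit
exit

# 5. Verify (10.0.0.5 / 203.0.113.10 are placeholders):
#    IKE to an unknown server (UDP/500) should report the deny rule ...
test security-policy-match from trust to untrust source 10.0.0.5 destination 203.0.113.10 protocol 17 destination-port 500 application ike
#    ... while IKE to the known peer reports the allow rule.
test security-policy-match from trust to untrust source 10.0.0.5 destination 198.51.100.20 protocol 17 destination-port 500 application ike
#    Live IKE sessions leaving the client zone, with the rule each one hit:
show session all filter from trust to untrust application ike
```

The firewall's own IKE negotiations for its site-to-site tunnels are firewall-originated and are not evaluated against the security rulebase, so the deny only affects IKE crossing the firewall from hosts in the trust zone, which is exactly the zenmate client's traffic. If a legitimate client-side VPN in trust must reach peers other than the one carved out, add those peers to the vpn-peer object rather than widening the deny.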

  • 5157 Views
  • 10 replies
  • 0 Likes