09-14-2017 09:35 AM
hi
zenmate application is available in PA app but it is not blocking the traffic ,
tried using the URL based but pcap doesnt show any URL
tried to block through client hello SNI but no lcuk ....
please advise how i can block this on PA
app name - zenmate - browser based proxy
09-14-2017 10:43 AM
If a known App-ID is not working as expected you should definitely open a support case to troubleshoot.
Given that this is an encrypted, evasive VPN/proxy app I'm not sure how effective a custom signature would be.
Benjamin
09-18-2017 03:13 AM
I"m not sure, but it sounds like you might be applying the app-id rule for encrypted traffic without setting up the decryption rule. In order to apply inspected polcies on ssl traffic you will need to decrypt the the traffic first. As you noted things like the url are not visible in the encrypted stream.
09-27-2017 09:37 AM
hi , i have the decryption in place .. but when i do a pcap it doesnt show any url ., is there any way to create a custom app to block zenmate ?wihout url
09-28-2017 04:14 AM
Pretty sure the pcaps are not the decrypted internal view that is why you can't see the URL.
To use the built in app-id (best option) you need to use the app-id on a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application are hitting that rule.
you can enable decryption and setup a url blacklist. And the same deal basically applies. Decryption must be working and the rule has to be hit by the traffic. But since there is an app-id for this you should work on the first option.
09-28-2017 09:38 AM
If I recall correctly, you will need to use the decryption port mirror feature and stream the packets to a connected device. There you should be able to view decrypted traffic using a tool such as tcpdump or wireshark.
09-28-2017 10:30 AM
If I recall correctly, you will need to use the decryption port mirror feature and stream the packets to a connected device. There you should be able to view decrypted traffic using a tool such as tcpdump or wireshark.
decryption port mirror feature and stream the packets to a connected device. - can let me know how exactly to do this ... this is VM FW in my lAB
09-28-2017 10:34 AM
o use the built in app-id (best option) you need to use the app-id on a decryption rule so that the stream can be fully seen to match the PA patterns. Make sure the decryption is working and that the traffic from the clients to this application are hitting that rule.
you need to use the app-id on a decryption rule - can you please let me know how can i get this work
09-29-2017 02:38 AM
These are the rule instructions. In step 3 you will need to include the app-id for zenmate.
And the rules must be ordered so that this rule is hit before any other rule that the zenmate traffic may match. The policies are processed in order top to bottom and as soon as the traffic is matched we stop looking at further rules.
Enable logging so that you can verfiy what traffic is matching which rule.
10-01-2017 09:08 AM
hi
Thank you for the information ,but i have already done the steps and it is not detecting the application
10-01-2017 10:14 AM
hi
it seems i found out the work around for this
chrome extension zenmate - once the website which is blocked on the FW can be accessible if the ssl decryption is not enabled after connecting the zenmate. after the zenmate is connected and if the ssl decrypt is not enabled the blocked website will work , once you enable the ssl decrypt i.e ssl forward proxy it will start blocking the traffic as before so in this case connecting to zenmate chrome extension is of no use
zenmate application - zenmate installed app on local system behaviour is different as extension , ssl decrypt cannot block this . zenmate app is using IKE application to connect to the proxy server , we have to block the IKE application in the security policy and it will not allow the connection to be successful , but we have to keep in mind that IKE is been used for ipsec so if you have ipsec vpn then it can block the legitimate traffic . so in this case you can select the zone from may be trust to untrust i,e direct internet and apply the policy so it will only block the traffic which is gloing to untrust and not to the ipsec tunnel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
