Allow application facebook before denying application facebook-chat


Cyber Elite

 

Need to block facebook chat and allow Facebook for some user group.

 

I was reading this:

 

Allow application facebook before denying application facebook-chat

 

Does it mean block facebook chat first then allow application facebook?

MP

Help the community: Like helpful comments and mark solutions.

Accepted Solutions

Yes.  To remove confusion, let's see if I can get a picture that demonstrates.

I think this would do what you're wanting to do - let me know if this helps clarify:

 

 

FB-Example.PNG

 

 

That would deny anyone on "inside" from traffic identified as Facebook-Chat, but any other Facebook traffic would be allowed.


4 REPLIES

L2 Linker

I think it will depend on how you're allowing facebook.

https://applipedia.paloaltonetworks.com/

 

If you look for "facebook", that collection encapsulates facebook-chat.  So if you have a rule that allows "facebook", you will allow chat, and if you want to block it, the deny rule needs to be a higher order rule above that.  If you allow "facebook-base", then you can deny facebook-chat in a rule below it.  By default, interzone traffic will be denied unless you have an implicit-allow rule in your policy.

 

One other approach is to look at controlling Facebook by using an Application Filter - Facebook is specifically described as the example:

https://live.paloaltonetworks.com/t5/Community-Blog/What-are-the-recommended-applications-for-intern...
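The rule ordering described in the reply above, as an added example that is not part of the original post and is not PAN-OS code: a simplified first-match model showing why a deny for facebook-chat placed below an allow for the "facebook" container never fires. The rule names, the two-member container list and the helper functions are assumptions made for illustration; the "inside" zone comes from the accepted answer.

```python
# Added example: simplified first-match policy model (not PAN-OS code).
# Container membership is a partial, constructed subset taken from the thread.
CONTAINERS = {"facebook": {"facebook-base", "facebook-chat"}}

def expand(apps):
    """Expand container names into the individual applications they cover."""
    out = set()
    for app in apps:
        out |= CONTAINERS.get(app, {app})
    return out

def evaluate(rules, zone, app, default="deny"):
    """Return (action, rule_name) for the first rule matching zone and app."""
    for name, from_zone, apps, action in rules:
        if from_zone in (zone, "any") and app in expand(apps):
            return action, name
    # Assumption from the reply: unmatched interzone traffic is denied.
    return default, "interzone-default"

def shadowed(rules):
    """Names of rules that can never match because earlier rules cover them."""
    seen, dead = {}, []
    for name, from_zone, apps, _ in rules:
        covered = seen.get(from_zone, set()) | seen.get("any", set())
        if expand(apps) <= covered:
            dead.append(name)
        seen.setdefault(from_zone, set()).update(expand(apps))
    return dead

# Hypothetical rulebases, evaluated top to bottom.
ALLOW_FIRST = [  # container allow above the deny: chat is allowed
    ("allow-facebook", "inside", ["facebook"], "allow"),
    ("deny-fb-chat", "inside", ["facebook-chat"], "deny"),
]
DENY_FIRST = [  # deny above the container allow: chat is blocked
    ("deny-fb-chat", "inside", ["facebook-chat"], "deny"),
    ("allow-facebook", "inside", ["facebook"], "allow"),
]
BASE_THEN_DENY = [  # allowing only facebook-base lets the deny sit below
    ("allow-fb-base", "inside", ["facebook-base"], "allow"),
    ("deny-fb-chat", "inside", ["facebook-chat"], "deny"),
]

if __name__ == "__main__":
    for label, rb in [("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST),
                      ("base then deny", BASE_THEN_DENY)]:
        print(label, evaluate(rb, "inside", "facebook-chat"), shadowed(rb))
```

Running `shadowed()` over an exported rulebase before commit is a quick way to catch a deny rule that an earlier, broader allow has made unreachable.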

 

Thanks for replying to the post

 

Can you please confirm below 

 

Allow application facebook before denying application facebook-chat

 

Does it mean block facebook chat first then allow application facebook?

MP


Thanks for confirming that.

Wording was a little tricky.

MP
