Allow application facebook before denying application facebook-chat

Cyber Elite


Need to block facebook chat and allow Facebook for some user group.

I was reading this:

Allow application facebook before denying application facebook-chat

Does it mean block facebook chat first then allow application facebook?

MP


All Replies
L2 Linker

I think it will depend on how you're allowing facebook.

https://applipedia.paloaltonetworks.com/

 

If you look for "facebook", that collection encapsulates facebook-chat.  So if you have a rule that allows "facebook", you will allow chat, and if you want to block it, the deny rule needs to be a higher order rule above that.  If you allow "facebook-base", then you can deny facebook-chat in a rule below it.  By default, interzone traffic will be denied unless you have an implicit-allow rule in your policy.

 

One other approach is to look at controlling Facebook by using an Application Filter - Facebook is specifically described as the example:

https://live.paloaltonetworks.com/t5/Community-Blog/What-are-the-recommended-applications-for-intern...
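
Added example, not part of the original thread and not Palo Alto Networks code: a small Python model of top-down, first-match rule evaluation that shows why rule order matters once an application container is allowed. The rule names, the "outside" zone and the two-member container are assumptions made for the illustration.

```python
# Constructed model: only the two members named in the thread are listed;
# the real "facebook" container has more.
CONTAINERS = {"facebook": {"facebook-base", "facebook-chat"}}

def expand(app):
    """Return the App-IDs a rule entry covers (containers expand to members)."""
    return CONTAINERS.get(app, {app})

def evaluate(rules, zone_from, zone_to, app, default="deny"):
    """Top-down, first-match evaluation. Returns (action, rule_name)."""
    for name, src, dst, rule_app, action in rules:
        if src == zone_from and dst == zone_to and app in expand(rule_app):
            return action, name
    # No rule matched: interzone traffic falls through to the default action.
    return default, "interzone-default"

def shadowed(rules):
    """Names of rules that can never match because earlier rules with the
    same zones already cover every application they list."""
    hidden = []
    for i, (name, src, dst, app, _) in enumerate(rules):
        covered = set()
        for _, s, d, a, _ in rules[:i]:
            if (s, d) == (src, dst):
                covered |= expand(a)
        if expand(app) <= covered:
            hidden.append(name)
    return hidden

# Hypothetical rules: (name, from-zone, to-zone, application, action)
ALLOW_FB = ("allow-facebook", "inside", "outside", "facebook", "allow")
ALLOW_BASE = ("allow-fb-base", "inside", "outside", "facebook-base", "allow")
DENY_CHAT = ("deny-fb-chat", "inside", "outside", "facebook-chat", "deny")

# Deny above the container allow: chat is blocked, the rest of Facebook passes.
deny_first = [DENY_CHAT, ALLOW_FB]
# Container allow on top: the deny below it is never reached.
allow_first = [ALLOW_FB, DENY_CHAT]
# Allowing only facebook-base leaves chat for the lower deny rule.
base_first = [ALLOW_BASE, DENY_CHAT]

if __name__ == "__main__":
    for label, rules in [("deny_first", deny_first), ("allow_first", allow_first),
                         ("base_first", base_first)]:
        chat = evaluate(rules, "inside", "outside", "facebook-chat")
        base = evaluate(rules, "inside", "outside", "facebook-base")
        print(label, "chat:", chat, "base:", base, "shadowed:", shadowed(rules))
```

Running `shadowed()` over a proposed rule list before committing it flags a deny that sits below a broader allow and would therefore never take effect.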

 

Cyber Elite

Thanks for replying to the post.

Can you please confirm the below?

Allow application facebook before denying application facebook-chat

Does it mean block facebook chat first then allow application facebook?

MP
L2 Linker

Yes.  To remove confusion, let's see if I can get a picture that demonstrates.

I think this would do what you're wanting to do - let me know if this helps clarify:

 

 

FB-Example.PNG

 

 

That would deny anyone on "inside" from traffic identified as Facebook-Chat, but any other Facebook traffic would be allowed.


Cyber Elite

Thanks for confirming that.

Wording was a little tricky.

MP