Allowing just the application "web-browsing" breaks websites

L3 Networker

I’ve been trying to figure this one out and would appreciate input from the community. What recommended "helper" applications must be enabled along with the application “web-browsing” to have websites work as close to normal as possible? For example allowing just the application “web-browsing” and “SSL” is not sufficient since plenty of websites use Flash and/or SOAP to work. I know the application Silverlight is also something required. I would like to hear what other web helper applications the community enabled along with flash, Silverlight etc to ensure the web browsing experience is not affected by the firewall rule.

I’m trying to build a rule to replace something like “Any” application with service ports “service-http” and “service-https”. This of course is the easiest to get web browsing working 100% but is of course a huge security hole. Tightening the rule down to application “web-browsing” and service “application-default” starts to break web sites.

5 REPLIES

L1 Bithead

We created an application filter that allows widely used apps for internet access.

Category:General Internet>Technology:Browser-based>Characteristic:Widely used

We then add that filter to an application group that contains SSL and youtube. This has helped us tremendously in allowing basic internet access.

L0 Member

You can start with creating, for example, a Top 250 traffic report for, let's say, the last 30 days, listing Application Name and Repeat Count so you can see what users are using, and then the good old manual labor of creating groups. Of course, it's usable if you don't have a university or school behind your firewall.

Another method is to create a custom App-ID where you check for http-header values such as HEAD, GET and POST and only allow those.

This way it will allow plain http requests if that's what you need (and block smtp, snmp and other stuff which isn't http).

However, I think web-browsing should do this. A problem with App-ID in PA is that web-browsing is an App-ID on its own. It means that once the traffic is being recognized as some other App-ID you must allow that as well.

For example youtube. The first request will most likely be logged as web-browsing, but soon the PA will discover that this is a specific App-ID named "youtube" and will handle the traffic as such. If you only allowed "web-browsing" then your traffic will suddenly get blocked (unless you add youtube as an allowed App-ID, or for that matter create an App-ID on your own with "loose" settings).

The custom App-ID for http-header values like HEAD, GET and POST would "anonymise" all HTTP applications if applied I think. The HTTP-based applications would be reduced to a single App-ID

That's the point if you wish to allow http-only traffic.

Because as soon as the traffic is being identified as some other App-ID it will be that App-ID you need to allow (or if you use an App-ID filter then its categories of App-IDs).

But I agree, it would be nice if the PA could identify a flow as several appid's at once instead of having only one appid per flow.

So if you allow web-browsing (or let's rename it to http-only as an example) that would allow everything that is using a proper http based transmission including facebook, youtube etc., compared to today where you must explicitly allow facebook, youtube etc. (or set up an app filter).
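An added example, not code from this thread or from Palo Alto Networks: a small Python script that does offline what the "Top 250 traffic report" advice above describes, then replays the same sessions against a tightened App-ID allow set so you can see what the stricter rule would start blocking before you commit it. The CSV column names ("Rule", "Application"), the rule name allow-web-any, and the sessions themselves are constructed for the example; the App-ID names are the ones used in the thread. Note how the sessions that vanish are not web helpers at all (ssh on tcp/443, bittorrent on tcp/80), which is exactly the traffic the port-based "any app on service-http/service-https" rule was letting through.

```python
"""Rank applications seen on a permissive 'any app on 80/443' rule and
show what a tightened web-browsing + helper-app rule would block."""
import csv
import io
from collections import Counter

# Constructed sample shaped like a PAN-OS traffic log CSV export.
# Column names and every session here are assumptions for the example.
SAMPLE_LOG = """\
Rule,Application,Action,Destination Port
allow-web-any,web-browsing,allow,80
allow-web-any,ssl,allow,443
allow-web-any,youtube,allow,443
allow-web-any,web-browsing,allow,80
allow-web-any,flash,allow,80
allow-web-any,ssl,allow,443
allow-web-any,ssh,allow,443
allow-web-any,web-browsing,allow,80
allow-web-any,bittorrent,allow,80
allow-web-any,youtube,allow,443
allow-web-any,ssl,allow,443
allow-web-any,web-browsing,allow,80
allow-web-any,facebook,allow,443
other-rule,smtp,allow,25
"""


def load_sessions(csv_text):
    """Parse a traffic-log CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def top_applications(sessions, rule, limit=250):
    """Rank applications that hit `rule` by session count: the
    'Application Name / Repeat Count' report from the thread, done offline.
    Ties are broken alphabetically so the output is stable."""
    counts = Counter(s["Application"] for s in sessions if s["Rule"] == rule)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]


def tightened_rule_impact(sessions, rule, allowed_apps):
    """Replay the sessions that matched the permissive rule against an
    App-ID allow set. Returns (still_allowed, newly_blocked) Counters."""
    allowed = Counter()
    blocked = Counter()
    for s in sessions:
        if s["Rule"] != rule:
            continue
        app = s["Application"]
        (allowed if app in allowed_apps else blocked)[app] += 1
    return allowed, blocked


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_LOG)
    print("Top applications on allow-web-any:")
    for app, n in top_applications(sessions, "allow-web-any", 10):
        print(f"  {app:14s} {n}")
    # Candidate allow set: web-browsing and ssl plus the helper apps the
    # thread mentions. Because a session that starts as web-browsing can be
    # re-identified as youtube or facebook mid-flow, both names must be in
    # the group or the session is cut off after the shift.
    web_group = {"web-browsing", "ssl", "flash", "youtube", "facebook"}
    ok, dropped = tightened_rule_impact(sessions, "allow-web-any", web_group)
    print("Still allowed:", dict(ok))
    print("Would now be blocked:", dict(dropped))
```

On a real firewall you would export the traffic log filtered on the permissive rule over a representative window (the 30 days suggested above) rather than the inline sample, and iterate: anything that shows up in the "would now be blocked" list and is genuinely needed goes into the application group, while ssh-over-443-style leftovers are the reason the tightening is worth the effort.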

  • 6929 Views
  • 5 replies
  • 3 Likes