Allowing SSL and Web-browsing on dependent applications opens unwanted Internet Access.

L1 Bithead


I have created a rule which requires access to Adobe Creative Cloud. This application is dependent on SSL and web-browsing. Setting this rule to allow also grants access to websites like Amazon.com, or general internet access.

Is there a way to make it work just for the particular app? Or am I missing something in creating the policy?


Thanks.

L2 Linker

Hi Sanasheikh,

You can further lock down http/https access based on URL category. Pretty sure you can use custom URL categories without a URL Filtering license if you do not have one.

Hope this helps.

regards,

Ben

Cyber Elite

Hi @Sanasheikh

In some cases it also works without adding the dependencies. You then probably get a commit warning, but it will not allow general web access.

Or, as @Ben-W already pointed out, you can use a custom URL category to restrict the access to only Adobe domains. You can find the list, with quite a few entries from Adobe, here: https://helpx.adobe.com/in/enterprise/kb/network-endpoints.html

(And yes, using a custom URL category does not require a URL Filtering license)

Regards,

Remo

L1 Bithead

Thank you @Ben-W and @vsys_remo. I will create a URL category for Adobe and hopefully that should fix it. But I am still confused why adding ssl and web-browsing for a specific app allows unwanted internet access. With the current setup I can browse almost anything, like amazon.com etc.

We do have a URL Filtering license for our firewall. Should I create an allow/block list and add it to this Adobe CC policy?

Cyber Elite

I would recommend creating a custom URL category which you add directly to the security policy rule (not via a security profile).

L1 Bithead

Sure, I will do that. So even though other applications are not listed, Palo Alto opens up unwanted access if a URL category is not specified.

Cyber Elite

@Sanasheikh,

If you are allowing a dependent application within a security rule, then it's allowed just as any other application. So if I had a rule that allowed [ ssl web-browsing google-base ], other traffic would still match this rule until/if it was able to be identified as a more specific application.

Others have already pointed out ways around this, so I won't rehash it, but you'll essentially want to pick one method or another to address this.

Cyber Elite

The "problem" is that not every application can be recognized within a few packets. In some cases you first need to allow these dependencies, to allow enough traffic that the firewall will be able to see the Adobe CC application. And again, in other cases decryption is required to gain this visibility, because without it, for example, the firewall only sees web-browsing or ssl.

You actually don't have to allow the dependencies, but as I wrote, in some cases Palo Alto can only guarantee full functionality of the various apps when you allow these dependencies. As you see, this can also have negative/unwanted side effects, which you can restrict with this solution with the custom URL category.
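
As an added illustration (not code from any poster or from Palo Alto), a small Python model of the first-match evaluation described in the two replies above: a session stays allowed only while each successive App-ID identification matches an allow rule, and a custom URL category on the rule narrows the ssl/web-browsing allowance to the intended domains. The rule names, the contents of the "adobe-cc" category, the hostnames and the App-ID timelines are constructed placeholders, and the host is assumed to be whatever the firewall derives for the session (a simplification).

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    apps: set                                      # App-IDs the rule permits
    categories: set = field(default_factory=set)   # custom URL categories; empty = any URL
    action: str = "allow"

# Constructed custom URL category (placeholder patterns, not Adobe's published list)
CUSTOM_URL_CATEGORIES = {
    "adobe-cc": {"*.adobe.com", "*.adobe.io"},
}

def host_matches(host, pattern):
    """Wildcard entry '*.example.com' covers the apex and every subdomain."""
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def url_category_match(host, categories):
    if not categories:                             # no category on the rule: any destination
        return True
    return any(host_matches(host, p)
               for c in categories for p in CUSTOM_URL_CATEGORIES.get(c, ()))

def evaluate(rules, app, host):
    """First matching rule wins; nothing matching falls to the implicit deny."""
    for r in rules:
        if app in r.apps and url_category_match(host, r.categories):
            return r.name, r.action
    return "implicit-deny", "deny"

def session_outcome(rules, app_timeline, host):
    """App-ID can shift as more packets are seen (ssl -> web-browsing -> specific app).
    The session survives only while every identification along the way is allowed."""
    result = ("implicit-deny", "deny")
    for app in app_timeline:
        result = evaluate(rules, app, host)
        if result[1] != "allow":
            break
    return result

DEPS = {"adobe-creative-cloud", "ssl", "web-browsing"}
LOOSE = [Rule("allow-adobe-cc", DEPS)]               # dependencies allowed, no URL category
TIGHT = [Rule("allow-adobe-cc", DEPS, {"adobe-cc"})]  # same apps, restricted to Adobe domains

if __name__ == "__main__":
    # Undecrypted Amazon traffic never gets past "ssl", so LOOSE allows it; TIGHT does not.
    print(session_outcome(LOOSE, ["ssl"], "www.amazon.com"))
    print(session_outcome(TIGHT, ["ssl"], "www.amazon.com"))
    print(session_outcome(TIGHT, ["ssl", "adobe-creative-cloud"], "cc.adobe.com"))
```

The last line shows that the category does not break the intended app: the Adobe session passes through the ssl stage and the later adobe-creative-cloud identification on the same rule.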

L1 Bithead

So adding URL filtering or URL category is the solution. Thank you so much for your help everyone. :)
