05-02-2022 11:42 AM
Hello,
I'm trying to work on a request to totally block Spotify on our network for 1 host (could be more in the future) and I thought App-ID would be the best option for this but since it depends on SSL and web browsing it's dropping all traffic when I add those dependencies; which I figured it would.
When I just have Spotify in the application section of the pre rule I do see some Spotify app-ID blocked but I'm still getting access to Spotify, which I'm assuming is because it's using SSL and that is allowed.
Has anyone accomplished this before and could maybe give me a few pointers?
Thank you
05-02-2022 01:17 PM
I think (but not 100% sure) the spotify AppID will just identify the Spotify application/streaming audio, not general website traffic to Spotify. For that web traffic you will probably need to build a URL filter object:
Objects -> Custom Objects -> URL Category
[spotify]
spotify.com/
*.spotify.com/
spotifycdn.com/
*.spotifycdn.com/
sptfy.com/
*.sptfy.com/
<...etc...>
Policies -> Security
[block-user-from-spotify]
Srczone=Trust
Srcuser=badboy
Dstzone=Untrust
URL Category=[spotify]
Action=Deny
Or put the URL Category in your URL Filtering group with an appropriate Site Access setting. Effectiveness will depend on if you are fully decrypting SSL traffic or not. If you are pointing clients at a PA DNS proxy you could also setup a static entry with a dead IP.
05-02-2022 01:43 PM
Well the Custom URL somewhat did the trick. I can't get the actual player to come up so that helps somewhat. I guess I have to figure out all the other URLs Spotify could be using but not really sure how to accomplish that.
@Adrian_Jensen thank you
05-02-2022 01:50 PM
Knowing all the domains takes a bit of guess work and luck, no real foolproof way to do it. But once you have blocked a few of the major domains, it usually is rendered inaccessible. You can search security sites for them:
https://www.netify.ai/resources/applications/spotify
https://www.google.com/search?q=spotify+domains|urls
Though take it with a grain of salt... some of the listed domains, like pscnd.co, are CDNs that serve many different websites.
05-05-2022 06:29 AM
Yeah this is a tough one due to the fact the actual spotify.com page uses https(443) so I can't really block that without breaking pretty much all internet access. I may just have to go with the player being broken as the "fix" for me issue. At least the user can't play music which is the whole purpose of going to spotify
09-22-2024 11:16 PM
To block Spotify effectively for a specific host on your network using App-ID, you're on the right track, but SSL traffic complicates things due to encryption. Since Spotify often uses SSL (HTTPS), even if the App-ID identifies some of the traffic, it may not block all of it. To address this, you could implement SSL decryption, allowing the firewall to inspect the encrypted traffic and apply the App-ID effectively. However, this could introduce privacy concerns or technical overhead. Another option could be to create a custom URL filtering policy that blocks Spotify’s domains (like spotify.com) in combination with the App-ID rule. Make sure to apply these rules specifically to the host or hosts in question by targeting their IP addresses. Additionally, consider reviewing your SSL decryption policy to ensure it’s working correctly with your App-ID and pre-rule configurations. Many organizations have found success by refining a combination of App-ID, URL filtering, and SSL decryption policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
