App-ID confusion and blocking spotify


L1 Bithead

Hello, 

I'm trying to work on a request to totally block Spotify on our network for 1 host (could be more in the future), and I thought App-ID would be the best option for this, but since it depends on SSL and web browsing, it's dropping all traffic when I add those dependencies, which I figured it would.

When I just have Spotify in the application section of the pre rule I do see some Spotify App-ID blocked, but I'm still getting access to Spotify, which I'm assuming is because it's using SSL and that is allowed.

Has anyone accomplished this before and could maybe give me a few pointers? 

 

Thank you

5 REPLIES 5

L6 Presenter

I think (but not 100% sure) the spotify AppID will just identify the Spotify application/streaming audio, not general website traffic to Spotify. For that web traffic you will probably need to build a URL filter object:

Objects -> Custom Objects -> URL Category

    [spotify]

        spotify.com/

        *.spotify.com/

        spotifycdn.com/

        *.spotifycdn.com/

        sptfy.com/

        *.sptfy.com/

        <...etc...>

Policies -> Security

    [block-user-from-spotify]

        Srczone=Trust

        Srcuser=badboy

        Dstzone=Untrust

        URL Category=[spotify]

        Action=Deny

 

Or put the URL Category in your URL Filtering group with an appropriate Site Access setting. Effectiveness will depend on whether you are fully decrypting SSL traffic or not. If you are pointing clients at a PA DNS proxy you could also set up a static entry with a dead IP.

L1 Bithead

Well the Custom URL somewhat did the trick. I can't get the actual player to come up so that helps somewhat. I guess I have to figure out all the other URLs Spotify could be using but not really sure how to accomplish that. 

 

@Adrian_Jensen  thank you 

 

L6 Presenter

Knowing all the domains takes a bit of guess work and luck, no real foolproof way to do it. But once you have blocked a few of the major domains, it usually is rendered inaccessible. You can search security sites for them:

    https://www.netify.ai/resources/applications/spotify

    https://community.spotify.com/t5/Desktop-Windows/Desktop-App-Domain-Needed-for-Whitelist/td-p/488254...

    https://www.google.com/search?q=spotify+domains|urls

Though take it with a grain of salt... some of the listed domains, like pscnd.co, are CDNs that serve many different websites.
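
An added example, not part of the thread and not Palo Alto tooling: a small Python check of which hostnames the custom URL category listed in the earlier reply would catch and which it would miss, run over constructed hostnames. The wildcard matching is a simplified model assumed for illustration (not the firewall's own matcher), and the function names are hypothetical.

```python
from collections import Counter

# Entries from the reply above; the trailing "/" ends the match at the hostname.
CATEGORY = ["spotify.com/", "*.spotify.com/", "spotifycdn.com/",
            "*.spotifycdn.com/", "sptfy.com/", "*.sptfy.com/"]
# Domain the thread calls out as a CDN shared by many sites.
SHARED = {"pscnd.co"}

def entry_matches(entry, host):
    """Assumed model: compare dot-separated labels; a leading '*' stands
    for one or more labels, and nothing may follow the entry's last label."""
    pattern = entry.rstrip("/").lower().split(".")
    labels = host.rstrip(".").lower().split(".")
    if pattern[0] == "*":
        suffix = pattern[1:]
        return len(labels) > len(suffix) and labels[-len(suffix):] == suffix
    return labels == pattern

def triage(hosts, category=CATEGORY):
    """Split hostnames into those the category would catch and those it misses."""
    covered, missed = [], []
    for host in hosts:
        hit = any(entry_matches(e, host) for e in category)
        (covered if hit else missed).append(host)
    return covered, missed

def candidates(missed):
    """Count missed hosts per parent domain (naive: last two labels) and
    mark shared CDNs so they are reviewed rather than added blindly."""
    counts = Counter(".".join(h.lower().split(".")[-2:]) for h in missed)
    return [(dom, n, "shared-cdn" if dom in SHARED else "review")
            for dom, n in counts.most_common()]

# Constructed sample: hostnames as they might appear in URL filtering logs
# for the blocked host. None of these come from a real capture.
SAMPLE = ["open.spotify.com", "a.b.spotify.com", "spotify.com",
          "notspotify.com", "spotify.com.example.net",
          "audio.pscnd.co", "img.pscnd.co", "www.example.org"]

if __name__ == "__main__":
    covered, missed = triage(SAMPLE)
    print("covered:", covered)
    for dom, n, note in candidates(missed):
        print(f"missed: {dom} x{n} [{note}]")
```

The look-alike `notspotify.com` and the prefix trick `spotify.com.example.net` both fall outside the category because matching is done on whole labels and anchored at the end of the hostname.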

L1 Bithead

Yeah, this is a tough one due to the fact the actual spotify.com page uses https (443), so I can't really block that without breaking pretty much all internet access. I may just have to go with the player being broken as the "fix" for my issue. At least the user can't play music, which is the whole purpose of going to Spotify.

L0 Member

To block Spotify effectively for a specific host on your network using App-ID, you're on the right track, but SSL traffic complicates things due to encryption. Since Spotify often uses SSL (HTTPS), even if the App-ID identifies some of the traffic, it may not block all of it. To address this, you could implement SSL decryption, allowing the firewall to inspect the encrypted traffic and apply the App-ID effectively. However, this could introduce privacy concerns or technical overhead. Another option could be to create a custom URL filtering policy that blocks Spotify’s domains (like spotify.com) in combination with the App-ID rule. Make sure to apply these rules specifically to the host or hosts in question by targeting their IP addresses. Additionally, consider reviewing your SSL decryption policy to ensure it’s working correctly with your App-ID and pre-rule configurations. Many organizations have found success by refining a combination of App-ID, URL filtering, and SSL decryption policies.
