Application 'github-base' and SSH

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Application 'github-base' and SSH

L2 Linker

Hi all,

 

Can someone please explain why the "github-base" application depends on SSH?

 

We are running into a number of problems with web sites that are hosted on Github.  Users want to get to these sites for legitimate reasons.  IT people have also wanted to download Github projects.  I don't have a problem with approving github-base, but we have no desire to approve SSH. 

 

Any help or advice is appreciated. 

 

TIA,

- Steve

 

1 accepted solution

Accepted Solutions

Hi,

 

You don't need to allow SSH just to browse the website, but you will probably get a warning every time you commit some changes on the firewall (which you can ignore in your case). Even if you fork the repository, it will work as long as you use git with HTTPS and not SSH. The website seems to be hosted by Github, hence the github-base app for that traffic.

 

Regards,

 

Benjamin

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

So I could be wrong on this, however scp also uses port 22 and is identified by the PAN as SSH traffic. Not sure if github uses scp, however if it doesn then this could be the reason why. You could further lock down the policy for github to certain sites only?

 

Cheers!

unless Github provides a list of their public IPs and you limit your rule to them, then you will have to allow SSH globally unfortunatly.

 

Doesn't Github have a SSL/HTTP fallback method ?

Hi,

 

This webpage lists the current IP address range used, so you could restrict SSH to this range:

 

https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/

 

Regards,

 

Benjamin

 

Hi all,

 

Thanks for the replies.  This is one of the websites that our PAs are blocking:

 

http://www.whatsmyua.com/

 

Note that this page isn't on GitHub itself.  The source code for the project is on GitHub.  Looking at the page's source, I see two links to GitHub - the "Source" link at the top and the "send and issue or pull request" link at the bottom.  Both of these links use the HTML tag

<i class="fa fa-github"></i>

 

My HTML is pretty rusty, because I thought that <i> was for italics.

 

So I'm back to the original question, why do we need ssh enabled to use this site?  For that matter, should we need the github-base app-ID enabled at all?

 

Thanks,

- Steve

 

Hi,

 

You don't need to allow SSH just to browse the website, but you will probably get a warning every time you commit some changes on the firewall (which you can ignore in your case). Even if you fork the repository, it will work as long as you use git with HTTPS and not SSH. The website seems to be hosted by Github, hence the github-base app for that traffic.

 

Regards,

 

Benjamin

Hi Benjamin,

 

Thanks for the info; I wanted to wait until our primary firewall admin got back from vacation to discuss it with him.  We agree that we could enable github-base without SSH and put up with the errors.  However I disagree that the traffic application should be "github-base" in the first place since this is basically a straight HTTP site.  We are going to open a ticket with PA tech support about that.

 

Thanks,

- Steve

https://live.paloaltonetworks.com/t5/MineMeld-Discussions/New-GitHub-Miner/td-p/229904

 

Haven't tried it yet but looks like a reasonable solution for restricting SSH to GitHub destinations.

  • 1 accepted solution
  • 11908 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!