04-30-2012 11:21 AM
Greetings,
One of my users forwarded me a phishing email that points to Google Docs to collect information (username/password). The URL looks like: "https://docs.google.com/a/b/c/viewform?formkey=asdfasdfasdfasdf" (not the real URL). Is there a way to block one Google Doc in PANOS?
Thanks,
Dave M
04-30-2012 11:50 AM
You should be able to create your own custom threat signature to detect this and block (and log) when this particular link is being clicked on.
The tricky part might be how to create the signature so it will limit the number of false positives but at the same time not miss any of the many domain names which Google can use for the access. Meaning, is it enough if you do something like:
base application: google-docs
host: *.google.*
AND
uri: /a/b/c/viewform?formkey=asdfasdfasdfasdf
I think you might need SSL decryption as well since this is HTTPS.
05-07-2012 05:26 PM
I'm having the same problem in a big way. I thought URL Filtering was supposed to be able to block websites through SSL even without decryption. I understand the custom block page not being allowed, but I thought enough of the header was readable to throw up at least an ugly ACCESS Denied page.
Google Docs is sending us fresh SSL-based phishing schemes almost every day. Not good!!
05-07-2012 11:41 PM
You must have SSL decryption running in order to be able to see which URL is being requested within the SSL/TLS session.
But I don't know if the url-filter in PA also includes IP addresses, since you must specify url-categories when you set up the SSL decryption rules.