block gmail personal ID and allow gmail official ID in palo alto

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L4 Transporter

block gmail personal ID and allow gmail official ID in palo alto

Hi Friends,

please suggest,block gmail personal ID and allow gmail official ID in palo alto.

Regards

Satish

Highlighted
L5 Sessionator

Hi Satish,

I don't think that is possible with current design. Unless you can verify if the URL you navigate to for both personal and official are unique. If that is the case the case then you can configure ssl decryption on device and allow or deny specific URLs. Which I think is highly unlikely. Hope this helps. Thank you.

Highlighted
L4 Transporter

Hi,

Google is suggesting as below

Block access to consumer accounts - Google Apps Help

PAN device can decrypt ssl traffic, though it can't insert HTTP header X-GoogApps-Allowed-Domains.

This means PAN device can't handle such a case.

If you have proxy server, you can do it on the proxy.

Highlighted
L4 Transporter

Hello Friends,

 

Please try this one :- 

 

Create a Custom Data Pattern

 

Objects - custom-objects - data-patternsUntitled.png

 

match regex pattern @gmail\.com

 

Create a Data Filtering profile

 

Objects - security-profiles - data-filtering

 

Match the previously created custom data pattern in the Data filtering profile and application as gmail-base.

Untitled.png

 

Create a rule allowing all apps with the data security profile attached to it.

 

Policies – security – rulebase

Untitled.png

 

 

Data Filtering log: note the first log as it matches the data pattern

Untitled.png

 

Thnaks 

Highlighted
L5 Sessionator

Have a look at PA Aperture:

https://www.paloaltonetworks.com/products/aperture.html

 

This might be your solution. But so far there isn't much info about it yet.

Highlighted
L1 Bithead

Step1: Add HTTP Header Insertion under URL Filtering Profile

Screenshot 2020-07-23 at 6.16.45 PM.png

Step2: Create Decryption Profile and enable "Strip ALPN" Under Client Extension

Screenshot 2020-07-23 at 6.18.03 PM.png

Step3: Add Decryption Profile in your Decryption Policy

Screenshot 2020-07-23 at 6.20.48 PM.png

Step4: Make Sure the URL Filtering is added in your Security Policy

Result: Personal Gmail is blocked

Screenshot 2020-07-23 at 6.23.20 PM.png

FAIZAN SHEIKH
FOLLOW MY FACEBOOK GROUP - Palo Alto Networks Q/A
Highlighted
L1 Bithead

Step1: Add HTTP Header Insertion under URL Filtering Profile

Screenshot 2020-07-23 at 6.16.45 PM.png

Step2: Create Decryption Profile and enable "Strip ALPN" Under Client Extension

 

Screenshot 2020-07-23 at 6.18.03 PM.png

Step3: Add Decryption Profile in your Decryption Policy

 

Screenshot 2020-07-23 at 6.20.48 PM.png

 

Step4: Make Sure the URL Filtering profile is added in your Security Policy

 

Result: Personal Gmail is blocked

Screenshot 2020-07-23 at 6.23.20 PM.png

Cheers,

Faizan Sheikh 

FAIZAN SHEIKH
FOLLOW MY FACEBOOK GROUP - Palo Alto Networks Q/A
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!