block gmail personal ID and allow gmail official ID in palo alto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

block gmail personal ID and allow gmail official ID in palo alto

L4 Transporter

Hi Friends,

please suggest,block gmail personal ID and allow gmail official ID in palo alto.

Regards

Satish

8 REPLIES 8

L5 Sessionator

Hi Satish,

I don't think that is possible with current design. Unless you can verify if the URL you navigate to for both personal and official are unique. If that is the case the case then you can configure ssl decryption on device and allow or deny specific URLs. Which I think is highly unlikely. Hope this helps. Thank you.

L5 Sessionator

Hi,

Google is suggesting as below

Block access to consumer accounts - Google Apps Help

PAN device can decrypt ssl traffic, though it can't insert HTTP header X-GoogApps-Allowed-Domains.

This means PAN device can't handle such a case.

If you have proxy server, you can do it on the proxy.

L4 Transporter

Hello Friends,

 

Please try this one :- 

 

Create a Custom Data Pattern

 

Objects - custom-objects - data-patternsUntitled.png

 

match regex pattern @gmail\.com

 

Create a Data Filtering profile

 

Objects - security-profiles - data-filtering

 

Match the previously created custom data pattern in the Data filtering profile and application as gmail-base.

Untitled.png

 

Create a rule allowing all apps with the data security profile attached to it.

 

Policies – security – rulebase

Untitled.png

 

 

Data Filtering log: note the first log as it matches the data pattern

Untitled.png

 

Thnaks 

Have a look at PA Aperture:

https://www.paloaltonetworks.com/products/aperture.html

 

This might be your solution. But so far there isn't much info about it yet.

L1 Bithead

Step1: Add HTTP Header Insertion under URL Filtering Profile

Screenshot 2020-07-23 at 6.16.45 PM.png

Step2: Create Decryption Profile and enable "Strip ALPN" Under Client Extension

Screenshot 2020-07-23 at 6.18.03 PM.png

Step3: Add Decryption Profile in your Decryption Policy

Screenshot 2020-07-23 at 6.20.48 PM.png

Step4: Make Sure the URL Filtering is added in your Security Policy

Result: Personal Gmail is blocked

Screenshot 2020-07-23 at 6.23.20 PM.png

FAIZAN SHEIKH
FOLLOW MY FACEBOOK GROUP - Palo Alto Networks Q/A

L1 Bithead

Step1: Add HTTP Header Insertion under URL Filtering Profile

Screenshot 2020-07-23 at 6.16.45 PM.png

Step2: Create Decryption Profile and enable "Strip ALPN" Under Client Extension

 

Screenshot 2020-07-23 at 6.18.03 PM.png

Step3: Add Decryption Profile in your Decryption Policy

 

Screenshot 2020-07-23 at 6.20.48 PM.png

 

Step4: Make Sure the URL Filtering profile is added in your Security Policy

 

Result: Personal Gmail is blocked

Screenshot 2020-07-23 at 6.23.20 PM.png

Cheers,

Faizan Sheikh 

FAIZAN SHEIKH
FOLLOW MY FACEBOOK GROUP - Palo Alto Networks Q/A

L1 Bithead

Thank you so much for the "how to" it really works so well. However I having a particular situation, if a add a a second header, only the first one created works, any suggest?

just simple.

follow google.com example 

input 111.com, 222.com in value

Example: X-GoogApps-Allowed-Domains: mydomain1.com, mydomain2.com

mydomain1.com, mydomain2.com

  • 16025 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!