Block websites when using VPN


L1 Bithead

Some users started to use the SoftEther VPN client in our company, which allows them to bypass the URL Filtering policy. How can we allow them to use the VPN client but still allow or block access to certain websites? We already implemented an SSL decryption rule, but it is not working when they are using SoftEther VPN.


Community Team Member

Hi @nredaj ,

Is decryption working?

How is the traffic identified by the firewall?

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi ,

Decryption is working. Based on the monitoring logs, when using the VPN client, all traffic is identified as:

Application: SSL

IP Protocol: TCP

Port: 443

Category: computer-and-internet-info

Community Team Member

Hi @nredaj ,

How is decryption working?

If the application is identified as SSL, then decryption isn't working.

Note that in some scenarios decryption is impossible, for example when unsupported protocols or ciphers are used, or with certificate pinning.

Cheers,

-Kiwi.

 

[Attachment: traffic.JPG]

Hi @kiwi ,

It says decrypted. The problem is that users need to use SoftEther VPN to access a certain website. But using this VPN client can bypass all our security rules in place. Maybe we can find another way to access the website without using VPN.

Thank you very much @kiwi 

Community Team Member

Hi @nredaj ,

You might be hitting this, which could explain why a decrypted session is still showing up as SSL:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle8CAC

Have you checked with support already?

Cheers!

-Kiwi.

 

 

L7 Applicator

Hmm, I think the SSL decryption here will not be as helpful as usual. You will only decrypt the outer wrapper (the actual tunnel); any SSL packets running through the tunnel will not be decrypted, as negotiation for these will have taken place end to end via the tunnel, not the Palo.

 

 

@nredaj,

I would agree with @Mick_Ball in this case. Decrypting this traffic isn't going to give you much information and won't allow you to actually perform URL Filtering; this is actually the exact reason VPNs are recommended on untrusted networks: the network operator can't decrypt enough of the traffic to actually see anything useful.
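The two replies above explain why decrypting the outer wrapper tells the firewall nothing about the traffic inside the tunnel; what the firewall logs still show is the pattern nredaj reported (sessions that stay identified as plain "ssl" on 443 after decryption, long-lived and high-volume to one destination). The script below is an added example, not code from this thread or from Palo Alto Networks; the log rows are constructed in a simplified CSV layout and the thresholds are assumed starting points, not PAN-OS settings.

```python
"""Flag long-lived, high-volume sessions that never resolved past the
generic 'ssl' application: a pattern consistent with a VPN tunnel riding
inside TLS, where only the outer wrapper is visible to the firewall."""
from collections import defaultdict

# Constructed sample rows (not a real PAN-OS export format):
# src, dst, port, app, url-category, bytes, elapsed_seconds
SAMPLE_LOG = """\
10.1.1.5,203.0.113.10,443,ssl,computer-and-internet-info,524288000,5400
10.1.1.5,203.0.113.10,443,ssl,computer-and-internet-info,61440000,3700
10.1.1.7,198.51.100.20,443,web-browsing,search-engines,20480,12
10.1.1.9,198.51.100.40,443,ssl,computer-and-internet-info,30720,8
"""

def parse_rows(text):
    """Turn the CSV text into a list of dicts with typed numeric fields."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, port, app, cat, nbytes, secs = line.split(",")
        rows.append({"src": src, "dst": dst, "port": int(port), "app": app,
                     "category": cat, "bytes": int(nbytes), "seconds": int(secs)})
    return rows

def suspected_tunnels(rows, min_seconds=1800, min_bytes=50_000_000):
    """Return sorted (src, dst) pairs whose sessions all stayed generic
    'ssl' and were both long-lived and high-volume (assumed thresholds)."""
    totals = defaultdict(lambda: {"bytes": 0, "seconds": 0, "generic": True})
    for r in rows:
        t = totals[(r["src"], r["dst"])]
        t["bytes"] += r["bytes"]
        t["seconds"] = max(t["seconds"], r["seconds"])
        if r["app"] != "ssl":          # App-ID got past the TLS wrapper
            t["generic"] = False
    return sorted(pair for pair, t in totals.items()
                  if t["generic"]
                  and t["seconds"] >= min_seconds
                  and t["bytes"] >= min_bytes)

if __name__ == "__main__":
    for src, dst in suspected_tunnels(parse_rows(SAMPLE_LOG)):
        print(f"review: {src} -> {dst} looks like a tunnel inside TLS")
```

Such a hit is a cue to review the host and the destination, since the firewall cannot see inside the session to apply URL Filtering.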

I understand that this could be out of the Palo Alto FW's scope.

This is a bit frustrating. Configuring a static route on the client side (Windows OS) could have solved this issue, but the website they're accessing goes through a CDN, which causes the IP address to change from time to time. A probable solution may be to work it out with the SoftEther VPN configuration.

Thank you guys for all your inputs.
