Blocking certain Facebook features while allowing others with PAN version 8.1.17


L4 Transporter

I am trying to block certain Facebook features while allowing others.  For example:


Facebook – block - chat, file-share, post, video, voice


However, after implementing it on the PAN, I can still do this with Facebook:  I could post, like and upload pictures. Chat doesn’t work at all, though I can see the page.


Is this normal?  Is the application "aware" in PAN working as advertised or no?


Cyber Elite

Are you using ssl decryption on all your outbound sessions ?

These applications will only work properly if you decrypt everything


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I decrypt everything listed in "social-networking" URL category so I assume FaceBook is one of them. Can't decrypt "everything" because that will choke the PAN firewalls

@dtran,

Are your firewalls that maxed already? Generally speaking you don't see a massive performance hit simply decrypting untrust traffic on current platforms. Unless you're already pushing the limits of your platform, enabling decryption on your untrust traffic shouldn't push your resources on your firewall that hard. 

L4 Transporter

@BPry


1- I really don't want to decrypt "everything" because it might cause performance issues on the firewall, even on the 5250 platform.  This firewall does everything for both inbound and outbound traffic, including GlobalProtect.


2- Why do I need to decrypt "everything" outbound, just for Facebook?  I thought I only need it for the "social-networking" URL category.  If I decrypt "everything", it might choke the firewall.


On a side note, have you ever done what I described in my original thread before?  Does it actually "work"?


@dtran wrote:

@BPry


1- I really don't want to decrypt "everything" because it might cause performance issues on the firewall, even on the 5250 platform.  This firewall does everything for both inbound and outbound traffic, including GlobalProtect.


2- Why do I need to decrypt "everything" outbound, just for Facebook?  I thought I only need it for the "social-networking" URL category.  If I decrypt "everything", it might choke the firewall.


On a side note, have you ever done what I described in my original thread before?  Does it actually "work"?


1 - Anything within the 5200 series was designed from the ground up to have decryption cause limited impact. These boxes are designed to decrypt the traffic, and enabling decryption has limited overhead on these platforms. Unless you're already running into the platform limits of the 5250 and your firewalls weren't sized properly, you aren't going to run into anything by enabling decryption for untrust destined traffic. If you want to be extra cautious, enable it in limited groups so you can see the actual impact until everyone is included. 


2 - Again, unless you are already reaching platform limits you aren't going to "choke" the firewall by decrypting untrust traffic. The 5200 series is designed to decrypt traffic with minimal impact to system resources, so unless you're already struggling you aren't going to choke it by enabling decryption.


Yes, I have, and when you decrypt everything it works a whole lot better than what you are describing. You shouldn't have any issues blocking posting or uploading images and the like. You won't be able to block liking posts or commenting; that is all going to get categorized as Facebook-base which you aren't blocking. If you want to go that far, you need to simply block access to Facebook. 
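For readers who want to see what the rule base discussed in this thread looks like in PAN-OS set-command form, here is an added configuration example; it is not taken from the original posts or from Palo Alto Networks documentation. It assumes zone names `trust` and `untrust`, the rule names shown, and that the App-ID names match the sub-applications the original poster listed (facebook-chat, facebook-file-sharing, facebook-posting, facebook-video, facebook-voice) plus `facebook-base`, which the thread notes must remain allowed because the sub-applications are identified on top of it. Verify every application name against the Objects > Applications list on your own content version before committing.

```text
set rulebase security rules Block-Facebook-Features from trust to untrust source any destination any source-user any category any hip-profiles any application [ facebook-chat facebook-file-sharing facebook-posting facebook-video facebook-voice ] service application-default action deny log-end yes
set rulebase security rules Allow-Facebook-Base from trust to untrust source any destination any source-user any category any hip-profiles any application [ facebook-base ] service application-default action allow log-end yes
set rulebase decryption rules Decrypt-Social-Networking from trust to untrust source any destination any category social-networking action decrypt type ssl-forward-proxy
```

The deny rule must sit above the allow rule, and the decryption rule is what lets App-ID see the sub-applications at all: without SSL forward proxy on those sessions the firewall only sees `ssl` or `facebook-base`, which is the behaviour the replies above attribute to incomplete decryption. After committing, confirm in the Traffic log that sessions to Facebook show the expected `facebook-*` application names and that the deny rule is actually being hit; if everything still logs as `facebook-base`, the decryption rule is not matching those sessions.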

L4 Transporter

@BPry:  I finally got in touch with a senior TAC engineer from PAN and he agrees that my setup is correct.  I do NOT have to decrypt everything.  After I showed him, he agreed that some of the FB apps do NOT work as designed.  I was able to show him that when using Firefox, users can NOT post on FB but users CAN post on FB using Chrome and Microsoft Edge.   Finally I got a hold of a PAN Engineer who knows what he is doing, after many weeks of frustration.


You're wrong about not being able to block "like" and comments in FB.  Both "like" and "comment" are part of facebook-posting app.  The facebook-posting is not working as it should.  The TAC engineer will take it up with their content team.

@dtran,

Interesting ... So if I'm to understand this correctly, I'm wrong because the signature works exactly as I told you they did and everything I told you is correct as things stand today ... okay. 

L4 Transporter

@BPry

This is what you said in previous post:  "You won't be able to block liking posts or commenting; that is all going to get categorized as Facebook-base which you aren't blocking."


What I am trying to say is that the PAN is NOT blocking "like" and "comment" as it should have.  It is NOT working.  It is being investigated by PAN TAC support.  The FB apps "facebook-posting" should have blocked the "like" and "comment" but it does not.  I do not allow "facebook-posting" in my rule base.


I heard back from PAN support after the case was opened six weeks ago.  PAN support said that it is a code issue in the Application and Threat update.  They will update the Application and Threat update sometime in the first week of March.  We'll see if they actually fix the issue.

Just a quick update on this.  Palo Alto has released an Application and Threat update on 03/16/2021 but sadly it is still broken in PAN-OS 8.1.17.


TAC is still investigating more than three months after the ticket was opened 😞

Just want to provide an update to this issue.


It is now May 6th, 2021 and the issue is still NOT fixed by PAN.
