Blocking certain Facebook features while allowing others with PAN version 8.1.17

L2 Linker


I am trying to block certain Facebook features while allowing others. For example:

Facebook – block - chat, file-share, post, video, voice

However, after implementing it on the PAN, I can still do this with Facebook: I could post, like and upload pictures. Chat doesn’t work at all, though I can see the page.

Is this normal?  Is the application "aware" in PAN working as advertised or no?

L7 Applicator

Are you using SSL decryption on all your outbound sessions?

These applications will only work properly if you decrypt everything.


Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
L2 Linker

I decrypt everything listed in "social-networking" URL category so I assume Facebook is one of them. Can't decrypt "everything" because that will choke the PAN firewalls.

Cyber Elite

@dtran,

Are your firewalls that maxed already? Generally speaking you don't see a massive performance hit simply decrypting untrust traffic on current platforms. Unless you're already pushing the limits of your platform, enabling decryption on your untrust traffic shouldn't push your resources on your firewall that hard. 

L2 Linker

@BPry

1- I really don't want to decrypt "everything" because it might cause performance issues on the firewall, even on the 5250 platform. This firewall does everything for both inbound and outbound traffic, including GlobalProtect.

2- Why do I need to decrypt "everything" outbound, just for Facebook? I thought I only need it for "social-networking" URL category. If I decrypt "everything", it might choke the firewall.

On a side note, have you ever done what I described in my original thread before? Does it actually "work"?

Cyber Elite


@dtran wrote:

@BPry

1- I really don't want to decrypt "everything" because it might cause performance issues on the firewall, even on the 5250 platform. This firewall does everything for both inbound and outbound traffic, including GlobalProtect.

2- Why do I need to decrypt "everything" outbound, just for Facebook? I thought I only need it for "social-networking" URL category. If I decrypt "everything", it might choke the firewall.

On a side note, have you ever done what I described in my original thread before? Does it actually "work"?


1 - Anything within the 5200 series was designed from the ground up to have decryption cause limited impact. These boxes are designed to decrypt the traffic, and enabling decryption has limited overhead on these platforms. Unless you're already running into the platform limits of the 5250 and your firewalls weren't sized properly, you aren't going to run into anything by enabling decryption for untrust destined traffic. If you want to be extra cautious, enable it in limited groups so you can see the actual impact until everyone is included.

2 - Again, unless you are already reaching platform limits you aren't going to "choke" the firewall by decrypting untrust traffic. The 5200 series is designed to decrypt traffic with minimal impact to system resources, so unless you're already struggling you aren't going to choke it by enabling decryption.

Yes, I have, and when you decrypt everything it works a whole lot better than what you are describing. You shouldn't have any issues blocking posting or uploading images and the like. You won't be able to block liking posts or commenting; that is all going to get categorized as Facebook-base which you aren't blocking. If you want to go that far, you need to simply block access to Facebook.
