10-29-2012 03:39 AM
Our users are getting phishing mails on a regular basis in which they are asked to fill in their username and password by clicking on a link.
We don't have the URL categorizing license but are using URL filtering via custom URL filtering and that works fine (most of the time). We put the links of the phishing mails in the custom URL category with block as action.
As already told, this works fine except for the latest addition : a phishing site on google docs.
I copied the URL from the mail as always and added it to the list but it won't block for an unknown reason.
This is the URL we want to block : "docs.google.com/spreadsheet/viewform?formkey=dFFDMXVDYlUzZ05iTkpmc0o3M1Ewd1E6MQ" (it is a https: URL).
Does it matter that this is a https URL instead of a http URL? Is it possible the URL matching isn't done because PA recognises this as an app? The traffic log shows it as an ssl application.
I even tried with formkey=* as a test but even that didn't work.
Does anyone have a suggestion on what I'm doing wrong or on how to block URLs like this?
Wim Holemans
11-06-2012 03:40 PM
As this is SSL, we need to decrypt the traffic so that we can look at the url inside. When you have decryption in place, you should be able to block the url you referred to.
As a test, I tried to access the docs and it shows up as "0.drive.google.com/"
11-23-2012 03:41 PM
Hi,
What version are you running on PAN?
I had the same issue. When I updated my PANs from 4.1.6 to 4.1.9 version I was able to block "docs.google.com" through a URL filtering.