09-26-2016 07:56 AM
Hello everyone,
I am attempting to block web advertisements on our PA-3020. We have two of these devices which utilize Panorama. We have blocked anything categorized as "web-advertisement" on the firewall, which is great, but a ton of ads are still getting through. What we would like to do is as follows:
Does anyone have any suggestions we can use? For our typical malware blacklisting, the sites just do not resolve and show a "page cannot be displayed" message. This is logged, which is great, but for the web advertisement blocking, our CIO wants it to show an "Ad Blocked" message. This message works for anything classified as "web-advertisement."
Any suggestions would be greatly appreciated.
Thanks,
Kevin
09-30-2016 12:38 PM - edited 09-30-2016 12:53 PM
One great way I could think of doing this is to go under Objects, External Dynamic Lists... and create a new Dynamic Domain Lists via Add and selecting Type = Domain List. No doubt, you put the URL and the frequency it updates.
Next to enable it...
Security Profiles, Anti-Spyware, and open the DNS Signatures tab.
In there, you can apply an External Dynamic List Domains... I personally recommend "sinkhole"
**********
Now it is just a matter of going to your policy that lets your Internet traffic go out and changing the profile to that Anti Spyware profile. Personally, I would recommend doing a Security Profile Group, so you can have consistency throughout all of your Policies that do filtering via some preconfigured templates that you make.
+++++++++++++++++
Another option is to create a URL Block List... Same as above, only you apply it to the URL Filtering under Security Profile. It basically shows up with a little "+" next to it. Naturally, you would need to change it in your active URL policy to an action of "Block"
**************************
Another way is to create an IP block list... Again it is in the External Dynamic Lists.
You would generally apply these via a security policy before your Internet policy. Might make a policy that says something like your normal Inside TO Outside (Destination Address Dynamic IP List YOURBLOCKLIST) ... DENY
Then it ends up in the firewall logs with that rule showing it dropped if the IP address is in the list.
No doubt, you could also use the "Destination Negate" option in your Internet Out rule and simply only ALLOW Internet traffic that doesn't match an IP on a Dynamic IP List.
Hope that helps... there is a TON of flexibility with the Palo Alto to block ads.
______________________________________________
It depends on which list-type you use what your block page will look like.
For example, blocking IPs more or less simply show up in the log. If you do this, you want to reset-client or reset-both... otherwise the browser will just hang a while before timing out its TCP session, but you don't really get a block message.
If you are doing a Domain Block, that will give you your Antivirus / Anti-Spyware Block Page...
If you are doing an External Dynamic List on the URL Filtering, which is what you most likely want to do, then it would use your normal URL Filtering block page.
09-26-2016 08:05 AM
To the best of my knowledge, if you are using an EBL then you will simply 'deny' the connections from being made. I don't believe that PA has a 'denied' response page in the context of denying hosts from the network; you can only get that with application response pages.
It might be a better option to look into rolling out ad-blocking via group policy. There are plenty of guides that you can follow and it doesn't take long at all. You also get the added benefit of disabling it when the user wants to access a site that would have otherwise denied access if it couldn't reach its ad servers.
09-26-2016 10:55 AM
Thanks for the reply, BPry. I had it configured previously to just block the sites, however, without showing the "ad blocked" message, our CIO wasn't pleased with that. The GPO is managed by our large company, so it would be worth reaching out to them I believe. I appreciate your input very much.
09-26-2016 11:20 AM
It's a rather blunt method, but depending on how many domains you're populating in the EBL can you just not create your own local DNS poisoning?
Stand up a local internal page with the required block page and for every domain just put a DNS entry on your network to point hosts to that internal page?
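Both the External Dynamic List suggestion earlier in the thread and the local DNS override idea above start from the same artifact: a clean list of ad domains, one per line, served from a web server the firewall (or your DNS resolver) can fetch. The script below is an added example, not code from any of the posters or from Palo Alto Networks. It merges a few upstream feeds of different shapes (hosts-file style `0.0.0.0 domain` lines, plain domain lists, pasted URLs), normalizes and de-duplicates them, honours an allow list so your own sites never land in the block list, and renders two outputs: the plain Domain List file a PAN-OS EDL object would fetch, and the equivalent dnsmasq `address=/domain/ip` override lines for the internal block-page approach. The sample feeds are constructed for the example, and `10.0.0.50` is an assumed address for the internal block page, not anything from the thread.

```python
"""
Build a domain blocklist for a PAN-OS External Dynamic List (EDL) of type
"Domain List" from several upstream sources, and emit the equivalent local
DNS override lines (dnsmasq syntax) for the internal block-page approach.

The sources below are constructed for this example; a real deployment would
fetch them over HTTP on the same schedule the EDL object uses.
"""
import re
from typing import Iterable, List, Optional

# RFC 1123 hostname label; a domain is two or more labels joined by dots.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Addresses used by hosts-file style feeds in the first column.
_HOSTS_IP_RE = re.compile(r"(?:0\.0\.0\.0|127\.0\.0\.1|::1?)")


def extract_domain(line: str) -> Optional[str]:
    """Return the domain named on one source line, or None if it holds none.

    Accepts plain domain lists, hosts-file style "0.0.0.0 domain" lines and
    URL-ish entries such as "http://domain/path"; trailing '#' comments and
    case are stripped, and hosts-file filler entries are dropped.
    """
    line = line.split("#", 1)[0].strip().lower()
    if not line:
        return None
    parts = line.split()
    if len(parts) >= 2 and _HOSTS_IP_RE.fullmatch(parts[0]):
        line = parts[1]            # hosts-file format: take the hostname column
    elif len(parts) > 1:
        return None                # free text, not an entry
    line = re.sub(r"^[a-z]+://", "", line)           # drop a pasted scheme
    line = line.split("/", 1)[0].split(":", 1)[0]    # drop path and port
    if line in ("localhost", "localhost.localdomain", "broadcasthost"):
        return None
    if line.rsplit(".", 1)[-1].isdigit():
        return None                # an IP address such as "0.0.0.0", not a domain
    return line if _DOMAIN_RE.match(line) else None


def build_edl(sources: Iterable[str], allow: Iterable[str] = ()) -> List[str]:
    """Merge sources into a sorted, de-duplicated domain list, dropping any
    domain on the allow list (for example the company's own sites)."""
    allowed = {a.strip().lower() for a in allow}
    seen = set()
    for text in sources:
        for raw in text.splitlines():
            domain = extract_domain(raw)
            if domain and domain not in allowed:
                seen.add(domain)
    return sorted(seen)


def render_edl(domains: List[str]) -> str:
    """One entry per line, newline-terminated: the plain-text shape a PAN-OS
    Domain List EDL fetches. Assumption: no comment lines are emitted, so the
    file stays valid regardless of the firewall's comment handling."""
    return "".join(d + "\n" for d in domains)


def render_dnsmasq(domains: List[str], block_page_ip: str) -> str:
    """dnsmasq 'address=' overrides that resolve each blocked domain (and its
    subdomains) to an internal block-page host, as the DNS override
    suggestion in the thread describes. block_page_ip is supplied by the caller."""
    return "".join(f"address=/{d}/{block_page_ip}\n" for d in domains)


# Constructed sample feeds (not real blocklists).
SAMPLE_SOURCES = [
    "# ad hosts (constructed sample)\n"
    "127.0.0.1 localhost\n"
    "0.0.0.0 0.0.0.0\n"
    "0.0.0.0 ads.example.net\n"
    "0.0.0.0 Tracker.Example.org   # trailing comment\n",
    "banner.example.com\n"
    "https://cdn-ads.example.com/lib.js\n"
    "not a domain\n"
    "ads.example.net\n",
]
# Constructed allow list: a site the business needs that a feed also lists.
SAMPLE_ALLOW = ["banner.example.com"]


def main() -> None:
    domains = build_edl(SAMPLE_SOURCES, SAMPLE_ALLOW)
    print(render_edl(domains), end="")
    # 10.0.0.50 is an assumed address for the internal block page.
    print(render_dnsmasq(domains, "10.0.0.50"), end="")


if __name__ == "__main__":
    main()
```

Serve the `render_edl` output from an internal web server and point the EDL object's URL at it; the firewall re-fetches on the interval set on the object, so edits to the allow list take effect without touching policy. The dnsmasq output only makes sense together with the internal block page the post describes, and because `address=/domain/ip` also captures subdomains, check the rendered list against any site you depend on before loading it.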