07-13-2011 12:59 PM
07-14-2011 01:06 AM
Hi Paul,
We are not able to detect the User-agent string. What you can do is make a definition to search for specific user-agents. See this post:
https://live.paloaltonetworks.com/docs/DOC-1503
Marcel
07-20-2011 09:23 AM
Thanks. Would it be possible to add this as a feature request? Should be able to identify, log, report and block based on user-agent string for relevant applications.
07-21-2011 02:11 AM
For those who care, http://www.useragentstring.com/pages/All/ contains a decent list of UA strings. Notice that there are a lot of customised versions of IE out there. It is also possible to create custom app-ids to recognise different browsers, although I doubt this would be a good strategy (you care more about the content than the accessor).
09-16-2011 12:49 AM
Hi All,
I have created a custom application to detect Firefox as an app; this seems to be working well, as it is detecting it in the traffic logs.
We have a requirement to block Firefox as it enables the users to bypass the proxy setting set in the GPO in AD.
The problem:
I have a test rule to block Firefox at the top of my policy set, but it seems to only be active on news-media categorized web sites like bbe, cnn, etc.
When browsing to Google or any other site, it hits my general access rule at the bottom of my policy list.
Any ideas? Have I created the app incorrectly?
See attached appid.
Many Thanks
Marc
09-16-2011 01:05 AM
Hi Marc,
Looks OK.
Did you try looking at a PCAP and seeing if the User Agent is indeed there in the format entered in the custom app signature? Or there is an extension to Firefox called Live Headers that should give this info.
Thanks
James
09-16-2011 01:39 AM
Hi James,
Live Headers is what I am using to get the detail from. I'll need to investigate this a little further, as it is only news-media categories being blocked and yet I have no URL filtering enabled for those rules to block URLs.
Cheers
Marc
09-16-2011 02:49 AM
It would also be possible to define this as a custom threat id, which may be a better model, as you consider the software a threat. It would log more clearly. To my mind the App-ID is a protocol recognition engine, even though it does support some well known web sites (to which site-specific protocols are inextricably linked).
FF users can obscure their User-Agent string, so it would be worth watching for hits on the addons.mozilla.org site.
09-16-2011 02:52 AM
Thanks for the help,
I'll give it a go, as I already see that the ACC is reporting Firefox, which is a bit misleading.
Regards
Marc
07-13-2023 10:34 AM
How did you input this into the firewall or panorama?