Recently I deployed outbound policies to filter inside traffic to the Internet, but I noticed that some applications are bypassing the App-ID filter. Just to clarify my setup: I allow some applications to go out (dns, web-browsing, ssl... and a couple more), service default. YouTube and TeamViewer aren't in that pool, but somehow they went out, bypassing the explicit application filter. When I filtered the session browser by the DNS addresses of YouTube servers, I found that all streaming was flowing as SSL traffic, which is allowed by policy.
For TeamViewer I can't figure out how it got out. In the explicit deny policy I filtered the logs and saw that TeamViewer was denied until 10:00 AM, but after that time I'm using it without a problem...?
Another option is to create a custom app-id that can identify the ssl certs (common name
There are many options, such as ssl-req-certificate, ssl-req-client-hello, ssl-rsp-cert-subjectpublickey, ssl-rsp-certificate, ssl-rsp-server-hello, etc.
This will be more of a brute-force approach, blocking anything that matches the SSL SNI (Server Name Indication).
For example, to block Adap.tv (advertisement):
Use a custom pattern-match with context ssl-req-client-hello and the regex: .\.adap\.tv
This will match the client hello for any character going to .adap.tv. For sites that use wildcards it may be a bit more difficult, but then you can block the entire
Many of the built-in apps also identify ssl applications such as facebook-video even though it's not decrypted.
Sure, this can work for some, but with certain websites, like YouTube, this would not.
YouTube is classified as google.com without SSL decryption and listed under search-engines because the certificate CN is listed as *.google.com.
With no SSL decryption, we can't differentiate between the two (Youtube and Google).
I understand this is not always the case, but it is something to consider. Instead of creating custom applications, it may be easier to just go ahead and perform SSL decryption.
Similar to the YouTube thread...
If you create an app-id, it'll take precedence over the built-in apps.
Similarly, if you create custom apps that are categorized as web-browsing, they'll match the custom one.