- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.
01-03-2019 12:53 AM
Hi
We have recently enabled file blocking on all our web access rule and it works a treat, but looking at the data filtering logs i can see the likes of Google Chrome being blocked.
I have played around creating a seperate rule, that is above the main web access rules, which has a seperate file blocking profile that doesnt and assigned this to the new rule that also has a custom URL category to the likes of tools.google and update.googleapis.com (i got this fromt he file blocking and URL logs) but still i cannot seem to update chrome.
Has anyone managed to enable file blocking but allow key/specific applications like google chrome, office 365 or goto meeting to be downloaded?
Thanks in advance
01-03-2019 07:45 AM
Even though you're seeing hits on the new rule, can you verify via the logs that this is the policy being utilized when you attempt to download the updates for Chrome? My initial expection would be that you aren't actually allowing the correct URLs for the update to work properly.
One important part of this all working, are you doing decryption?
01-04-2019 01:44 AM
I am getting the URL (well IP address) that is being blocked from the data filtering log and adding it to the custom URL category applied to the bypass policy but it still doesnt work.
I have even populated the custom URL category with *.getgo.com, launch.getgo.com as well as the IP from the blocked data filering log but no luck.
I even decided to take the IP from data filering log and add it to the destination address in the bypass policy but that doesnt work either, it still hits the original web access rule not the bypass.
I am only testing with goto meeting at the moment but i will need it working for chrome and Adobe creative cloud as well... i can see this being a long and difficult process
Yes we are using SSL decryption.
01-04-2019 12:46 PM
Hop into the CLI on the firewall when you're ready to try updating Chrome. Find out your IP as seen by the firewall, then show the sessions that got denied by doing:
> show session all filter source 192.0.2.1 state discard
When you find some in discard state, you can then show the details of that session to show you what rule it hit:
> show session id 123456789
That should help guide you to the traffic being denied/broken.
01-10-2019 06:09 AM
Thanks there were no disacards when i looked but in the end ive got the chrome update working, but then there was a knock on effect with normal web sites being blocked because of the url filtering profile i had applied.
My original aim was to have our normal web access policies to 3 different AD groups (so 2 rules per group) which would block exe, msi, pe etc but above these rules i would have one rule that has the 3 different AD groups in that would allow exe, msi and pe files to a select group of sites in a another url filtering profile to update the like of adobe reader/creative cloud, chrome, visual studio etc.
After doing some more tests and a call with PA support, it seems this is not possible, so now im back to square one. What i am now thinking is adding an extra rule for each web access group. At the moment our setup is something like the below.
Web access full AD group - zone outside - web access full allowed apps - application-default service - Web access full URL filtering & file blocking profile
Web access full AD group - zone outside - allowed apps decrypt to other ports - custom ports service - Web access full URL filtering & file blocking profile
What i propose to do is the following
Web access full AD group - zone outside - any application - any service - web access full URL filtering with approved category & file blocking profile allowing EXE & PE file types
Web access full AD group - zone outside - web access full allowed apps - application-default service - Web access full URL filtering & file blocking profile
Web access full AD group - zone outside - allowed apps decrypt to other ports - custom ports service - Web access full URL filtering & file blocking profile
but now i have just typed that out i dont think that will work as the first rule would allow all applications so the other rules wouldnt really come into place
I think i need a break from this and come back to it with a fresh head lol
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!