- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
GOOGLE MAPS WHILE BLOCKING OTHER GOOGLE SERVICES
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-13-2019 03:43 PM
Does anyone have any ideas on how to permit access to Google Maps but block access to all other Google services? I have tried using a rule matching the Google-Maps application however it requires google-base which allows many other Google services. I have also tried using custom URLs for maps.google.com and www.google.com/maps; however, Google maps seems to require access to resources at www.google.com/.
The customer is currently using a Squid proxy with detailed regex expressions to accomplish this. Below are some examples. They would like to remove the proxy and use the firewall only.
acl ALLOWED_URL url_regex -i ^https?://www.google.com/favicon.ico$
acl ALLOWED_URL url_regex -i ^https?://www.google.com/images/branding/product/ico
acl ALLOWED_URL url_regex -i ^https?://www\.google\.com/(maps|xjs)
acl ALLOWED_URL url_regex -i ^https?://www\.google\.com/s(earch)?\?tbm=map
acl ALLOWED_URL url_regex -i ^https?://www\.google\.com/gen_204\?oq=
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-13-2019 05:15 PM
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-14-2019 04:51 AM
I tried that. It doesn't seem to match on the full string. I think Custom URLs only support domains and subdomains, not the variables.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-14-2019 10:10 AM
You can't use variables for this.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-14-2019 10:12 AM
I figured that. What other options do I have?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-14-2019 10:16 AM
To do this easily and cleanly you don't really have any from the firewall directly. Google integrates all of their services pretty tightly and trying to limit all of Google but allowing Maps would require a very large amount of allowed URLs that will likely be constantly changing and breaking things.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-14-2019 01:29 PM
Using a squid proxy this is fairly straightforward. Hoping this might be accomplished using the PA firewall only.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-15-2019 11:50 AM
As they work with squid, did you add these urls to the custom url category?
www.google.com/favicon.ico www.google.com/images/branding/product/ico www.google.com/maps www.google.com/xjs www.google.com/search?tbm=map www.google.com/s?tbm=map www.google.com/gen_204?oq=
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-15-2019 04:47 PM
Yes, but it fails to match the following. I I think this is because PANOS only matches on domains, subdomains, and paths not Parameters.
www.google.com/search?tbm=map www.google.com/s?tbm=map www.google.com/gen_204?oq=
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-15-2019 04:56 PM
Are you doing SSL Decryption? Without decryption, the firewall doesn't even see the HTTP request for the maps page, it only sees the hostname of the server they're connecting to, in this case it's www.google.com as the host. Google uses a wildcard cert, so the response from the server is for *.google.com. Since neither is distinguishing the maps service, there would be no way to allow maps but deny others.
PAN-DB does categorize on full URIs, not just domains and hosts. A good example of this is any of the test sites:
https://pandb.paloaltonetworks.com/test-gambling
https://pandb.paloaltonetworks.com/test-phishing
Both of those pages are on the same host and domain, but different paths. PAN-DB will categorize them appropriately.
But if you're not decrypting the SSL (TLS) traffic, the only thing the firewall will see is a TLS Client Hello that has "pandb.paloaltonetworks.com" but not the full URI.
- Cortex Blocks system services in Cortex XDR Discussions
- Anybody try to block Invidious yet? in General Topics
- Even block of Geolocation inbound and outbound Google & other showing South Korea in General Topics
- Allow Only Google-Chrome Update and Block all other google related pages in General Topics
- Best practices - Schedule - allow and block Traffic in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
