How do we config a basic setup for guest wifi app blocking

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How do we config a basic setup for guest wifi app blocking

L0 Member

We are relatively new to Palo Alto detailed configs, although we have used url filtering, av filtering, etc for some time.  We want to start doing a better job blocking at the application level on our guest wifi, especially in the areas of peer-to-peer, etc.  Are there some basic guidelines or configuration guides on how to get started.  Baseline I suppose.

1 accepted solution

Accepted Solutions

it@watermark.org

The question... what is the best way to provide application filtering to this traffic?

Setup a rule that blocks each application individually?  Set up a rule with several applications in it as blocked?  Is there a better way to filter (block all peer-to-peer for example) without having to setup each and every application individually?

I'd go an application group.

From the "Objects" tab, select "Application groups" and create one - call it something obvious like "Guest_Wireless_Allowed" or something, then add all the apps you want the guests to be able to use.

Apply it to your zones (source wireless, destination internet (or inside)) with an ALLOW (don't forget the "application default" setting for your "services' section), then apply another rule with a deny everything else.

It's easier to specify allowed applications than to allow everything and deny what you don't want - with new applications appearing all the time, allowing only those ones you know you want to go out is way better - that way, any new sneaky application is denied and people can ask for it to be let through - much easier to manage/know what is happening that way!

Cheers.

View solution in original post

7 REPLIES 7

L4 Transporter

it@watermark.org

We are relatively new to Palo Alto detailed configs, although we have used url filtering, av filtering, etc for some time.  We want to start doing a better job blocking at the application level on our guest wifi, especially in the areas of peer-to-peer, etc.  Are there some basic guidelines or configuration guides on how to get started.  Baseline I suppose.

How is your guest WiFi configured?

I have mine on a seperate DMz off the PA - and it's a simple matter to do a WiFi zone to Internet zone restriction in both applications (web-browsing, SSL and DNS only) and rate limiting (QoS limited to 2 megabits per second absolute outbound).

If your guest WiFi is intermixed with your normal network, how do you authenticate,allow acces to it? Does the "guest" segment have a specific IP range associated with it, or is it just jumbled with your normal network?

Guest Wifi is done via Aruba networks, so all traffic is run through the controller.  In the past we have used the stateful firewall which we can configure separately for each SSID, which works fine... but since we are separating our guest wifi into a separate IP range, we use the Palo Alto to configure different filtering rules, antivirus policies, etc for the traffic running on that IP range (i.e. the guest wifi) traffic.

This works very well...

What I was specifically ask about is this.  Right now, we are using the aruba firewall to do port blocking on the guest wifi to limit certain applications.  This is obviously difficult and inefficient.  What we would LIKE to do is the following.

Take all traffic traveling over the guest wifi network and apply application filtering (just like we already do for url filtering, antivirus, etc)

The question... what is the best way to provide application filtering to this traffic?

Setup a rule that blocks each application individually?  Set up a rule with several applications in it as blocked?  Is there a better way to filter (block all peer-to-peer for example) without having to setup each and every application individually?

Yes, use filters based on the application sub-category. That will also take care of new apps that are defined in the future without having to update your rules. Go to Objects/Application Filters, and create filters for the types of apps you want to restrict (for example, file-sharing or instant-messaging), and then use those filters in your rules instead of individual apps. If there are individual apps that you want to allow in a category that you want to block, write a rule for the individual allowed apps that comes before the rule for the blocked categories.

it@watermark.org

The question... what is the best way to provide application filtering to this traffic?

Setup a rule that blocks each application individually?  Set up a rule with several applications in it as blocked?  Is there a better way to filter (block all peer-to-peer for example) without having to setup each and every application individually?

I'd go an application group.

From the "Objects" tab, select "Application groups" and create one - call it something obvious like "Guest_Wireless_Allowed" or something, then add all the apps you want the guests to be able to use.

Apply it to your zones (source wireless, destination internet (or inside)) with an ALLOW (don't forget the "application default" setting for your "services' section), then apply another rule with a deny everything else.

It's easier to specify allowed applications than to allow everything and deny what you don't want - with new applications appearing all the time, allowing only those ones you know you want to go out is way better - that way, any new sneaky application is denied and people can ask for it to be let through - much easier to manage/know what is happening that way!

Cheers.

Off topic: how is your connection from your controller to your PAN setup, is it in vwire or tap mode and is all wireless traffic being inspected?

This answered my question on how to block a specific sub-category, thanks! Smiley Happy

L0 Member


Not like to change the topic, however having a similar issue here.
##############################################################
How do I let the ingress traffic from Duo Security App to hit my PA guest wifi , which is sitting on a dedicated Zone but within the same VR where the main inside zone sits ? What type of rule do i need to apply ? I fairly new with PA and do not want to break any implicit rules on PA.

The issue is that we get the push notification from DUO on our mobile phones which are connected to our Guest wifi , however when we open the app it does spin and do not pop up with deny and approve buttons.

I did check it on our business wi fi which is not sitting on PA and was sat up on Ruckus Controller and core switch and it works just fine.

Something tells the PA to block certain traffic i am not sure what.

Any help appreciated.

  • 1 accepted solution
  • 6599 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!