How to block Internet Explorer

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to block Internet Explorer

L4 Transporter

I am trying to block Internet Explorer traffic going out to the internet from my internal users. I have decryption in place and followed this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEdCAK

I am seeing some websites being blocked but some of them are not despite decryption. Has anyone tried blocking IE?

Please let me know.

TIA

12 REPLIES 12

Cyber Elite
Cyber Elite

@SThatipelly,

I find it slightly odd that the article is essentially just looking for Trident/ and isn't specifying the actual User-Agent string by itself. You could do something like below to limit this to just the User-Agent string, which is where this should be in the header anyways.

 

User-Agent:.+Trident\/

 

 

Also, keep in mind that the actual User-Agent string is easy to modify, so this is by far not going to be a fail-proof method of blocking IE. 

@BPry Thank you so much for your response. 

I followed your suggestion and am blocking some sites. but, I can google search any webpage with no issue. I checked the user-agent string for the searches and they match my application but is still being allowed. I made sure decryption is turned on for google search and included all url categories in deny rule.

( user_agent contains 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' )

@SThatipelly,

So to verify, the application signature that you have created for Internet Explorer is being matched when you are using IE? If the application is being identified correctly and the order of operations is correct in the security rulebase than this should be working without issue.

@BPry Yes the application is matching IE traffic but not matching google searches although they are decrypted.

@SThatipelly,

Can you explain a bit more on what exactly you are trying to do here?

The custom app-id that you created, by default, will stop searching for further applications; so if I have a custom app-id internet-explorer for example, I would need to explicitly check the 'Continue scanning for other Applications' checkbox under the app-id's characteristics so that the firewall knows you want it to continue searching for additional signatures.  

@BPry Sorry for my poor explanation. As you might already know, there is a critical zero day bug discovered in IE browser and Mircosft hasn't come up with patch yet. So in the meantime, I would like to block all access to internet from IE browsers. After following your suggestion, I am able to block around 60% of the decrypted traffic. But for some sites like twitter, google etc, application still shows twitter-base and google-base although the user-agent string matches my custom IE application and are being allowed. I made sure they are decrypted. 

 

@SThatipelly,

Okay, well the good news is that actually makes things easier. This simply means that for whatever reason that signature isn't matching for those sites, that's an easy thing to verify on my lab equipment and see if it's an actual application signature issue or something else.

What software version are you running at the moment? 

8.1.10. Thank you for your time testing this in your lab. 🙂

Just a suggestion, Can you block IE though GPO?

If they are anything like us, we have some bespoke 3rd party applications that only play nicely with I.E...

 

Rob  

yes, we have some internal apps that work only with IE.

Probably the most secure way is to distribute a local firewallpolicy  by GPO that blocks outbound access for the internet explorer process. This way you can still allow the access to internal websites or also specific websites in the internet (as long as they have static IPs).

  • 10133 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!