I am trying to block Internet Explorer traffic going out to the internet from my internal users. I have decryption in place and followed this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEdCAK
I am seeing some websites being blocked but some of them are not despite decryption. Has anyone tried blocking IE?
Please let me know.
I find it slightly odd that the article is essentially just looking for Trident/ and isn't specifying the actual User-Agent string by itself. You could do something like below to limit this to just the User-Agent string, which is where this should be in the header anyway.
Also, keep in mind that the actual User-Agent string is easy to modify, so this is by far not going to be a foolproof method of blocking IE.
@BPry Thank you so much for your response.
I followed your suggestion and am blocking some sites, but I can Google search any webpage with no issue. I checked the user-agent string for the searches and it matches my application, but the traffic is still being allowed. I made sure decryption is turned on for Google search and included all URL categories in the deny rule.
( user_agent contains 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' )
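To make the two points raised above concrete (match the token inside the User-Agent header rather than anywhere in the request, and a spoofed User-Agent defeats the check either way), here is an added example that is not from the thread or from Palo Alto Networks. It compares three checks over constructed HTTP requests: "Trident/" anywhere in the request, the exact string from the post above, and a token match ("MSIE x.y" or "Trident/x.y") restricted to the User-Agent header. Only the IE11 on Windows 10 User-Agent string is taken from the thread; every other header, path and value is made up for illustration.

```python
"""Added example (not from the thread or from Palo Alto Networks): three ways of
deciding whether a decrypted HTTP request came from Internet Explorer, applied to
constructed request samples. Only the IE11 User-Agent string is taken from the
thread; every other header, path and value below is made up for illustration."""
import re
from typing import Dict

# Constructed Chrome User-Agent used for the non-IE samples.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")


def _request(path: str, ua: str, host: str = "example.test") -> str:
    """Build a minimal, constructed HTTP/1.1 request (headers only, CRLF-delimited)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {ua}\r\nAccept: */*\r\n\r\n")


REQUESTS: Dict[str, str] = {
    # The exact IE11 string quoted in the thread (IE11 on 64-bit Windows 10).
    "ie11_win10": _request("/", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    # Same browser on Windows 7: only the OS token differs.
    "ie11_win7": _request("/", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    # IE9 in compatibility view: advertises MSIE 7.0, but the engine token is Trident/5.0.
    "ie9_compat": _request("/", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"),
    # A Chrome client; should never match.
    "chrome": _request("/", CHROME_UA),
    # Chrome fetching a URL whose path happens to contain the token 'Trident/'.
    "chrome_trident_in_path": _request("/downloads/Trident/readme.txt", CHROME_UA),
    # IE whose User-Agent has been rewritten to look like Chrome (the caveat above).
    "ie11_spoofed": _request("/", CHROME_UA),
}

# The exact pattern from the post above.
THREAD_PATTERN = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
# Token match: 'MSIE x.y' (IE <= 10 and compatibility view) or 'Trident/x.y' (IE 8+ engine).
IE_TOKENS = re.compile(r"MSIE \d+\.\d+|Trident/\d+\.\d+")


def user_agent(request: str) -> str:
    """Return the User-Agent header value, or '' if the header is absent."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return ""


def matches_anywhere(request: str) -> bool:
    """'Trident/' anywhere in the request text, not restricted to the UA header."""
    return "Trident/" in request


def matches_thread_pattern(request: str) -> bool:
    """The exact-string check from the post above, restricted to the UA header."""
    return THREAD_PATTERN in user_agent(request)


def matches_ie_tokens(request: str) -> bool:
    """Token-based check on the UA header only."""
    return IE_TOKENS.search(user_agent(request)) is not None


def classify(requests: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Run all three checks over every sample request."""
    return {name: {"anywhere": matches_anywhere(req),
                   "exact_ua": matches_thread_pattern(req),
                   "ua_tokens": matches_ie_tokens(req)}
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, result in classify(REQUESTS).items():
        print(f"{name:24s} {result}")
```

Running it shows the trade-offs: the "anywhere" check flags the Chrome request whose URL path contains "Trident/" (a false positive), the exact string from the post misses IE11 on Windows 7 and IE9 in compatibility view, and the token check on the User-Agent header catches all three IE samples without the false positive. None of the three sees the spoofed client, which is the caveat from the reply above. The firewall-side analogue of the token check would be a `user_agent` pattern keyed on the `Trident/` or `MSIE` token rather than on one full string.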
So to verify, the application signature that you have created for Internet Explorer is being matched when you are using IE? If the application is being identified correctly and the order of operations is correct in the security rulebase, then this should be working without issue.
Can you explain a bit more on what exactly you are trying to do here?
The custom app-id that you created, by default, will stop searching for further applications; so if I have a custom app-id internet-explorer for example, I would need to explicitly check the 'Continue scanning for other Applications' checkbox under the app-id's characteristics so that the firewall knows you want it to continue searching for additional signatures.
@BPry Sorry for my poor explanation. As you might already know, there is a critical zero-day bug discovered in the IE browser and Microsoft hasn't come up with a patch yet. So in the meantime, I would like to block all access to the internet from IE browsers. After following your suggestion, I am able to block around 60% of the decrypted traffic. But for some sites like Twitter, Google etc., the application still shows twitter-base and google-base although the user-agent string matches my custom IE application, and they are being allowed. I made sure they are decrypted.
Okay, well the good news is that actually makes things easier. This simply means that, for whatever reason, that signature isn't matching for those sites; that's an easy thing to verify on my lab equipment and see if it's an actual application signature issue or something else.
What software version are you running at the moment?