How to block one particular user to access the Internet except facebook

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to block one particular user to access the Internet except facebook

L4 Transporter

Hello,

 

I need a guideline on how to block one particular user to access the Internet except facebook.com

 

I have created a policy with:

 

 {

  to outside;

  from inside;

  source any;

  destination facebook;

  source-user testuser;

  category any;

  application any;

  service any;

  hip-profiles any;

  tag UserID;

  action allow;

  rule-type universal;

  disabled no;

}

 

I have defined the Destination Address under Object as Type: FQDN facebook.com

 

However, I am getting error: This site cannot be reached.

 

Any other way, I can make this work?

 

Thanks in advance!

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@Farzana,

You would pretty much want something that looks like the following to do this effectivly. As @reaper has already mentioned, this isn't something that you need to use FQDN on and it's not really going to be recommended to do so since Facebook actually have a lot of different domains that they use to serve content. Facebook is able to be identified even if you are not currently doing ssl-decryption, so you're good there to.

So one rule that allows Facebook that looks something like this: 

<entry name="Test-Facebook">
                  <to>
                    <member>Untrust</member>
                  </to>
                  <from>
                    <member>Trust</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>wisleg\bpry</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>facebook</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>

If you are dead set on using a destination filter outside of app-id then the IP ranges that are assigned to Facebook can be found by running a whois call like the following.

whois -h whois.radb.net -- '-i origin AS32934' | grep ^route

Currently that is returning the following: 

Netblock Description Num IPs

103.4.96.0/22 1 Temasek Avenue1,024
157.240.0.0/17 Facebook, Inc.32,768
157.240.10.0/24 Facebook, Inc.256
157.240.1.0/24 Facebook, Inc.256
157.240.11.0/24 Facebook, Inc.256
157.240.12.0/24 Facebook, Inc.256
157.240.13.0/24 Facebook, Inc.256
157.240.14.0/24 Facebook, Inc.256
157.240.15.0/24 Facebook, Inc.256
157.240.17.0/24 Facebook, Inc.256
157.240.18.0/24 Facebook, Inc.256
157.240.20.0/24 Facebook, Inc.256
157.240.2.0/24 Facebook, Inc.256
157.240.21.0/24 Facebook, Inc.256
157.240.3.0/24 Facebook, Inc.256
157.240.7.0/24 Facebook, Inc.256
157.240.8.0/24 Facebook, Inc.256
157.240.9.0/24 Facebook, Inc.256
173.252.64.0/19 Facebook, Inc.8,192
173.252.88.0/21 Facebook, Inc.2,048
173.252.96.0/19 Facebook, Inc.8,192
179.60.192.0/22 Edge Network Services Ltd1,024
179.60.192.0/24 Edge Network Services Ltd256
179.60.193.0/24 Edge Network Services Ltd256
179.60.195.0/24 Edge Network Services Ltd256
185.60.216.0/22 Facebook Ireland Ltd1,024
185.60.216.0/24 Facebook Ireland Ltd256
185.60.218.0/24 Facebook Ireland Ltd256
185.60.219.0/24 Facebook Ireland Ltd256
204.15.20.0/22 Facebook, Inc.1,024
31.13.24.0/21 Facebook Ireland Ltd2,048
31.13.64.0/18 Facebook Ireland Ltd16,384
31.13.64.0/19 Facebook Ireland Ltd8,192
31.13.64.0/24 Facebook256
31.13.65.0/24 Facebook256
31.13.66.0/24 Facebook256
31.13.67.0/24 Facebook256
31.13.69.0/24 Facebook256
31.13.70.0/24 Facebook256
31.13.71.0/24 Facebook256
31.13.72.0/24 Facebook256
31.13.73.0/24 Facebook256
31.13.75.0/24 Facebook256
31.13.76.0/24 Facebook256
31.13.77.0/24 Facebook256
31.13.78.0/24 Facebook256
31.13.80.0/24 Facebook256
31.13.81.0/24 Facebook256
31.13.82.0/24 Facebook256
31.13.83.0/24 Facebook256
31.13.84.0/24 Facebook256
31.13.85.0/24 Facebook256
31.13.86.0/24 Facebook256
31.13.87.0/24 Facebook256
31.13.90.0/24 Facebook256
31.13.91.0/24 Facebook256
31.13.92.0/24 Facebook256
31.13.94.0/24 Facebook256
31.13.95.0/24 Facebook256
31.13.96.0/19 Facebook Ireland Ltd8,192
45.64.40.0/22 Facebook Singapore Pte Ltd.1,024
66.220.144.0/20 Facebook, Inc.4,096
66.220.144.0/21 Facebook, Inc.2,048
66.220.152.0/21 Facebook, Inc.2,048
69.171.224.0/19 Facebook, Inc.8,192
69.171.224.0/20 Facebook, Inc.4,096
69.171.239.0/24 Facebook, Inc.256
69.171.240.0/20 Facebook, Inc.4,096
69.171.255.0/24 Facebook, Inc.256
69.63.176.0/20 Facebook, Inc.4,096
69.63.176.0/21 Facebook, Inc.2,048
69.63.184.0/21 Facebook, Inc.2,048
74.119.76.0/22 Facebook, Inc.1,024

If you do decide to go with the destination IP filter I would create all of the listed IP Ranges as an address object with a tag called 'Facebook', and then create a dynamic address-group that is tied to that tag. That way if/when Facebook adds another IP range, you just need to add it with the proper tag instead of updating the security policy itself.  

 

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@Farzana : you'll want to allow the facebook application instead of a FQDN object

 

since facebook is hosted on 'the cloud' it will consist of many individual FQDN objects to signify each server. you'd need fqdn objects for many different servers for this to work

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

@Farzana,

You would pretty much want something that looks like the following to do this effectivly. As @reaper has already mentioned, this isn't something that you need to use FQDN on and it's not really going to be recommended to do so since Facebook actually have a lot of different domains that they use to serve content. Facebook is able to be identified even if you are not currently doing ssl-decryption, so you're good there to.

So one rule that allows Facebook that looks something like this: 

<entry name="Test-Facebook">
                  <to>
                    <member>Untrust</member>
                  </to>
                  <from>
                    <member>Trust</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>wisleg\bpry</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>facebook</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>

If you are dead set on using a destination filter outside of app-id then the IP ranges that are assigned to Facebook can be found by running a whois call like the following.

whois -h whois.radb.net -- '-i origin AS32934' | grep ^route

Currently that is returning the following: 

Netblock Description Num IPs

103.4.96.0/22 1 Temasek Avenue1,024
157.240.0.0/17 Facebook, Inc.32,768
157.240.10.0/24 Facebook, Inc.256
157.240.1.0/24 Facebook, Inc.256
157.240.11.0/24 Facebook, Inc.256
157.240.12.0/24 Facebook, Inc.256
157.240.13.0/24 Facebook, Inc.256
157.240.14.0/24 Facebook, Inc.256
157.240.15.0/24 Facebook, Inc.256
157.240.17.0/24 Facebook, Inc.256
157.240.18.0/24 Facebook, Inc.256
157.240.20.0/24 Facebook, Inc.256
157.240.2.0/24 Facebook, Inc.256
157.240.21.0/24 Facebook, Inc.256
157.240.3.0/24 Facebook, Inc.256
157.240.7.0/24 Facebook, Inc.256
157.240.8.0/24 Facebook, Inc.256
157.240.9.0/24 Facebook, Inc.256
173.252.64.0/19 Facebook, Inc.8,192
173.252.88.0/21 Facebook, Inc.2,048
173.252.96.0/19 Facebook, Inc.8,192
179.60.192.0/22 Edge Network Services Ltd1,024
179.60.192.0/24 Edge Network Services Ltd256
179.60.193.0/24 Edge Network Services Ltd256
179.60.195.0/24 Edge Network Services Ltd256
185.60.216.0/22 Facebook Ireland Ltd1,024
185.60.216.0/24 Facebook Ireland Ltd256
185.60.218.0/24 Facebook Ireland Ltd256
185.60.219.0/24 Facebook Ireland Ltd256
204.15.20.0/22 Facebook, Inc.1,024
31.13.24.0/21 Facebook Ireland Ltd2,048
31.13.64.0/18 Facebook Ireland Ltd16,384
31.13.64.0/19 Facebook Ireland Ltd8,192
31.13.64.0/24 Facebook256
31.13.65.0/24 Facebook256
31.13.66.0/24 Facebook256
31.13.67.0/24 Facebook256
31.13.69.0/24 Facebook256
31.13.70.0/24 Facebook256
31.13.71.0/24 Facebook256
31.13.72.0/24 Facebook256
31.13.73.0/24 Facebook256
31.13.75.0/24 Facebook256
31.13.76.0/24 Facebook256
31.13.77.0/24 Facebook256
31.13.78.0/24 Facebook256
31.13.80.0/24 Facebook256
31.13.81.0/24 Facebook256
31.13.82.0/24 Facebook256
31.13.83.0/24 Facebook256
31.13.84.0/24 Facebook256
31.13.85.0/24 Facebook256
31.13.86.0/24 Facebook256
31.13.87.0/24 Facebook256
31.13.90.0/24 Facebook256
31.13.91.0/24 Facebook256
31.13.92.0/24 Facebook256
31.13.94.0/24 Facebook256
31.13.95.0/24 Facebook256
31.13.96.0/19 Facebook Ireland Ltd8,192
45.64.40.0/22 Facebook Singapore Pte Ltd.1,024
66.220.144.0/20 Facebook, Inc.4,096
66.220.144.0/21 Facebook, Inc.2,048
66.220.152.0/21 Facebook, Inc.2,048
69.171.224.0/19 Facebook, Inc.8,192
69.171.224.0/20 Facebook, Inc.4,096
69.171.239.0/24 Facebook, Inc.256
69.171.240.0/20 Facebook, Inc.4,096
69.171.255.0/24 Facebook, Inc.256
69.63.176.0/20 Facebook, Inc.4,096
69.63.176.0/21 Facebook, Inc.2,048
69.63.184.0/21 Facebook, Inc.2,048
74.119.76.0/22 Facebook, Inc.1,024

If you do decide to go with the destination IP filter I would create all of the listed IP Ranges as an address object with a tag called 'Facebook', and then create a dynamic address-group that is tied to that tag. That way if/when Facebook adds another IP range, you just need to add it with the proper tag instead of updating the security policy itself.  

 

  • 1 accepted solution
  • 2449 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!