12-12-2017 09:57 PM
Hello,
I need a guideline on how to block one particular user from accessing the Internet, except facebook.com.
I have created a policy with:
{
  to outside;
  from inside;
  source any;
  destination facebook;
  source-user testuser;
  category any;
  application any;
  service any;
  hip-profiles any;
  tag UserID;
  action allow;
  rule-type universal;
  disabled no;
}
I have defined the Destination Address under Object as Type: FQDN facebook.com
However, I am getting the error: This site cannot be reached.
Is there any other way I can make this work?
Thanks in advance!
12-13-2017 07:04 AM
You would pretty much want something that looks like the following to do this effectively. As @reaper has already mentioned, this isn't something that you need to use FQDN on, and it's not really going to be recommended to do so since Facebook actually has a lot of different domains that it uses to serve content. Facebook is able to be identified even if you are not currently doing ssl-decryption, so you're good there too.
So one rule that allows Facebook that looks something like this:
<entry name="Test-Facebook">
  <to>
    <member>Untrust</member>
  </to>
  <from>
    <member>Trust</member>
  </from>
  <source>
    <member>any</member>
  </source>
  <destination>
    <member>any</member>
  </destination>
  <source-user>
    <member>wisleg\bpry</member>
  </source-user>
  <category>
    <member>any</member>
  </category>
  <application>
    <member>facebook</member>
  </application>
  <service>
    <member>application-default</member>
  </service>
  <hip-profiles>
    <member>any</member>
  </hip-profiles>
  <action>allow</action>
</entry>
If you are dead set on using a destination filter outside of app-id, then the IP ranges that are assigned to Facebook can be found by running a whois call like the following.
whois -h whois.radb.net -- '-i origin AS32934' | grep ^route
Currently that is returning the following:
Netblock | Description | Num IPs |
103.4.96.0/22 | 1 Temasek Avenue | 1,024 |
157.240.0.0/17 | Facebook, Inc. | 32,768 |
157.240.10.0/24 | Facebook, Inc. | 256 |
157.240.1.0/24 | Facebook, Inc. | 256 |
157.240.11.0/24 | Facebook, Inc. | 256 |
157.240.12.0/24 | Facebook, Inc. | 256 |
157.240.13.0/24 | Facebook, Inc. | 256 |
157.240.14.0/24 | Facebook, Inc. | 256 |
157.240.15.0/24 | Facebook, Inc. | 256 |
157.240.17.0/24 | Facebook, Inc. | 256 |
157.240.18.0/24 | Facebook, Inc. | 256 |
157.240.20.0/24 | Facebook, Inc. | 256 |
157.240.2.0/24 | Facebook, Inc. | 256 |
157.240.21.0/24 | Facebook, Inc. | 256 |
157.240.3.0/24 | Facebook, Inc. | 256 |
157.240.7.0/24 | Facebook, Inc. | 256 |
157.240.8.0/24 | Facebook, Inc. | 256 |
157.240.9.0/24 | Facebook, Inc. | 256 |
173.252.64.0/19 | Facebook, Inc. | 8,192 |
173.252.88.0/21 | Facebook, Inc. | 2,048 |
173.252.96.0/19 | Facebook, Inc. | 8,192 |
179.60.192.0/22 | Edge Network Services Ltd | 1,024 |
179.60.192.0/24 | Edge Network Services Ltd | 256 |
179.60.193.0/24 | Edge Network Services Ltd | 256 |
179.60.195.0/24 | Edge Network Services Ltd | 256 |
185.60.216.0/22 | Facebook Ireland Ltd | 1,024 |
185.60.216.0/24 | Facebook Ireland Ltd | 256 |
185.60.218.0/24 | Facebook Ireland Ltd | 256 |
185.60.219.0/24 | Facebook Ireland Ltd | 256 |
204.15.20.0/22 | Facebook, Inc. | 1,024 |
31.13.24.0/21 | Facebook Ireland Ltd | 2,048 |
31.13.64.0/18 | Facebook Ireland Ltd | 16,384 |
31.13.64.0/19 | Facebook Ireland Ltd | 8,192 |
31.13.64.0/24 | | 256 |
31.13.65.0/24 | | 256 |
31.13.66.0/24 | | 256 |
31.13.67.0/24 | | 256 |
31.13.69.0/24 | | 256 |
31.13.70.0/24 | | 256 |
31.13.71.0/24 | | 256 |
31.13.72.0/24 | | 256 |
31.13.73.0/24 | | 256 |
31.13.75.0/24 | | 256 |
31.13.76.0/24 | | 256 |
31.13.77.0/24 | | 256 |
31.13.78.0/24 | | 256 |
31.13.80.0/24 | | 256 |
31.13.81.0/24 | | 256 |
31.13.82.0/24 | | 256 |
31.13.83.0/24 | | 256 |
31.13.84.0/24 | | 256 |
31.13.85.0/24 | | 256 |
31.13.86.0/24 | | 256 |
31.13.87.0/24 | | 256 |
31.13.90.0/24 | | 256 |
31.13.91.0/24 | | 256 |
31.13.92.0/24 | | 256 |
31.13.94.0/24 | | 256 |
31.13.95.0/24 | | 256 |
31.13.96.0/19 | Facebook Ireland Ltd | 8,192 |
45.64.40.0/22 | Facebook Singapore Pte Ltd. | 1,024 |
66.220.144.0/20 | Facebook, Inc. | 4,096 |
66.220.144.0/21 | Facebook, Inc. | 2,048 |
66.220.152.0/21 | Facebook, Inc. | 2,048 |
69.171.224.0/19 | Facebook, Inc. | 8,192 |
69.171.224.0/20 | Facebook, Inc. | 4,096 |
69.171.239.0/24 | Facebook, Inc. | 256 |
69.171.240.0/20 | Facebook, Inc. | 4,096 |
69.171.255.0/24 | Facebook, Inc. | 256 |
69.63.176.0/20 | Facebook, Inc. | 4,096 |
69.63.176.0/21 | Facebook, Inc. | 2,048 |
69.63.184.0/21 | Facebook, Inc. | 2,048 |
74.119.76.0/22 | Facebook, Inc. | 1,024 |
If you do decide to go with the destination IP filter, I would create all of the listed IP ranges as address objects with a tag called 'Facebook', and then create a dynamic address-group that is tied to that tag. That way, if/when Facebook adds another IP range, you just need to add it with the proper tag instead of updating the security policy itself.
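As an added example (not code from this thread, from Palo Alto Networks, or from the poster), the following Python script does the bookkeeping the reply above describes: it takes the text that `whois -h whois.radb.net -- '-i origin AS32934'` returns, keeps the `route:` lines (what the `grep ^route` in the reply does), drops prefixes already covered by a larger one (the list above carries 157.240.0.0/17 next to a dozen 157.240.x.0/24s inside it), and emits PAN-OS `set` commands that tag each prefix 'Facebook' and bind a dynamic address group to that tag. The whois text is a constructed sample of a few of the prefixes listed above; the address object names, the group name `DAG-Facebook` and the tag colour are assumptions chosen for illustration.

```python
"""Turn RADB route objects for an ASN into tagged PAN-OS address objects
plus a dynamic address group. Added example; object/group names are assumed."""
import ipaddress
import re

# Constructed sample of RADB output for AS32934 (a handful of the thread's
# prefixes, deliberately including overlapping ones and one IPv6 route6 object).
# The real query returns many more objects.
SAMPLE_WHOIS = """\
route:          157.240.0.0/17
descr:          Facebook
origin:         AS32934
source:         RADB

route:          157.240.1.0/24
origin:         AS32934
source:         RADB

route:          31.13.64.0/18
origin:         AS32934
source:         RADB

route:          31.13.64.0/24
origin:         AS32934
source:         RADB

route:          31.13.96.0/19
origin:         AS32934
source:         RADB

route6:         2a03:2880::/32
origin:         AS32934
source:         RADB
"""

# Only IPv4 `route:` objects; `route6:` lines do not match because of the colon.
ROUTE_RE = re.compile(r"^route:\s+(\S+)\s*$", re.MULTILINE)


def parse_routes(whois_text):
    """Return the IPv4 prefixes from `route:` lines as ip_network objects.

    Malformed prefixes are skipped rather than turned into broken objects;
    strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24)."""
    nets = []
    for prefix in ROUTE_RE.findall(whois_text):
        try:
            nets.append(ipaddress.ip_network(prefix, strict=True))
        except ValueError:
            continue
    return nets


def collapse(nets):
    """Drop prefixes already covered by a larger one (157.240.1.0/24 inside
    157.240.0.0/17) so the firewall does not carry redundant objects."""
    return list(ipaddress.collapse_addresses(nets))


def panos_commands(nets, tag="Facebook", group="DAG-Facebook"):
    """Emit PAN-OS `set` commands: one tagged address object per prefix and a
    dynamic address group whose match filter is the tag. Adding a new prefix
    later means one more tagged address object, not a policy edit.
    Tag colour and naming scheme are assumptions, not anything the thread shows."""
    cmds = [f"set tag {tag} color color3"]
    for net in sorted(nets, key=lambda n: (n.version, int(n.network_address))):
        # Address object names may contain letters, digits, '.', '-' and '_'.
        name = f"{tag}-{net.network_address}-{net.prefixlen}"
        cmds.append(f"set address {name} ip-netmask {net.with_prefixlen}")
        cmds.append(f"set address {name} tag {tag}")
    cmds.append(f"set address-group {group} dynamic filter '{tag}'")
    return cmds


if __name__ == "__main__":
    # With live data: whois -h whois.radb.net -- '-i origin AS32934' > as32934.txt
    # then read that file instead of SAMPLE_WHOIS.
    print("\n".join(panos_commands(collapse(parse_routes(SAMPLE_WHOIS)))))
```

On the constructed sample the five IPv4 routes collapse to two (31.13.64.0/18 and 157.240.0.0/17), and the output is six `set` lines that can be pasted into `configure` mode before a `commit`. The same tag-plus-dynamic-group pattern also works with an External Dynamic List if you prefer the firewall to refresh the prefixes itself, but that is outside what the script shows.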
12-13-2017 03:15 AM
@Farzana: You'll want to allow the facebook application instead of an FQDN object.
Since Facebook is hosted on 'the cloud', it will consist of many individual FQDN objects to signify each server. You'd need FQDN objects for many different servers for this to work.