Instagram allowed in the security policy, but the pictures are not displayed correctly on the website


L2 Linker

Dear Palo Alto Community Members,

 

I'm trying to set up a security policy based on App-ID allowing Instagram but blocking Facebook.

Unfortunately, I can't get it to work, and I'm not sure what I might be missing here.

 

The security policy allows all the needed applications, and I've double-checked and added all the required application dependencies, but when going to the webpage we've noticed that the pictures are not loading.

[Image: The security policy allowing Instagram]

 

After further testing, we could confirm that after allowing facebook-base, the images were loading fine. But if we remove facebook-base, Instagram no longer will load the photos although the website will work fine.

This has been tested in Chrome, Firefox, and Edge, all give the same results and display the same (without the pictures).

[Image: The Issue - No pictures]

 

Is it possible this is a restriction due to the fact that Facebook owns Instagram, and they likely share the infrastructure where the images are being hosted?
Does it make sense to add the "instagram-base" to allowed applications in the policy if Instagram is already listed there?
Is there any known issue that could explain my issue, or am I just simply missing something in the configuration?

 

Could someone please share their thoughts on this issue and advise?

I will really appreciate some help resolving it.


Thank you in advance!
Regards,
Arek

11 REPLIES

L7 Applicator

Hi @A_Adamski 

I assume you are already right with your assumption, that this issue is because Instagram is owned by Facebook and they probably share some parts of the infrastructure. Adding instagram-base is not required as you have already added instagram.

Did you check the urls, that are opened in the sessions where the firewalls detect the application facebook base? With this information you could create a new security policy where you add the application facebook-base together with a custom url category where you specify only the urls required to load the images. 

Hi @A_Adamski ,

 

@nikoolayy1 has posted a very interesting topic a while ago; you may want to check it: https://live.paloaltonetworks.com/t5/automation-api-discussions/version-10-no-7-byte-limit-for-sinat...

It sounds like a really interesting idea, but I personally haven't had any chance to try it.

 

 

Hi @Remo,

 

Thank you for your response and the suggestion.

 

It's kinda strange as I thought that even if the change within Instagram, and moving ownership (and most likely some part of infrastructure and services) to Facebook, should not change how the application is recognized/classified by the firewall.

So I guess there is no way to get it to work when using just the application IDs, right?

*Is this not maybe something for the Palo Alto team to look into internally and update/correct the APP-ID info for Instagram?

 

I think I do not have many options left here, and I'll need to try and follow your advice and add the custom URL category to the policy.

 

I wish you a great day ahead!

For application request to Palo Alto if needed follow:

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clu2CAC

 

 

If they say no, you may try to write it yourself.

Hi @vsys_remo,

 

I've tried to create the custom URL category and used the URL profile attached to the security policy allowing the facebook-base and the URLs I've listed in the URL category. During my checks I could see that the Instagram website is connecting to some sites related to Facebook: "connect.facebook.net", "*.fna.fbcdn.net", and the "facebook.com".
*(I assume the second one belongs to Facebook too)

Instagram_website_urls.PNG

 

The goal here is to allow access to the Instagram website (along with the pictures which for some reason seems to be hosted at the Facebook site), but at the same time to block access to Facebook.

 

Security-policies_with_profiles.PNG
So I've created an additional security policy on top of the one allowing Instagram traffic in order to block access to the Facebook application and I've used another custom URL where I've listed the "facebook.com" with action to "block".

URL_Category_filter-profiles.PNG

Unfortunately, this did not work as I've expected and I was still able to access the facebook.com websites. The Instagram website was working correctly and I could see the pictures loading fine, but at the same time, Facebook.com was still not blocked (and that's not what we want).

 

This should work, so I'm really not sure what I might still be missing.

Could you please help me understand if I'm doing something wrong? And maybe even point me in the correct direction?

 

I will appreciate any help on that matter.


Thank you in advance and kind regards,
Arek

I guess, that I've found my mistake. The first security policy (on the top to block facebook.com) should be "allowing" the traffic so then it could be blocked by the URL profile.... but in my case, I've set that policy to "deny" so the profile will never kick in.

But it does not explain why I did not have any hits for that rule. So I will be requesting access to the PA lab so I could play with it a bit more.

 

Please let me know in case someone has any additional suggestions.
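The rule layout suggested earlier in the thread (facebook-base allowed only for a custom URL category, with a deny for the rest below it), written as a simplified first-match model in Python. This is an added example, not code from any poster or from Palo Alto Networks; the rule names, sample sessions and glob matching are assumptions, and the App-ID assigned to each session is taken as given.

```python
from fnmatch import fnmatchcase

# Hosts Arek reported Instagram loading content from (taken from the thread).
# Used here as a custom URL category that is a *match criterion* on the rule.
IG_MEDIA_CATEGORY = ["connect.facebook.net", "*.fna.fbcdn.net"]

# Hypothetical rulebase (rule names are made up), evaluated top-down.
RULES = [
    {"name": "allow-instagram", "apps": {"instagram", "instagram-base"},
     "category": None, "action": "allow"},
    {"name": "allow-ig-media", "apps": {"facebook-base"},
     "category": IG_MEDIA_CATEGORY, "action": "allow"},
    {"name": "deny-facebook", "apps": {"facebook-base"},
     "category": None, "action": "deny"},
]

def in_category(host, patterns):
    """Glob match as a stand-in for the firewall's own wildcard matching."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p) for p in patterns)

def evaluate(app, host, rules=RULES):
    """Return (rule name, action) of the first rule matching app and host."""
    for rule in rules:
        if app not in rule["apps"]:
            continue
        if rule["category"] is not None and not in_category(host, rule["category"]):
            continue
        return rule["name"], rule["action"]
    return "implicit-default", "deny"

# Constructed sessions: (App-ID assumed for the session, requested host).
SESSIONS = [
    ("instagram-base", "www.instagram.com"),
    ("facebook-base", "instagram.fabc1-1.fna.fbcdn.net"),
    ("facebook-base", "connect.facebook.net"),
    ("facebook-base", "www.facebook.com"),
    ("facebook-base", "facebook.com"),
]

if __name__ == "__main__":
    for app, host in SESSIONS:
        name, action = evaluate(app, host)
        print(f"{app:15} {host:35} -> {action:5} ({name})")
```

In this model the order matters: if deny-facebook sat above allow-ig-media, the image hosts would be denied as well, because the first matching rule decides.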

 

 

 

Hi Alexander,

 

I've checked the conversation, but I do not really follow it... I guess it's out of my understanding as I'm not sure how it's connected to my issue nor how it could help me.

 

I'm sorry but I'm not so experienced and knowledgeable in regards to Palo Alto as I would like to be.

And thanks for your help!

 

Cheers,

Arek

Hi Nicolaj,

 

Thanks for sharing, this might be useful info and a place to start.

 

 

L2 Linker

Are you running SSL decryption? I had this problem with instagram when TLS 1.3 was first implemented but it's been working fine for a while. Just recently instagram stopped working with decryption turned on and the app would just crash when opening. I had to add an SSL decryption exclusion for the following to get it to work again:

 

*.instagram.com

instagram.*.fna.fbcdn.net

Hi M_kallergis,

Thank you for your input.

 

We've used a generic wildcard to catch and encrypt all the traffic (*.*).
The nature of the problem will not change if we specify other wildcards, as we will still be forced to add facebook-base to get the Instagram page to load fully.

 

In the meantime, the customer decided to go some other way to achieve this. 

It will be nice to know if someone has found a way to get it to work, cuz unfortunately I will not be spending any more time on this issue.

 

Thank you all for your help!

 

Cheers,

Arek

L5 Sessionator

+1 to SSL decryption here. Some services start using QUIC (are you blocking that at the top of the hierarchy?) which sometimes confuses the APP-ID. If you are able to get it to default to a decrypt-able cipher suite, best shot. 
