This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Instagram allowed in the security policy, but the pictures are not displayed correctly on the website

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Instagram allowed in the security policy, but the pictures are not displayed correctly on the website

A_Adamski
L2 Linker

‎06-04-2021 05:42 AM

Dear Palo Alto Community Members,

 

I'm tiring to set up a security policy based on app-ID allowing Instagram but blocking Facebook.

Unfortunately, I can't get it to work, and I'm not sure what I might be missing here.

 

The security policy allows all the needed applications, and I've double-checked and added all the required application dependencies, but when going to the webpage we've noticed that the pictures are not loading.The security policy allowing InstagramThe security policy allowing Instagram

 

After further testing, we could confirm that after allowing facebook-base, the images were loading fine. But if we remove facebook-base, Instagram no longer will load the photos although the website will work fine.

This has been tested in Chrome, Firefox, and Edge, all give the same results and display the same (without the pictures).The Issue - No picturesThe Issue - No pictures

 

Is it possible this is a restriction due to the fact that Facebook owns Instagram, and they likely share the infrastructure where the images are being hosted?
Is it makes sense to add the "instagram-base" to allowed applications in the policy if Instagram is already listed there?
Is there any known issue that could explain my issue, or I'm just simply miss something in configuration?

 

Could some please share his thoughts on this issue and advice?

I will really appreciate some help resolving it.


Thank you in advance!
Regards,
Arek

0 Likes Likes
11 REPLIES 11

vsys_remo
Cyber Elite
Cyber Elite

‎06-04-2021 08:43 AM

Hi @A_Adamski 

I assume you are already right with your assumption, that this issue is because instagram is owned by facebook and they probably share some parts of the infrastructure. Adding instagram- base is not required as you have already added instagram.

Did you check the urls, that are opened in the sessions where the firewalls detect the application facebook base? With this information you could create a new security policy where you add the application facebook-base together with a custom url category where you specify only the urls required to load the images. 

Astardzhiev
Cyber Elite
Cyber Elite

‎06-07-2021 01:12 PM

Hi @A_Adamski ,

 

@nikoolayy1  has post a very instersting topic a while ago, you may want to check it https://live.paloaltonetworks.com/t5/automation-api-discussions/version-10-no-7-byte-limit-for-sinat...

 

It sounds like really intersting idea, but I personaly haven't any chance to try it.

0 Likes Likes

A_Adamski
L2 Linker
In response to vsys_remo

‎06-08-2021 03:53 AM

 

 

Hi @vsys_remo,

 

Thank you for your response and the suggestion.

 

It's kinda strange as I thought that even if the change within Instagram, and moving ownership (and most likely some part of infrastructure and services) to Facebook, should not change how the application is recognized/classified by the firewall.

So I guess there is no way to get it to work when using just the application IDs, right?

*Is this not maybe something for the Palo Alto team to look into internally and update/correct the APP-ID info for Instagram?

 

I think I do not have many options left here, and I'll need to try and follow your advice and add the custom URL category to the policy.

 

I wish you a great day ahead!

0 Likes Likes

nikoolayy1
Cyber Elite
Cyber Elite
In response to A_Adamski

‎06-09-2021 04:21 AM

For application request to Palo Alto if needed follow:

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clu2CAC

 

 

If they say no you may try to write it youself.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks