06-04-2021 05:42 AM
Dear Palo Alto Community Members,
I'm trying to set up a security policy based on App-ID allowing Instagram but blocking Facebook.
Unfortunately, I can't get it to work, and I'm not sure what I might be missing here.
The security policy allows all the needed applications, and I've double-checked and added all the required application dependencies, but when going to the webpage we've noticed that the pictures are not loading.
[Image: The security policy allowing Instagram]
After further testing, we could confirm that after allowing facebook-base, the images were loading fine. But if we remove facebook-base, Instagram no longer will load the photos although the website will work fine.
This has been tested in Chrome, Firefox, and Edge; all give the same results and display the same (without the pictures).
[Image: The Issue - No pictures]
Is it possible this is a restriction due to the fact that Facebook owns Instagram, and they likely share the infrastructure where the images are being hosted?
Does it make sense to add "instagram-base" to the allowed applications in the policy if Instagram is already listed there?
Is there any known issue that could explain my issue, or am I simply missing something in the configuration?
Could someone please share their thoughts on this issue and advise?
I will really appreciate some help resolving it.
Thank you in advance!
Regards,
Arek
06-04-2021 08:43 AM
Hi @A_Adamski
I assume you are already right with your assumption that this issue is because Instagram is owned by Facebook and they probably share some parts of the infrastructure. Adding instagram-base is not required as you have already added instagram.
Did you check the URLs that are opened in the sessions where the firewall detects the application facebook-base? With this information you could create a new security policy where you add the application facebook-base together with a custom URL category where you specify only the URLs required to load the images.
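One way to carry out the check suggested in the reply above, as an added example that is not part of the original thread: it takes a URL filtering log export, keeps the sessions identified as facebook-base, and lists the hostnames as candidate entries for the custom URL category. The CSV column names (`Application`, `URL`), the hostnames and the function names are assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample of a URL filtering log export. The column names
# ("Application", "URL") and every hostname are assumptions for this example.
SAMPLE_LOG = """Application,URL,Action
instagram-base,www.instagram.example/accounts/login/,alert
facebook-base,img-a.cdn.example/v/t51/photo1.jpg,block-url
facebook-base,img-a.cdn.example/v/t51/photo2.jpg,block-url
facebook-base,IMG-B.cdn.example:443/v/t51/photo3.jpg,block-url
ssl,static.other.example/app.js,alert
facebook-base,https://img-a.cdn.example/v/t51/photo4.jpg?x=1,block-url
"""

def host_of(url):
    """Return the lower-cased hostname of a logged URL (scheme and port optional)."""
    rest = url.split("://", 1)[-1]
    host = rest.split("/", 1)[0].split("?", 1)[0]
    return host.rsplit(":", 1)[0].lower() if ":" in host else host.lower()

def hosts_for_app(log_text, app="facebook-base"):
    """Count hostnames requested in sessions identified as `app`."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Application"].strip() == app and row["URL"].strip():
            counts[host_of(row["URL"].strip())] += 1
    return counts

def category_entries(counts):
    """Format hosts as URL-list entries, most frequent first.

    The trailing slash ends the entry at the hostname (assumed list
    convention; confirm the expected entry format for your PAN-OS version).
    """
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{host}/" for host, _ in ordered]

if __name__ == "__main__":
    seen = hosts_for_app(SAMPLE_LOG)
    for entry in category_entries(seen):
        print(entry, seen[entry.rstrip("/")])
```

Review the resulting list by hand before using it: only the hosts that serve the Instagram images belong in the category that is paired with facebook-base in the allow rule.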
06-07-2021 01:12 PM
Hi @A_Adamski ,
@nikoolayy1 posted a very interesting topic a while ago; you may want to check it: https://live.paloaltonetworks.com/t5/automation-api-discussions/version-10-no-7-byte-limit-for-sinat...
It sounds like a really interesting idea, but I personally haven't had any chance to try it.
06-08-2021 03:53 AM
Hi @vsys_remo,
Thank you for your response and the suggestion.
It's kind of strange, as I thought that the change within Instagram, and moving ownership (and most likely some part of infrastructure and services) to Facebook, should not change how the application is recognized/classified by the firewall.
So I guess there is no way to get it to work when using just the application IDs, right?
Is this not maybe something for the Palo Alto team to look into internally and update/correct the App-ID info for Instagram?
I think I do not have many options left here, and I'll need to try and follow your advice and add the custom URL category to the policy.
I wish you a great day ahead!
06-09-2021 04:21 AM
For an application request to Palo Alto, if needed, follow:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clu2CAC
If they say no, you may try to write it yourself.