Dear Palo Alto Community Members,
I'm trying to set up a security policy based on App-ID allowing Instagram but blocking Facebook.
Unfortunately, I can't get it to work, and I'm not sure what I might be missing here.
The security policy allows all the needed applications, and I've double-checked and added all the required application dependencies, but when going to the webpage we've noticed that the pictures are not loading.
After further testing, we could confirm that after allowing facebook-base, the images were loading fine. But if we remove facebook-base, Instagram no longer will load the photos although the website will work fine.
This has been tested in Chrome, Firefox, and Edge, all give the same results and display the same (without the pictures).
Is it possible this is a restriction due to the fact that Facebook owns Instagram, and they likely share the infrastructure where the images are being hosted?
Does it make sense to add "instagram-base" to the allowed applications in the policy if Instagram is already listed there?
Is there any known issue that could explain my problem, or am I simply missing something in the configuration?
Could someone please share their thoughts and advice on this issue?
I would really appreciate some help resolving it.
Thank you in advance!
I assume you are already right with your assumption that this issue is because Instagram is owned by Facebook and they probably share some parts of the infrastructure. Adding instagram-base is not required, as you have already added instagram.
Did you check the URLs that are opened in the sessions where the firewall detects the application facebook-base? With this information you could create a new security policy where you add the application facebook-base together with a custom URL category in which you specify only the URLs required to load the images.
Hi @A_Adamski ,
@NikolayDimitrov posted a very interesting topic a while ago; you may want to check it: https://live.paloaltonetworks.com/t5/automation-api-discussions/version-10-no-7-byte-limit-for-sinat...
It sounds like a really interesting idea, but I personally haven't had any chance to try it.
Thank you for your response and the suggestion.
It's kind of strange, as I thought that even with the changes within Instagram and the move of ownership (and most likely some part of the infrastructure and services) to Facebook, the way the application is recognized/classified by the firewall should not change.
So I guess there is no way to get it to work when using just the application IDs, right?
*Is this not maybe something for the Palo Alto team to look into internally and update/correct the APP-ID info for Instagram?
I think I do not have many options left here, and I'll need to try and follow your advice and add the custom URL category to the policy.
I wish you a great day ahead!
I've tried to create the custom URL category and used the URL profile attached to the security policy allowing the facebook-base and the URLs I've listed in the URL category. During my checks I could see that the Instagram website is connecting to some sites related to Facebook: "connect.facebook.net", "*.fna.fbcdn.net", and the "facebook.com".
*(I assume the second one belongs to Facebook too)
The goal here is to allow access to the Instagram website (along with the pictures, which for some reason seem to be hosted on the Facebook side), but at the same time to block access to Facebook.
So I've created an additional security policy on top of the one allowing Instagram traffic in order to block access to the Facebook application and I've used another custom URL where I've listed the "facebook.com" with action to "block".
Unfortunately, this did not work as I've expected and I was still able to access the facebook.com websites. The Instagram website was working correctly and I could see the pictures loading fine, but at the same time, Facebook.com was still not blocked (and that's not what we want).
This should work, so I'm really not sure what I might still be missing.
Could you please help me understand if I'm doing something wrong? And maybe even point me in the right direction?
I will appreciate any help on that matter.
Thank you in advance and kind regards,
I guess that I've found my mistake. The first security policy (on the top, to block facebook.com) should be "allowing" the traffic so that it could then be blocked by the URL profile... but in my case I've set that policy to "deny", so the profile will never kick in.
But it does not explain why I did not have any hits for that rule. So I will be requesting access to the PA lab so I can play with it a bit more.
Please let me know in case someone has any additional suggestions.
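As an added illustration of the two approaches discussed in this thread (a custom URL category used as a match criterion on a facebook-base rule, and a URL filtering profile blocking facebook.com attached to an allow rule, versus the mistake of attaching it to a deny rule), here is a small Python model of first-match policy evaluation. It is not PAN-OS code and not from Palo Alto Networks or anyone in this thread; the rule names, category entries and sample (App-ID, host) pairs are constructed, and the URL matching is simplified to fnmatch wildcards rather than the firewall's own URL-matching rules.

```python
"""Toy first-match security policy evaluator (constructed example, not PAN-OS).

It models two behaviours the thread relies on:
  * a URL filtering profile is only consulted when the matching rule's action
    is allow; a deny rule ends evaluation before any profile runs,
  * a custom URL category can be a rule match criterion, so facebook-base can
    be permitted only for the hosts Instagram needs to load its images.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


def host_in(entries, host):
    """True when host matches any category entry ('*.x' covers subdomains)."""
    return any(fnmatch(host, e) for e in entries)


@dataclass
class Rule:
    name: str
    applications: set
    action: str                                        # "allow" or "deny"
    url_category: list = field(default_factory=list)   # custom category as match criterion
    url_profile: dict = field(default_factory=dict)    # URL filtering profile {entry: action}

    def matches(self, app, host):
        if app not in self.applications:
            return False
        return not self.url_category or host_in(self.url_category, host)


def evaluate(rules, app, host):
    """Return (rule name, verdict, profile_consulted) for the first matching rule."""
    for rule in rules:
        if not rule.matches(app, host):
            continue
        if rule.action == "deny":
            return rule.name, "deny", False            # profiles never run on a deny rule
        for entry, action in rule.url_profile.items():
            if fnmatch(host, entry):
                return rule.name, f"profile-{action}", True
        return rule.name, "allow", True
    return "default-deny", "deny", False               # constructed catch-all


# Constructed (App-ID, host) pairs standing in for the sessions seen in the thread.
SESSIONS = [
    ("instagram", "www.instagram.com"),
    ("facebook-base", "scontent-xx.fna.fbcdn.net"),    # image CDN host, constructed
    ("facebook-base", "connect.facebook.net"),
    ("facebook-base", "www.facebook.com"),
]

IMAGE_HOSTS = ["connect.facebook.net", "*.fna.fbcdn.net"]
FACEBOOK_SITE = {"facebook.com": "block", "*.facebook.com": "block"}


def category_match_rules():
    """Approach from the first reply: facebook-base allowed only for image hosts."""
    return [
        Rule("ig-image-hosts", {"facebook-base"}, "allow", url_category=IMAGE_HOSTS),
        Rule("allow-instagram", {"instagram"}, "allow"),
    ]


def profile_block_rules():
    """Approach the poster settled on: one allow rule, profile blocks facebook.com."""
    return [
        Rule("allow-instagram", {"instagram", "facebook-base"}, "allow",
             url_profile=FACEBOOK_SITE),
    ]


def deny_with_profile_rules():
    """The mistake: profile attached to a deny rule is never consulted, and the
    deny also drops the image-host sessions that facebook-base carries."""
    return [Rule("block-facebook", {"facebook-base"}, "deny",
                 url_profile=FACEBOOK_SITE)] + profile_block_rules()


def verdicts(rules):
    """Map each sample host to its verdict under the given rulebase."""
    return {host: evaluate(rules, app, host)[1] for app, host in SESSIONS}


if __name__ == "__main__":
    for label, rules in [("category match", category_match_rules()),
                         ("profile block", profile_block_rules()),
                         ("deny + profile", deny_with_profile_rules())]:
        print(label, verdicts(rules))
```

Both working designs let the fbcdn and connect.facebook.net sessions through while www.facebook.com ends up denied or profile-blocked; the deny-rule variant shows why the poster's first attempt could not work as intended, since the profile is never reached and the image hosts are dropped along with the rest of facebook-base.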
I've checked the conversation, but I do not really follow it... I guess it's out of my understanding as I'm not sure how it's connected to my issue nor how it could help me.
I'm sorry but I'm not so experienced and knowledgeable in regards to Palo Alto as I would like to be.
And thanks for your help!