Question about outbound hostname restrictions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Question about outbound hostname restrictions

L1 Bithead

I'm familiar with user based restrictions to outbound resources, such as youtube, but is it possible with say, a regex expression, to block access to a site like youtube through a list of machines that include a name like kiosk, as in cakiosk01, cokiosk02, flakiosk03, etc. ?

 

 

1 accepted solution

Accepted Solutions

@murphyca What you actually asking for is - as already mentionned - not possible. But depending on the configurarion of your network and these computers there are some ways for this:

  • DHCP Reservations so that these computers always get rhe same IPs and you then could create addressobjects for
  • Seperate VLAN for these computers as written by @OtakarKlier (probably a good idea anyway to seperate these computers from the rest of your network)
  • Configure a default user that is logged in automatically, so you will be able to write user-based rules (as mentionned by @gwesson)
  • Parse the DHCP logs to create dynamic addressgroups which you can use as source in your policy (as proposed by @BPry)
  • Use FQDN addressobjects which the firewall will update according to the TTL of the DNS entry
  • Configure the computers browsers to use custom user agent strings and create a custom application that matches on this user agent string

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

In the past what I have done is put the kiosks/guest machines onto their own vlan and hten write the policy around the source IP's.

 

Regards,

Cyber Elite
Cyber Elite

@murphyca,

Not something that you could do on the box. The VLAN option that @OtakarKlier presented is a good option. Otherwise you could simply collect the DHCP logs and look at which IP the machines are grabbing and add them to as an address-object with a given tag; this tag could then be used to build out a dynamic address-group. Doing this programatically would likely be best. 

As an example:

Schedule some sort of scripting language like Python to scour the DHCP logs for the machine name. Once the machine name is found grab the IP from the log and use that value to update the address object with the recorded IP through the API. Then you just need to schedule the script to pull the DHCP logs every once in a while to keep everything updated. 

L7 Applicator

Do you mean to block from a specific source by client hostname? The client's hostname is never sent as part of their HTTP request, so there would be nothing to trigger on there.

 

I'd recommend setting up user-id so that you have the username logged into the kiosks and can simply apply a URL filtering policy. 

 

If you're going TO a site with the name "kiosk" in the host header, you can set up a custom vulnerability or spyware signature using the host header as the context and a regex of "..kiosk0.+" (not tested) that could trigger for you.

@murphyca What you actually asking for is - as already mentionned - not possible. But depending on the configurarion of your network and these computers there are some ways for this:

  • DHCP Reservations so that these computers always get rhe same IPs and you then could create addressobjects for
  • Seperate VLAN for these computers as written by @OtakarKlier (probably a good idea anyway to seperate these computers from the rest of your network)
  • Configure a default user that is logged in automatically, so you will be able to write user-based rules (as mentionned by @gwesson)
  • Parse the DHCP logs to create dynamic addressgroups which you can use as source in your policy (as proposed by @BPry)
  • Use FQDN addressobjects which the firewall will update according to the TTL of the DNS entry
  • Configure the computers browsers to use custom user agent strings and create a custom application that matches on this user agent string

The challenge is over 400 remote locations feeding through corporate. The architecture would be difficult to change from that perspective. Possible, but difficult.

In speaking to PAN support, looks like we'd have to do a reverse DNS lookup for the internal hosts, which may be resource intensive. I will explore the ID of scraping the DHCP configuration though. That should be less resource intensive. The client state will be difficult to change at the moment. May be worth investigating though down the road as an alternative roadmap.

Hello,

One other thing I have done in the past is kind of is use user-id and have those kiosks and desk users excluded. What I mean is create a web browsing policy and select the source user as /domain-users, this way all domain users get the less restrictive policy. Then a second policy after that one for everything else and have a more restrictive policy. So if a user just see's a kiosk and opens the browser, they get the more restrictive policy since that IP is not mapped to a user-id.

 

Hope that makes sense.

  • 1 accepted solution
  • 3885 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!