Please check the logs to see whether the traffic is being decrypted.
Pay attention: for the Facebook site, Palo Alto identifies the application as facebook-base, which is why it is being blocked. To allow the Facebook site you should add facebook-base.
See my attachment: regular sites that Palo Alto identifies as the web-browsing application will match that policy rule; if the site uses another application you need to allow that specific application.
It's still being blocked because you're only allowing 'web-browsing' and 'ssl'. Facebook has a large number of unique app-id definitions depending on what you're doing. From Applipedia:
Start with a rule allowing all apps for yourself, then use the traffic log to see the list of apps seen by the firewall when you hit that rule. Then, you can create a more complete rule to allow only what you want.
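The "allow everything, then read the traffic log" workflow above, as an added example that is not part of the thread: it parses a constructed, simplified traffic-log export (column names and rows are assumptions, not a real PAN-OS export), counts the App-IDs that hit the temporary allow-all rule, and proposes the application list for the tighter rule.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed, simplified traffic-log export. A real PAN-OS export has many
# more columns; only the fields this script uses are kept here.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,rule,action
2019/03/01 10:00:01,10.1.1.5,157.240.1.35,443,facebook-base,allow-all-test,allow
2019/03/01 10:00:02,10.1.1.5,157.240.1.35,443,ssl,allow-all-test,allow
2019/03/01 10:00:03,10.1.1.5,157.240.1.35,443,facebook-chat,allow-all-test,allow
2019/03/01 10:00:04,10.1.1.7,172.217.3.4,443,google-base,allow-all-test,allow
2019/03/01 10:00:05,10.1.1.7,93.184.216.34,80,web-browsing,allow-all-test,allow
2019/03/01 10:00:06,10.1.1.9,157.240.1.35,443,facebook-base,deny-all,deny
"""


def apps_seen_by_rule(log_text: str, rule: str) -> Counter:
    """Count App-ID values for allowed sessions that matched the given rule."""
    counts: Counter = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if row["rule"] == rule and row["action"] == "allow":
            counts[row["app"]] += 1
    return counts


def proposed_apps(counts: Counter, prefixes: tuple) -> list:
    """Pick the apps for the tighter rule: every App-ID whose name starts with
    one of the wanted prefixes (e.g. 'facebook'), plus the generic ssl and
    web-browsing apps that the session hits before the specific app is
    identified. Anything else seen on the allow-all rule is left out."""
    wanted = {app for app in counts if app.startswith(prefixes)}
    wanted |= {app for app in counts if app in ("ssl", "web-browsing")}
    return sorted(wanted)


if __name__ == "__main__":
    seen = apps_seen_by_rule(SAMPLE_LOG, "allow-all-test")
    for app, n in seen.most_common():
        print(f"{app:15} {n}")
    print("rule applications:", proposed_apps(seen, ("facebook",)))
```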
I cannot check the logs because it is a VM without a license. I am testing the solution before investing some money in it.
I thought the main Facebook page would pass on the web-browsing rule (without logging into Facebook), and then if I log in all the extra "Apps" would need another rule.
I will give it a try.
> I think they should release an application list update which adds working port 443 for the web-browsing application.
> I also notice that once you decrypt traffic on 443-SSL it becomes 443-web-browsing, so policy rule that allow web-browsing on application-default will not work, because the application-default is 80.
> You need to create another policy to allow web-browsing application on 443 port.
I had to hold my tongue (well, fingers) because 9.0 hadn't been released yet, but now that it is available I can share this:
Now, in PAN-OS 9.0, if an application has a known secure port like web-browsing, your app-based allow rule will work with application-default when decrypting. Currently the app list is web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. Palo Alto Networks can update that list as well via a content update.
The web-browsing application is like a last-resort application. web-browsing will be used only if the firewall fails to match any other application while the traffic contains the HTTP protocol. See below:
The Palo Alto firewall will match the facebook application even if the traffic is not decrypted (in my personal limited observations), so I am guessing it is using the SNI from the server certificate. Without decryption the firewall may fail to match the more specific facebook apps, but it will still know that it is facebook related.
The same goes for Google, Dropbox, Twitter and many more well-known services that Palo Alto has created applications for.