I have PA-820 with fully updated signatures, I have blocked Teamviewer via security policy. PA is recognising the application and traffic log showing that teamviewer connection is blocked but on host machine teamviewer is running and outbound / inbound teamviewer connections are sucessful. I have also tried by applying ssl decryption but still same result. Need help in this regard.
If you have logs proving that the Teamviewer app-id is properly getting blocked when your security rule is applied then this would more then likely be due to traffic getting mis-identified, likely to 'ssl'. To get this to work properly you would need to apply ssl-decryption.
Out of curiosity are you blocking all of the app-ids? You would either include the app-id container of 'teamviewer' and then 'teamviewer-web' or you would need to list out all 4 individually. Generally in my experience the firewall is rather good at identifying teamviewer traffic and blocking it when you are decrypting traffic.
If you aren't decrypting traffic then teamviewer falls back to tcp/443 instead of its default port of tcp/5938 and the firewall will allow the traffic as it can't tell what it is.
You could attempt to do this in a controlled situation and reviewing the logs to see what exactly the firewall is identifying the traffic; that may help in understanding why your traffic isn't getting identified properly.
We do not use any form of SSL decryption on our PA, but we are still able to effectively block Teamviewer. Does the firewall perhaps do some kind of hostname/FQDN match in addition to block the traffic? I see in the traffic logs that Teamviewer first tries port tcp/5938, then tcp/443 then tcp/80, but all the sessions are blocked with app-id teamviewer-base.
The firewall is capable of still identifying certain applications through a number of different ways that aren't encrypted when you are using SSL. Under the majority of use cases the firewall is perfectly capable of identifying teamviewer traffic without decrypting the traffic.
FYI: On a rainy day dig into a technical_support file generated from your firewall and you might just maybe be able to find things you aren't really meant to see 😉
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!