04-06-2021 07:48 AM
I wanted to make a post to the community to see what other people are doing about this issue. We currently have a support case open with Palo for this, and it has been open for quite some time. Long story short, users that have previously logged into a Yahoo account and have a session cookie are able to somehow circumvent security policy, and the app is sometimes parsed as App-ID "SSL" instead of "yahoo-mail-base."
We are able to recreate this behavior 100% of the time. The only way we were able to block Yahoo Mail was by selectively decrypting this traffic and blocking the following URLs:
mail.yahoo.com
login.yahoo.com
*.mail.yahoo.com
*.login.yahoo.com
Even with the decryption applied, the sessions are still sometimes getting misparsed and users are still able to access Yahoo Mail. Again, this is directly related to whether the user has logged into a Yahoo account before or not; if the person has never previously logged into a Yahoo account, the access is blocked completely.
Now, since "login.yahoo.com" is in this URL category we created, users are unable to log in to Yahoo for other areas (such as Yahoo Finance).
Just seeing if the community has tackled this issue before while we keep trying through traditional support channels.
04-07-2021 03:11 AM - edited 04-07-2021 03:23 AM
I have not seen such an issue before. So, because the SSL decryption does not always work, the App-ID does not correctly match the Yahoo App-ID (because of this, App-ID "SSL" instead of "yahoo-mail-base"; maybe the SSL decryption is not happening)?
Have you focused on why the SSL decryption does not work every time?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS
Also, maybe when the users have accessed Yahoo and then access it a second time, a "secure renegotiation" is triggered instead of a full handshake, and maybe this causes the firewall not to be able to decrypt the traffic:
https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-renegotiation/td-p/27979
If SSL decryption is the issue, test using a Decryption profile to try to stop this:
If the SSL decryption is OK but the issue is with the App-ID wrongly matching, then it is better to wait for TAC to fix their App-ID.
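To separate the two possibilities raised above (decryption not happening versus App-ID matching the decrypted session wrongly), an added example that is not part of this thread: a small Python script that walks a session export, applies the custom URL category entries from the first post to the destination host, and reports which Yahoo Mail sessions App-ID labelled "ssl", split by whether the firewall decrypted them and whether the TLS session was resumed. The CSV layout, the `*.` wildcard semantics (one or more leading labels) and the `decrypted`/`tls_resumed` columns are assumptions for the example, not the PAN-OS log format.

```python
import csv
import io
from collections import Counter

# Custom URL category entries quoted in the original post
BLOCK_PATTERNS = ["mail.yahoo.com", "login.yahoo.com",
                  "*.mail.yahoo.com", "*.login.yahoo.com"]

# Constructed sample export (assumed layout, NOT the real PAN-OS traffic log)
SAMPLE_LOG = """\
time,src,dst_host,app,decrypted,tls_resumed
2021-04-06T07:40:01,10.0.1.5,mail.yahoo.com,yahoo-mail-base,yes,no
2021-04-06T07:40:12,10.0.1.5,mail.yahoo.com,ssl,no,yes
2021-04-06T07:41:03,10.0.1.7,login.yahoo.com,ssl,yes,no
2021-04-06T07:41:30,10.0.1.9,api.login.yahoo.com,ssl,no,yes
2021-04-06T07:42:00,10.0.1.9,finance.yahoo.com,ssl,no,yes
"""


def host_matches(host, patterns):
    """Return the first pattern covering host, or None.
    Assumed wildcard rule: a leading '*.' covers one or more DNS labels."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            if host.endswith(pat[1:]):      # keep the leading dot: 'mail.yahoo.com' != '*.mail.yahoo.com'
                return pat
        elif host == pat:
            return pat
    return None


def find_misidentified(log_text):
    """Sessions to a blocked host that App-ID reported as plain 'ssl'
    instead of 'yahoo-mail-base', with the decryption and resumption flags."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        pat = host_matches(row["dst_host"], BLOCK_PATTERNS)
        if pat and row["app"] == "ssl":
            hits.append((row["src"], row["dst_host"], pat,
                         row["decrypted"] == "yes", row["tls_resumed"] == "yes"))
    return hits


def summarize(hits):
    """Bucket the misidentified sessions: 'not-decrypted/resumed' points at a
    decryption gap on resumed sessions, 'decrypted/...' at an App-ID gap."""
    counts = Counter()
    for _, _, _, decrypted, resumed in hits:
        counts[("decrypted" if decrypted else "not-decrypted")
               + ("/resumed" if resumed else "/full-handshake")] += 1
    return dict(counts)
```

On the constructed sample, two of the three mislabelled sessions were never decrypted and were TLS resumptions, which is the pattern the previous reply describes; the remaining one was decrypted and still labelled "ssl", which is the case to hand to TAC.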
04-08-2021 02:38 PM
Hello,
I would recommend setting the URL category Web-based Email to block. This way you don't need to mess with custom block URLs, etc.
Also, as mentioned, SSL decryption should be enabled; however, a lot of URL traffic can be blocked like this since it's in the plain-text part of the packet.
Regards,