URL Filtering doesn't work with Google-base/quic/google-docs

L4 Transporter

Hi Everybody

I have a customer who wants to block this page "goo.gl/forms/NeclIZETrjUiyFBT2" (seems to be used as malware). We included it in the "block list" in the URL Filtering Security Profile but it doesn't block it.

In the Monitor tab, the session doesn't appear in URL Filtering; it appears in Traffic. The Palo Alto detects the flow as application "quic" or "google-base" or "google-docs", not as "web-browsing".

Is it possible to block this page or application BUT only for certain pages?

Best regards


Cyber Elite

In order to do URL filtering you need to block application quic or allow web access only on 80 and 443/tcp.
QUIC is a relatively new UDP-based TLS protocol and so far it is not possible to do TLS decryption on these UDP-based connections. So Palo Alto is only able to see this application, but that's all.

L4 Transporter

Hi

What apps are checked by URL Filtering? Those which are classified as GeneralInternet->InternetUtility->Browser Based?

Is it possible to edit URL Filtering to add more apps to be checked?

I also tried to create a new app based on web-browsing and create an AppOverride profile, but this app is not checked by URL Filtering.

Best regards

L7 Applicator

Web browsing is checked against URL filtering.

If it is HTTPS traffic then the HTTP GET goes inside the encrypted payload, so Palo can get the URL only from the certificate.

To get and block the full URL you need to decrypt traffic.

Chrome supports QUIC, which can't be decrypted and must be blocked in the firewall to force Chrome to fall back to regular SSL that can be decrypted.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L4 Transporter

Hi

Blocking "quic" forces Palo Alto to use SSL to navigate to the page and applies the URL Filtering. But I'm now having problems blocking the URL.

The URL is "goo.gl/forms/NeclIZETrjUiyFBT2"; if I put it in the blocklist it doesn't work. It only blocks it if I put only "goo.gl".

Is it possible to block a specific web page instead of a whole domain?

Best regards

Cyber Elite

@SOC_CSG,

I take it you are not decrypting traffic? 

L4 Transporter

Hi

I'm not using any decryption profile.

Best regards

Cyber Elite

@SOC_CSG,

That's why you are running into the issue. You can only get the cert information on encrypted traffic so you can block domains pretty easily but trying to block traffic destined for such a specific URL isn't going to work. Either you fully decrypt this traffic and disable quic or you won't be able to block that specific form with URL filtering. 

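A simplified model of the behaviour described in this thread, added here as an example (it is not Palo Alto Networks code and not from any poster): it shows what a URL filter can compare against a block list for QUIC, undecrypted TLS, and decrypted TLS. The function names and the matching rule are assumptions for illustration, not PAN-OS's actual matching logic.

```python
from urllib.parse import urlsplit

# Block-list entries as tried in the thread (the URL is the one from the question).
PATH_ENTRY = ["goo.gl/forms/NeclIZETrjUiyFBT2"]
DOMAIN_ENTRY = ["goo.gl"]


def visible_url(url, transport="tcp", decrypted=False):
    """Return the host/path string a URL filter can inspect, or None if none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if transport == "quic":
        # Seen only as an application in the traffic log; no URL to evaluate.
        return None
    if parts.scheme == "https" and not decrypted:
        # Only the hostname (from the certificate) is visible; the path is encrypted.
        return host + "/"
    # Cleartext HTTP or decrypted TLS: the full request URL is visible.
    return host + (parts.path or "/")


def entry_matches(entry, seen):
    """Assumed rule: exact host match, then path-prefix match on a segment boundary."""
    e_host, _, e_path = entry.partition("/")
    s_host, _, s_path = seen.partition("/")
    if e_host.lower() != s_host:
        return False
    e_path = e_path.rstrip("/")
    if not e_path:
        return True  # domain-only entry covers every path on that host
    return s_path == e_path or s_path.startswith(e_path + "/")


def verdict(url, blocklist, transport="tcp", decrypted=False):
    """Return 'not-inspected', 'block' or 'allow' for one session."""
    seen = visible_url(url, transport, decrypted)
    if seen is None:
        return "not-inspected"
    return "block" if any(entry_matches(e, seen) for e in blocklist) else "allow"


if __name__ == "__main__":
    url = "https://goo.gl/forms/NeclIZETrjUiyFBT2"
    print("quic, path entry:        ", verdict(url, PATH_ENTRY, transport="quic"))
    print("tls no decrypt, path:    ", verdict(url, PATH_ENTRY))
    print("tls no decrypt, domain:  ", verdict(url, DOMAIN_ENTRY))
    print("tls decrypted, path:     ", verdict(url, PATH_ENTRY, decrypted=True))
```

In this model the path-specific entry only takes effect once QUIC is blocked and the session is decrypted, matching the accepted answer; without decryption only the domain-wide entry can match.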
