08-31-2017 08:24 AM
Hi Everybody
I have a customer who wants to block this page "goo.gl/forms/NeclIZETrjUiyFBT2" (seems to be used as malware). We included it in the "block list" in the URL Filtering Security Profile but it doesn't block it.
In the Monitor tab, the session doesn't appear in URL Filtering; it appears in Traffic. The Palo Alto detects the flow as application "quic" or "google-base" or "google-docs", not as "web-browsing".
Is it possible to block this page or application BUT only for certain pages?
best regards
08-31-2017 08:48 AM
09-01-2017 02:46 AM
Hi
What apps are checked by URL Filtering? Those which are classified as GeneralInternet->InternetUtility->Browser Based?
Is it possible to edit URL_Filtering to add more apps to be checked?
I also tried to create a new app based on web-browsing and create an AppOverride profile, but this app is not checked by the URL Filtering.
Best regards
09-01-2017 06:51 AM
Web browsing is checked against URL filtering.
If it is HTTPS traffic, then the HTTP GET goes inside the encrypted payload, so Palo can get the URL only from the certificate.
To get and block the full URL you need to decrypt traffic.
Chrome supports quic, which can't be decrypted and must be blocked in the firewall to force Chrome to fall back to regular SSL that can be decrypted.
09-04-2017 04:41 AM
Hi
Blocking "quic" forces PaloAlto to use SSL to navigate to the page and applies the URL Filtering. But I'm now having problems blocking the URL.
The URL is "goo.gl/forms/NeclIZETrjUiyFBT2"; if I put it in the blocklist it doesn't work. It only blocks it if I put only "goo.gl".
Is it possible to block a specific web page instead of a whole domain?
best regards
09-04-2017 04:21 PM
I take it you are not decrypting traffic?
09-05-2017 12:57 AM
Hi
I'm not using any decryption profile.
best regards
09-08-2017 07:53 AM
That's why you are running into the issue. You can only get the cert information on encrypted traffic so you can block domains pretty easily but trying to block traffic destined for such a specific URL isn't going to work. Either you fully decrypt this traffic and disable quic or you won't be able to block that specific form with URL filtering.
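The behaviour worked out in this thread, as a simplified model added here (it is not PAN-OS matching logic and not code from any poster): it shows which block-list entries can match depending on transport and decryption, and flags entries that can never match HTTPS without decryption. The host `short.example`, the sample paths and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def split_entry(entry):
    """Split 'host/path' or a full URL into (host, path)."""
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    return parts.hostname or "", parts.path.rstrip("/")

def visible_to_filter(url, transport, decrypted):
    """What the URL filter can inspect for one request (model of the thread).

    quic             -> None (session is not evaluated by URL filtering)
    https, no decrypt -> hostname only (taken from the certificate)
    https + decrypt   -> hostname and path (the HTTP GET is readable)
    """
    host, path = split_entry(url)
    if transport == "quic":
        return None
    if transport == "https" and not decrypted:
        return host, ""
    return host, path

def is_blocked(entry, url, transport, decrypted):
    """True if a block-list entry matches what the filter can see."""
    seen = visible_to_filter(url, transport, decrypted)
    if seen is None:
        return False
    e_host, e_path = split_entry(entry)
    s_host, s_path = seen
    if e_host != s_host:
        return False
    # Host-only entries match the whole domain; path entries need the path.
    return e_path == "" or s_path == e_path or s_path.startswith(e_path + "/")

def ineffective_entries(block_list, decrypted):
    """Entries carrying a path cannot match HTTPS unless traffic is decrypted."""
    if decrypted:
        return []
    return [e for e in block_list if split_entry(e)[1]]

# Constructed sample data, not taken from the thread.
URL = "https://short.example/forms/abc123"
BLOCK_LIST = ["short.example/forms/abc123", "short.example"]

if __name__ == "__main__":
    for transport, decrypted in [("quic", False), ("https", False), ("https", True)]:
        for entry in BLOCK_LIST:
            hit = is_blocked(entry, URL, transport, decrypted)
            print(f"{transport:5} decrypt={decrypted!s:5} {entry:28} blocked={hit}")
    print("never matches without decryption:", ineffective_entries(BLOCK_LIST, False))
```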