URL Filtering doesn't work with Google-base/quic/google-docs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

URL Filtering doesn't work with Google-base/quic/google-docs

L4 Transporter

Hi Everybody

 

I have a customer who whant to block this page "goo.gl/forms/NeclIZETrjUiyFBT2" (seems to be used as malware). We include it in "block list" in the Url Filtering Security Profile but it doesn't block it. 

 

In monitor tab, the session doesn't appear in Url Filtering, it appears in Traffic, the paloAlto detects the flow as application "quic" or "google-base" o "google-docs" not as "web-browsing"

 

Is it possible to block this page or application BUT only for certains pages?

 

best regards

1 accepted solution

Accepted Solutions

@SOC_CSG,

That's why you are running into the issue. You can only get the cert information on encrypted traffic so you can block domains pretty easily but trying to block traffic destined for such a specific URL isn't going to work. Either you fully decrypt this traffic and disable quic or you won't be able to block that specific form with URL filtering. 

View solution in original post

7 REPLIES 7

L7 Applicator
In order to do url filtering you need to block application quic or allow web acces only on 80 and 443/tcp.
Quic is a relatively new udp based TLS protocol and so far it is not possible to do tls decryption on this udp based connections. So paloalto is only able to see this application, but thats all.

Hi

 

What apps are checked by URL Filtering? Those which are classified as GeneralInternert->InternetUtility->Browser Based?

Is it possible to edit URL_Filtering to add more apps to be checked? 

 

I also tried to create a new app based on web-browsing and create a AppOverride profile but this app is not check by the UrlFiltering.

 

Best regards

 

Web browsing is checked against URL filtering.

If it is HTTPS traffic then HTTP GET goes inside encrypted payload so Palo can get URL only from certificate.

To get and block full URL you need to decrypt traffic.

Chrome supports quic that can't be decrypted and must be blocked in firewall to force Chrome to fall back to regular SSL that can be decrypted.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi

 

Blocking "quic" force PaloAlto to use SSL to navigate to the page and applies the URL Filtering. But I'm having now problems to block the URL

 

The URL is "goo.gl/forms/NeclIZETrjUiyFBT2" if I put it in blocklist it doesn't works. It only block it  if put the only "goo.gl"

 

is it possible to block an specific web-page instead than a whole domain?

 

best regards

@SOC_CSG,

I take it you are not decrypting traffic? 

Hi

 

i'm not using any decryption profile.

 

best regards

@SOC_CSG,

That's why you are running into the issue. You can only get the cert information on encrypted traffic so you can block domains pretty easily but trying to block traffic destined for such a specific URL isn't going to work. Either you fully decrypt this traffic and disable quic or you won't be able to block that specific form with URL filtering. 

  • 1 accepted solution
  • 9054 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!