07-14-2021 03:14 PM - edited 07-14-2021 03:20 PM
While Palo Alto Networks has documented the use of HTTP Header insertion to control access to certain SaaS applications, there are many more which are not yet documented (as of July 2021). Slack in particular came up for me during testing so I wanted to share what I have found.
First of all, slack maintains documentation for allowing / denying the use of slack workspaces while on a network. A PANW firewall of any form factor (physical, virtual, Prisma Access) can use these documented HTTP headers to prevent someone from logging into non-allowed Slack workspaces. This is a binary decision.
Thankfully, slack also leverages URLs in order to do logins, uploads, downloads, etc. This means one can also use policies scoped based on URL to specifically allow certain actions / apps / files to desired workspaces based on URL, and more granularly block file uploads (for example) to other workspaces. I tested this primarily by creating a 2 tiered policy to block all file uploads to a specific slack workspace based on its associated URLs (placed into a URL filtering group) and allow slack uploads to all other workspaces. For a more secure deployment these could easily be flipped. This is a huge win for DLP use cases as one can prevent files from being shared via a 'sanctioned app,' but to a different tenant.
for reference: the url for a tenant you want to allow or blocklist is usually of the format https://my-workspace-name.slack.com/
In my testing locking a specific tenant URL blocked all my messages and files from going out, but I was still able to see existing messages others had posted to that workspace. However if I wasn't already logged in from my desktop client then logging into a blocked workspace seemed to be stopped as well as usually this involved your browser taking you to the URL for login.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!