This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Want to block personal gmail and allow corporated gmail

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience.

Want to block personal gmail and allow corporated gmail

FarhanKoujalgi
L3 Networker

‎10-12-2021 04:31 AM

Hey guys one of my customer wants to block personal gmail (google mail) for eg : example@gmail.com

and want to allow the corporate Gmail eg : example@corporate.com 

what are the steps to configure this type of request please help us.

0 Likes Likes
5 REPLIES 5

DavidWalters2
L0 Member

‎10-12-2021 07:59 AM

You need to TLS intercept the traffic, downgrade it from HTTP/2 and then insert a header. There are instructions at https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/http-header-insertion/http-header-i...

(1)

LAYER_8
L5 Sessionator

‎10-12-2021 01:20 PM

Indeed, historically this is accomplished through HTTP header insertion described above. 

 

An alternative method would be the new SaaS Security Inline subscription, some of my customers opt for the latter as it's much easier to configure and manage. 

Help the community! Add tags and mark solutions please.
(1)

FarhanKoujalgi
L3 Networker

‎10-12-2021 11:29 PM - edited ‎10-12-2021 11:31 PM

@LAYER_8 and @DavidWalters2 

Guys thanks for the reply.

I not getting your solution please explain in details.

@BPry  Do you have any idea about this?

0 Likes Likes

LAYER_8
L5 Sessionator

‎10-13-2021 09:37 AM

@DavidWalters2 's answer covers it in detail. If you click the link you will see next to the header value:

 

 

You can allow access to specific Google accounts from your domain. The values that you give to this header are your domain and subdomains.
 
To successfully insert headers for Google applications, you must also:

 

  • Create an SSL decryption profile that includes the following categories and URLs:
  • business-and-economy
  • computer-and-internet-info
  • content-delivery-networks
  • internet-communications-and-telephony
  • low-risk
  • online-storage-and-backup
  • search-engine
  • web-based-email
  • drive.google.com
  • *.google.com
  • *.googleusercontent.com
  • *.gstatic.com

 

 

HTTP header insertion is not currently supported for HTTP/2. To insert headers, downgrade HTTP/2 connections to HTTP/1.1 using the Strip ALPN feature in the appropriate decryption profile. For more information, see App-ID and HTTP/2 Inspection.
 
Create rules to block the Quick UDP Internet Connections (QUIC) App-ID and place them at the top of your security policy because the firewall does not support header insertion for this protocol. When you do, the app reverts to using HTTP/2 over TLS, which the firewall handles in the previous step.
 
So you'll need an SSL decryption profile (guide here), you will enable the "Strip ALPN" feature in the profile you create. You will then create a decryption policy on the above categories, also a block QUIC policy. Lastly, you will follow these steps to add the google header value to the sessions. 
Help the community! Add tags and mark solutions please.
0 Likes Likes

FarhanKoujalgi
L3 Networker
In response to LAYER_8

‎10-13-2021 10:12 AM

@LAYER_8 Thankyou for reply 

So I have to create a different URL filtering for that ?

I attached the images plz help me out my config is right or wrong.

What should i add into the value and domains?

Is the security policy is correct ?

And what should I enable in the decryption profile?Capture 1.PNGCapture 2.PNGCapture 3.PNG

 

0 Likes Likes
  • 7491 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks