Want to block personal gmail and allow corporated gmail

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Want to block personal gmail and allow corporated gmail

L3 Networker

Hey guys one of my customer wants to block personal gmail (google mail) for eg : example@gmail.com

and want to allow the corporate Gmail eg : example@corporate.com 

what are the steps to configure this type of request please help us.

5 REPLIES 5

L0 Member

You need to TLS intercept the traffic, downgrade it from HTTP/2 and then insert a header. There are instructions at https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/http-header-insertion/http-header-i...

L5 Sessionator

Indeed, historically this is accomplished through HTTP header insertion described above. 

 

An alternative method would be the new SaaS Security Inline subscription, some of my customers opt for the latter as it's much easier to configure and manage. 

Help the community! Add tags and mark solutions please.

L3 Networker

@LAYER_8 and @DavidWalters2 

Guys thanks for the reply.

I not getting your solution please explain in details.

@BPry  Do you have any idea about this?

L5 Sessionator

@DavidWalters2 's answer covers it in detail. If you click the link you will see next to the header value:

 

 

You can allow access to specific Google accounts from your domain. The values that you give to this header are your domain and subdomains.
 
To successfully insert headers for Google applications, you must also:

 

  • Create an SSL decryption profile that includes the following categories and URLs:
  • business-and-economy
  • computer-and-internet-info
  • content-delivery-networks
  • internet-communications-and-telephony
  • low-risk
  • online-storage-and-backup
  • search-engine
  • web-based-email
  • drive.google.com
  • *.google.com
  • *.googleusercontent.com
  • *.gstatic.com

 

 

HTTP header insertion is not currently supported for HTTP/2. To insert headers, downgrade HTTP/2 connections to HTTP/1.1 using the Strip ALPN feature in the appropriate decryption profile. For more information, see App-ID and HTTP/2 Inspection.
 
Create rules to block the Quick UDP Internet Connections (QUIC) App-ID and place them at the top of your security policy because the firewall does not support header insertion for this protocol. When you do, the app reverts to using HTTP/2 over TLS, which the firewall handles in the previous step.
 
So you'll need an SSL decryption profile (guide here), you will enable the "Strip ALPN" feature in the profile you create. You will then create a decryption policy on the above categories, also a block QUIC policy. Lastly, you will follow these steps to add the google header value to the sessions. 
Help the community! Add tags and mark solutions please.

@LAYER_8 Thankyou for reply 

So I have to create a different URL filtering for that ?

I attached the images plz help me out my config is right or wrong.

What should i add into the value and domains?

Is the security policy is correct ?

And what should I enable in the decryption profile?Capture 1.PNGCapture 2.PNGCapture 3.PNG

 

  • 5425 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!