03-04-2017 11:09 PM
03-05-2017 08:06 AM
There are a couple of ways to do this:
1. Go to https://applipedia.paloaltonetworks.com/ and search for the applications that you know you want to block.
2. Set up a test machine, create a security rule with the test machine as source, and place it at the very top of the rule set to allow outbound, with a deny-all outbound rule for the test machine after the allow outbound rule. Enable logging and review the traffic log after each application that you are interested in blocking (make sure you close the application or end the streaming first); you should see the specific app-id identified by the traffic log. Create another deny rule and place it above the allow rule to deny those specific app-ids. Repeat until you get them all.
Since you did not specify which video streaming services/applications, that could be tricky because some services could show up as http-video or SSL (encrypted); you will need to test and be a detective for a while. If you want to block video streaming that uses SSL, you will need to enable SSH decryption, which you may want to look up in the tech notes, and get a URL license as well, since you may not want to decrypt SSL sessions going to health care, banking sites, etc.
03-05-2017 02:28 PM
For the most part, App-ID should be sufficient even without SSL decryption since the built-in app definitions use multiple vectors to detect what's being accessed. The easiest approach is just to attempt to do what you wish to block and verify the app is properly detected in the traffic log and then add those apps to a blacklist policy.
If that's not enough, you can also block by domain, keeping in mind that many apps source from multiple domains.
But I do agree that SSL decryption would be a difficult jump to make without a URL license, as banking and healthcare are at least two of the categories you likely don't want to mess with, and there may be even more to worry about in Europe.
03-06-2017 12:43 AM
We want to block YouTube streaming.
03-06-2017 12:50 AM
We want to block YouTube streaming via Palo Alto. We created the Custom URL Category "testing" and entered the site "*.youtube.com" (with quotation). We selected the testing category in the Decryption profile with Action "Decrypt" and Type SSL Forwarding. We created the security policy src:any, destination:any and deny youtube-base. But we can still view streaming in Chrome and Firefox.
03-06-2017 02:18 AM
Have you tried an application filter to block video apps?
03-09-2017 07:20 AM
03-09-2017 07:31 AM - edited 03-09-2017 07:31 AM
As I mentioned earlier, while it may sound counterintuitive, Palo Alto AppID is able to identify some apps even when SSL is not decrypted. Obviously it can't inspect traffic, but it can use other environmental aspects to help categorize traffic. PA won't disclose all the attributes AppID uses, but obviously if someone is going to youtube.com, they're likely using the youtube-base app.
You can witness this yourself in the PA traffic logs.
03-10-2017 01:38 AM
For any encrypted traffic that's not getting decrypted (and also as the primary means of categorizing before encryption can take place), AppID will use the SNI (Server Name Indication), which is included in the SSL handshake, to identify the application.
So as long as your browser supports SNI, you should be getting fairly accurate AppID.
In case the browser does not support SNI, AppID will try to identify the app based on the certificate CN, but this may not be as accurate, as YouTube uses *.google.com (hence AppID would be google-base).