Application Shift and How to allow linkedIn but block specific linkedin-posting application

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Application Shift and How to allow linkedIn but block specific linkedin-posting application

L2 Linker

When you want to allow the linkedin-base application with a specific Security Policy Rule, for example Linkedin-Rule, the Implicit applications it depends to are automatically allowed by the firewall, this means that the Security Policy Rule Linkedin-Rule that matches the linkedin-base application will automatically allow the web-browsing and SSL applications.

 

rmeddane_0-1708248019818.jpeg

 

 

Below the Security Policy Rule named Linkedin-Rule that allows only the linkedin-base application.

 

rmeddane_1-1708248019825.jpeg

 

 

The Traffic logs shown that the firewall allows the Implicit application web-browser using the same Security Policy Rule Linkedin-Rule.

 

rmeddane_2-1708248019832.jpeg

 

 

But when you allow the linkedin-base application in Security Policy Rule, the subsequent linkedin applications such as linkedin-mail, linkedin-downloading etc…are not allowed by this rule.

 

From the Traffic logs, we can see that the user platini cannot use the linkedin-downloading and linkedin-mail applications, both are denied by the default rule interzone-default.

 

rmeddane_3-1708248019840.jpeg

 

 

If you want to allow all linkedin applications included in the following list such as linkedin-downloading, linkedin-mail, linkedin-uploading, linkedin-learning etc... You need to use the parent application linkedin as shown below, or you can specifiy only some applications.

 

rmeddane_4-1708248019845.jpeg

 

 

In this example, the Security Policy Rule is ajusted to allow all linkedin applications using the parent application linkedin instead of linkedin-base.

 

Note : some applications needs to be explicitly allowed as shown by the DEPENDS ON field, the imap and smtp-base applications must be explicitly allow by checking and adding these application into this Rule. Imap and smtp-base applications must be added to this rule for linkedin-intro application.

 

rmeddane_5-1708248019847.png

 

 

Now the Security Policy Rule Linkedin-Rule is modified to use the parent application linkedin instead of linkedin-base application.

 

rmeddane_6-1708248019851.jpeg

 

 

Now the user platini can use the linkedin-downloading and linkedin-mail applications as shown below as well as linkedin-learning, linkedin-uploading, linkedin-intro etc…

The Security Policy Rule Linkedin-Rule can now allow all linkedin applications because the parent application linkedin is used as a match criteria instead of linkedin-base.

 

rmeddane_7-1708248019857.jpeg

 

 

Now what if we want to deny specific linkedin application such as linkedin-posting. In this case we need to add a specific Rule to match the linkedin-posting application with the Deny action above the Security Rule Linkedin-Rule as shown below.

 

rmeddane_8-1708248019861.jpeg

 

 

From the Traffic logs, we can see that the linkedin-posting application is blocked by the Security Policy Rule Linkedin-Posting-Rule for the same user platini.

 

Because the Application Shift feature on Palo Alto Firewall, the traffic of the user platini transitions from web-browser application to more specific application linkedin-posting.

 

In the Traffic logs, the entry in the blue color shown that the Security Rule Linkedin-Rule allows the web-browsing application, later the same user transitions to more specific application so it is passed through the list of security rules again to see if there is a match. In this scenario, the same user is transitioning to linkedin-posting application and the firewall checks again the Rules and finds a match with the Security Policy Rule Linkedin-Posting and applies the action Deny.

 

rmeddane_9-1708248019864.png

 

0 REPLIES 0
  • 468 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!