Forcing/Redirecting IP addresses to use name


L0 Member

Hi All, happy new year.

Is there a way to block or force/redirect incoming traffic to an IP address? I would like to block outside attempts to access the network using the IP address instead of the hostname/URL.

Appreciate any suggestions and advice.

Cheers

Deena

4 REPLIES

Cyber Elite

@Deena,

Honestly, the best way of accomplishing something like this would be to use a custom App-ID for things and only allow that App-ID to your external resources. That way you can base the ID off of the http-req-host-header and ssl-req-client-hello, and direct IP access would never match and would be denied.

Alternatively, if you're good at scripting, you could build a custom report and pull it via the API for anything accessing your public IPs directly via URL logs, assuming that you're logging that information. Then the script could block the addresses going directly to your IP addresses instead of using FQDNs.

Just be mindful that some services are actually expected to be accessed via the IP address. HIP reports are a prime example of this on GlobalProtect, SMTP traffic as well if you have email on-prem. It's not inherently unexpected for everything to just utilize FQDN instead of the IP address itself, but certainly would be unexpected from web servers and the like. 
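As an added illustration of the scripted approach in the reply above (this is not code from the post or from Palo Alto Networks), the Python below takes URL-log rows in a constructed, simplified CSV shape, picks out sessions whose logged URL host is an IP literal rather than an FQDN, exempts the services the reply says are expected to be reached by IP (SMTP here; add your GlobalProtect app as well), and returns the source addresses you would feed into a block list. Pulling the report from the firewall API is left out, and the column names are assumptions you would map onto your own export.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in a simplified CSV shape. Real PAN-OS URL logs carry
# many more columns; only the field names used below need to be mapped.
SAMPLE_URL_LOG = """\
receive_time,src,dst,dport,app,url
2024/01/02 10:00:01,198.51.100.7,203.0.113.10,443,ssl,203.0.113.10/
2024/01/02 10:00:02,198.51.100.8,203.0.113.10,443,ssl,www.example.com/
2024/01/02 10:00:03,198.51.100.9,203.0.113.10,80,web-browsing,203.0.113.10:80/wp-login.php
2024/01/02 10:00:04,198.51.100.7,203.0.113.11,25,smtp,203.0.113.11/
2024/01/02 10:00:05,198.51.100.20,203.0.113.11,25,smtp,203.0.113.11/
2024/01/02 10:00:06,2001:db8::5,2001:db8:1::10,443,ssl,[2001:db8:1::10]/
2024/01/02 10:00:07,198.51.100.12,203.0.113.10,443,ssl,https://www.example.com/login
"""


def host_from_url(url: str) -> str:
    """Return the host part of a URL-log 'url' field.

    The logged value usually has no scheme ("host/path"), may carry a port,
    and may be a bracketed IPv6 literal; urlsplit handles all three once a
    scheme-relative prefix is supplied.
    """
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4 or IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _sort_key(addr: str):
    # IPv4 and IPv6 addresses are not mutually comparable, so sort by family first.
    a = ipaddress.ip_address(addr)
    return (a.version, int(a))


def direct_ip_sources(log_text: str,
                      exempt_apps=("smtp",),
                      exempt_dports=(25,)) -> list:
    """Return sorted source addresses that reached a public IP by literal IP.

    Sessions to services that are legitimately reached by IP (per the
    exempt_apps / exempt_dports allowlists) are ignored so that, for example,
    inbound mail is not added to the block list.
    """
    offenders = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["app"] in exempt_apps or int(row["dport"]) in exempt_dports:
            continue
        if is_ip_literal(host_from_url(row["url"])):
            offenders.add(row["src"])
    return sorted(offenders, key=_sort_key)


if __name__ == "__main__":
    for src in direct_ip_sources(SAMPLE_URL_LOG):
        print(src)
```

Review the resulting list before pushing it to an address group: the exemptions are the part that will need tuning per environment, and a source that shows up only under an exempt app is intentionally not returned.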

Thanks for the suggestion. I'll look into getting App-ID implemented. Does that require the PA to decrypt the incoming traffic from the outside zone?

Cyber Elite

@Deena,

It's best if you decrypt traffic, but it isn't a requirement. If you're just building a simple App-ID signature, doing a pattern-match on the ssl-req-client-hello and matching on the hex of the field will work perfectly fine. So, as an example, if I were building a match for "example.com", the pattern for ssl-req-client-hello would look like what is listed below.

            <entry name="SSL-Example-Site">
              <default>
                <port>
                  <member>tcp/80</member>
                  <member>tcp/443</member>
                </port>
              </default>
              <signature>
                <entry name="Host Match">
                  <and-condition>
                    <entry name="And Condition 1">
                      <or-condition>
                        <entry name="Or Condition 1">
                          <operator>
                            <pattern-match>
                              <pattern>\x 6578616d706c652e636f6d \x</pattern>
                              <context>ssl-req-client-hello</context>
                            </pattern-match>
                          </operator>
                        </entry>
                      </or-condition>
                    </entry>
                  </and-condition>
                  <scope>protocol-data-unit</scope>
                  <order-free>no</order-free>
                </entry>
              </signature>
              <subcategory>internet-utility</subcategory>
              <category>general-internet</category>
              <technology>browser-based</technology>
              <risk>1</risk>
            </entry>

Then you can also have a signature to match the http-req-host-header field for non SSL traffic as well, like below:

            <entry name="Example-Site">
              <default>
                <port>
                  <member>tcp/443</member>
                  <member>tcp/80</member>
                </port>
              </default>
              <signature>
                <entry name="Host Match">
                  <and-condition>
                    <entry name="And Condition 1">
                      <or-condition>
                        <entry name="Or Condition 1">
                          <operator>
                            <pattern-match>
                              <pattern>example\.com</pattern>
                              <context>http-req-host-header</context>
                            </pattern-match>
                          </operator>
                        </entry>
                      </or-condition>
                    </entry>
                  </and-condition>
                  <scope>protocol-data-unit</scope>
                  <order-free>no</order-free>
                </entry>
              </signature>
              <subcategory>internet-utility</subcategory>
              <category>general-internet</category>
              <technology>browser-based</technology>
              <risk>1</risk>
            </entry>


You can use a site like THIS to get the hex easily. In the example above, the only tool option that I leave enabled is 'Add Zero to Short Values'; both 'Separate Hex Values' and 'Add Hex Base Indicator' I personally leave off to avoid character limits, and it will still work perfectly fine.
You could also collapse the signatures together within a single entry if you wanted, instead of separating them out into "Example-Site" and "SSL-Example-Site" like I did. I personally like having both because it creates a delimitation, but that's absolutely not required.

L6 Presenter

As @BPry mentioned, you can use App-ID and match the allowed hostname. You can also create a threat signature that matches on web or SSL traffic when a hostname or SNI is present, and use the Negate rule match to exclude, for example, "example\.com" so as not to block the valid domain.

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-custom-objec...
