This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Whatsapp File transfer Block

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Whatsapp File transfer Block

Thomasevig
L1 Bithead

‎08-15-2022 12:21 AM

i work as a security specialist engineer at a moderate
enterprise.
recently my superiors have asked me to block whatsapp file transfer only(meaning chat would still work).
however i've tried anything using our Fw's but to no avail.

from what i have read on some forums and various sources, i need to url block
mmi.whatsapp
mms and mmv..
i tried doing that yet it didn't seem to help.
i can still upload/download files from both
whatsapp web and the desktop application.

is it possible to
get support from you on this matter please?
is blocking ft even achievable?

thank you so much,

best regards,

Thomas.

11 REPLIES 11

MichaelWrigh
L2 Linker

‎08-15-2022 07:00 AM

Hi Thomas,

You would need to be blocking the Whatsapp file-sharing application, are you able to see this application on your firewall? To be able to you will need to be decrypting the Whatsapp traffic.

ahandoo
L2 Linker

‎08-16-2022 02:40 AM

Hi Thomas,

On the firewall, the application description says,
WhatsApp has integrated the TextSecure encryption protocol, which enforces certificate pinning to its most recent update. Due to this we can longer decrypt this application, and it will be added to the SSL exclude list. Policies enforcing "whatsapp-base" will continue to function normally, but policies using "whatsapp-file-transfer" can no longer be enforced.

 

ahandoo_0-1660639495559.png

 

Unfortunately firewall cannot see what is sent by the client in an encrypted packet (chat/upload, etc). Furthermore, the application does not like to get decrypted as it uses end-to-end encryption. This means that even if we do SSL inspection we won’t be able to see the content of a message. 

Although you can block the URLs to which the traffic is traversing provided we have the SNI information, however from my personal experience, these URLs keeps changing from time to time.

 

 

Regards

 

Thomasevig
L1 Bithead
In response to MichaelWrigh

‎08-16-2022 03:30 AM

Hi Michael, 

thanks for your reply.

 

unfortunately, 

i have already tried blocking both whatsapp file sharing and

whatsapp-base applications on the 

fw yet that didn't seem to do anything.

 

 

0 Likes Likes

Thomasevig
L1 Bithead
In response to ahandoo

‎08-16-2022 03:31 AM

Hi Ahandoo, 

 

thank you. 

i actually tried to block these applications, yet 

to no avail. 

 

also, can you please elaborate on the SNI Information?

what exactly is it? and how do i obtain it? 

 

thank you . 

0 Likes Likes

ahandoo
L2 Linker
In response to Thomasevig

‎08-16-2022 04:50 AM - edited ‎08-17-2022 11:55 PM

Hi Thomas,

SNI is the Server Name Identification field present in the Client Hello of SSL/TLS Handshake. It allows the client to indicate the hostname which it is trying to connect. For more information , you can refer to this link.

You will have to take network trace or packet capture to know this information.
We can find multiple videos on youtube on how to find the SNI from a packet capture. You can check this video.

Regards,

0 Likes Likes

Thomasevig
L1 Bithead

‎08-21-2022 04:04 AM

Hello, 

i still haven't managed to sort this issue out, 

we're considering using a different solution

as it appears to be un-solvable by the looks 

of it.

 

thank you all for your contribution.

0 Likes Likes

ahandoo
L2 Linker
In response to Thomasevig

‎08-23-2022 12:29 PM

Hi @Thomasevig 

 

There is a lot of work associated with blocking/allowing URLs, not only for this but for a wide variety of scenarios. It can be tricky sometimes.
My lab experience using the URL Filtering profiles allowed me to block Whatsapp upload of images & videos while allowing the messages to be sent. I am sharing it if it can help.

Created a URL Category including 
mmg.whatsapp.net/
*.cdn.whatsapp.net

ahandoo_0-1661282359329.png

Created a URL filtering profile and set the above created URL category to block.

Added the URL filtering profile to the rule which matches the Whatsapp traffic.

 

 

Note: In order to get the list of the URLs to block, I took a packet capture on the host which was running the Whatsapp application or the Whatsapp web.

 

Regards,

Arnesh

0 Likes Likes

Leonid.Rozgon
L1 Bithead

‎11-02-2022 09:31 AM

We are seeing the same behavior with our policy.

It looks like at the moment Palo-Alto is unable to provide solution to block whatsapp file transfers.

The method suggested above using URL categories also doesn't seem to work.

If anyone have some other solution for this problem it would be very helpful.

0 Likes Likes

Thomasevig
L1 Bithead

‎11-29-2022 01:23 AM

hello, 

 

is there any other workaround we can implement? 

has anyone tried anything 

0 Likes Likes

KarienVerster
L0 Member

‎12-08-2022 05:48 AM - edited ‎12-08-2022 06:48 AM

I know this thread seems to be a few months old, but I wanted to add that I had to do this exact thing this morning on one of our FWs and it worked fine.  

Whats-app chat and calls are still allowed.

however, file transferring (even voice notes) is not.  

The rule I used looks like:

KarienVerster_0-1670506794649.png

Basically, everything WhatsApp needs to work is allowed in this rule, except the 'whatsapp-file-transfer' application

 

Our catch-all-block-rule at the end of our security policies will catch the file transfers, which is not explicitly allowed anywhere, and block them. 

We don't have any special decryption configured either. Palo Alto correctly classifies all this traffic so we could create this rule without issue.

 

We are using a PA460, on Firmware 10.2.3 if this helps.  

 

@Thomasevig perhaps check your monitoring on the FW, while doing a file transfer on WhatsApp to see if your traffic is correctly classified.  If yes, then this rule should work for you.  

 

tbh - I was trying to get only uploads on WhatsApp blocked, with downloads still working.  But I was unable to get this working.  It is either a block all file transfer or nothing it seems.

(1)

nikoolayy1
L6 Presenter
In response to KarienVerster

‎02-01-2023 02:40 AM

You can test if enabling SSL decryption just for the destination FQDN/IP addresses of  WhatsApp out of working hours if it starts working.

 

Also there is an application debug that have described in the discussion below, so if you want to play again outside working hours you can try "Other use case that I know is to see the application shift if there is an issue how the Palo Alto changes the matched application by enabling the "appid" debug. "

 

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-r...

 

0 Likes Likes
  • 8632 Views
  • 11 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks