About ovel

Thank you Jdelio, this is exactly how I configured it, and it works till you go to that hamster show channel after which none of blocks are working and you can surf freely over youtube 🙂 I have no idea why. quic and udp443 are blocked, so it's definitely not going over these protocols.   Is there any way to grab unencrypted packet capture between firefox and the internet? I tried to do packet capture on Palo, but it's all in TLS, so pretty much useless. ... View more

There are actually 2 ways: - update python code and then minemeld settings to reduce the number of mining attempts so that it will reduce the number of queries to youtube API. - create multiple youtube accounts and use different API keys.   I did the latter. Effectively, youtube resets the counters every 24-hour cycle. The only thing you might miss is if someone during theis remaining 24-hours cycle has uploaded a new video into the channel you subscribed. These videos will be invisible till the next day. ... View more

It would be awesome to harden Android GlobalProtect when it's in Always-On mode. Despite that the admin can disable sign out, GP can be simply killed by the Android OS, or a user can simply remove the app from the phone, or kill the VPN in the settings. Yes, you can try to configure it on MDM, but it means a different ifrastructure, and, in most cases MDM will not help for BYOD devices. Look how it's been done on Checkpoint Sandblast, or google maps or any other navigation system. It can't be killed by the os at any time or by another app. Or look how kaspersky implemented their antivirus solution. no way to get it removed without knowing the password. So why GP is so weak then ? Another awesome feature would be if GP could detect from which android app the traffic is being sourced. For example if you watch youtube and use google play store, you can't differentiate the traffic, because in both cases they're using QUIC. You can't decrypt quic, disabling quic means you will make google play not working, so how can we, for example, enable google play, but disable watching youtube videos using youtube app. Or their google maps are also using quic. ... View more

I've been working on a project where i had to put some restrictions on the network for BYOD and managed kids' devices. Palo works perfectly when it comes to enable SSL Dec on PCs, but then nightmare begins with smartphone/tablets.   Effectively, the aim was to implement for kids' user group youtube content filtering (minemeld), + safesearch and allow as much BYOD devices as we could. I concentrated on android devices first because it was easy to import the root CA cert into them, however, there are a LOT of native apps that use embedded certificate pinning. Most of native google apps are using quic protocol (and udp/443) instead of SSL, and unlike Chrome browser they don't fall back to SSL if quic is denied, they simply stop working. Google Play Store is one of them. If you don't allow quic protocol, it won't work.   The most annoying thing that every device has sort of a built-in small http/https browser that is coming up when WiFi is on, and the first thing it does, it checks the accessibility of www.google.com. The worst part is that this built-in browser doesn't look into the inported user Root CAs certs, and if you have SSL Dec on www.google.com, it won't be able to get the response and you will get this small cross icon on your wifi picture on the phone saying that "the internet may not be available". The internet will work actually on the device, but it appears that many apps tend to detect the internet state using some Android API, if you have this cross on, your google play won't work, some email apps won't even attempt to download email and other irritating stuff. I had to implement a special gstatic url category with a long list of urls, where various devices are trying to go, and disable SSL decryption for these URLs. Unfortunately, so far i couldn't find a way how can I enable SSL dec for www.google.com   Another pain in the arse is Android GlobalProtect VPN client that has to force all packets going over VPN even on 4G connections. Yes, you can configure it in always-on mode and deny signing out, but... the app simply can be uninstalled by a phone user. Or just stopped, or killed, or kids can run angry birds on their Samsung S5 and GlobalProtect silently dies. This is annoying and completely diminish the always-on idea. Yes, Palo recommends to use MDM, but if you have 10-15 devices, deploying MDM is jsut another instance that you will have to look after. Eventually, I deployed a free MDM server, but it's happened that GlobalProtect is not killable/dying only when you make a device as a device owner, so it's not so suitable for BYOD devices. On BYOD devices MDM is supposed to create a work profile... a good idea, but only if devices have android 7 or higher. The mentioned Samsung S5 will not have any work profile and you can't lock out the always-on VPN. Another Android 9 based phone from ZTE simply will not create the work profile. Maybe a firmware bug, who knows, but you can't accept such device then. So, i'd say the attempt to lock down the GlobalProtect app and it's vpn on BYOD devices is not successful.The only way to make it working is to enrol the device as device owner and that means full factory reset of the device before enrollment.   Palo should consider how they can harden the app install, maybe make it into the admin mode andprevent it from killing. It should not rely on third party MDM solutions.   The only way I eventually found how to make the final solution acceptable is to run all this in conjunction with Kaspersky Safe Kids. Unlike GlobalProtect app, it's just not possible to kill/uninstall Kaspersky. It's running all the time, it can block certain app, it can filter what is requested in browsers, and you can even set up how much time each app can be running for. ... View more

Hi Eronko,   The certificate is not so important at this stage, i also have a self signed one, but it's better if your GP client would install the firewall Root CA into the host PCs if you plan to use SSL Decryption. You don't need to enable user-id on the outside zone. The outside zone is not supposed to identify users, it's the gateway's role on that side. What is important though is that your internal users have to be able to reach your external gateway IP from inside. In my understanding when GP client is trying to authenticate the user, it goes to the external gateway, authenticate it over there as per your auth profile, and only AFTER that it checks whether the user is internal or not. ... View more

dind't help. I have a lenovo tablet and it shows no network till I remove www.google.com from the decryption list. ... View more

don't know, it might sound silly, but if IE has managed to negotiate with the site and is able to show its content, why PA can't do the same and use a compatible protocol to show the site content? ... View more

I have firefox 71.0 and have the same issue. The error just appears differently. The only browser is working correctly is an old IE in Win7.   From the firefox:   Your connection is not secure The website tried to negotiate an inadequate level of security. www.di.fm uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site. Error code: NS_ERROR_NET_INADEQUATE_SECURITY ... View more

I have the same issue on 9.1.0 VM-50 ... View more

So I believe you're looking for how to authenticate logged in users whether they're outside or inside. I've spent 2 ways on how to do it, the documentation is not describing it clearly. You need to have 2 gateways for this, one external, and one internal one. The internal gateway can be your firewall interface inside IP address, the main trick is here: this IP must be resolvable into your internal hostname you specified in the portal config in both ways: in the direct internal DNS resolution, and also reversed DNS resolution.   In my example I have the inside L3 interface with the IP 192.168.1.1. In my internal DNS there is an A record pa-int.ovel.ru pointing to this IP, and ALSO there is reversed zone arpa.1.168.192 that resolves .1 into pa-int.ovel.ru.   The gateway config is here: Authentrication   And then the portal config is here:   Internal Gateway:   And after that your GlobalProtect should be able to get your user authenticated straight away.     And yes, it's very important: All this is working in "Always-On" mode only!!! At least in my case. Hope this helps.     ... View more

This "some stuff to bypass" finally appears as "bypass everything" on mobile platforms. If you don't, you can't get even google play working. And I still don't know what to bypass to make google maps app working. Not in the browser, but in the app itself. ... View more

This approach doesn't look feasible when you have one WLAN for mobile and laptops. How are you going to differentiate who is who ? Win/Mac based laptops are sitting in the same wireless network as android/apple smartphones. To be honest, while SSL decryption on PCs is working reasonably fine, Palo has huge problems with mobile devices, e.g. android/apple smartphones. Most of apps simply don't work with SSL Dec enabled and it's a pain to find out what to unblock for a particular app, and it's not reliable at all. Google is rapidly moving on implementing QUIC everywhere, and if I block QUIC app, google play app simply stops working.I will post separately a lot of issues I'm currently stuck in when I enabled SSL Dec for mobile devices. I see 2 feasible ways to fix this: 1. Palo will allow fallback to normal unencrypted ssl mode if it can see "decrypt-error" in logs. 2. Palo will implement informing the firewall using GlobalProtect App about the platform is being used, but there are 2 issues:  - GlobalProtect now can be simply switched off by the Android OS or by a user even it's in Always-on mode. I have a number of phones that have GP just not working. Palo sould look into a better protection from interaction between users and GP. Look, for example, how Kaspersky Safe Kids app is implemented. You simply can't switch it off. It's always running and there is no way to kill it without proper authorization. - we will still have problems with users who don't have GP and getting authorized using Captive Portals.   So, don't know what to say. While PAN FW is awesome for PCs, it's really weak in the world of mobile apps. Even Checkpoint SandBlast works more reliable than GP.     ... View more

Hi Everyone,   I have fixed #1 from my previous question. I'm not good with github and don't have clear understanding of how it works, so I cloned the original repository in my own, updated the source python code a little bit and fed it to Minemeld. So the videos are being played successfully on both PC and mobile browsers (not youtube app tho). If you want, here is the souce to my repository on github: https://github.com/ovel1/youtube-miner   Re filtreing  the native youtube app, so far the only way I found is integrating the childrens' mobile devices into Kaspersky Safe Kids environment and simply switching the app off. So that allows the kids to play only selected videos in browsers.   ... View more

Hi xhomos,   First of all, thank you very much for this way of whitelisting youtube videos. It appears this is the only feasible way so far. I'm trying to implement some whitelists for children and while it works ok on a PC, there are problems with mobile devices:   1. In a mobile browser all videos appear to be starting from m.youtube.com, not www. So the dynamic list never matches. How can we get something like *.youtube.com instead of www? 2. While it seems to be working in browsers in PC mode on  mobile devices we know that there is a special youtube app that people use. When I use ssl decryption, this app simply doesn't show anything. When I switch off the ssl decryption, the videos are not getting filtered. So the only working, and quite ugly way is to block the app from running and enforce watching videos in the browsers only. Is there any way to get the app and filtering working properly?    ... View more