01-20-2010 07:02 AM
Hello (we need support 🙂 ),
we want to filter all outbound HTTP traffic on our PA 500 by User-Agent type.
As explanation: we want to know (and later block) all users who are using MSIE 7.0 (for example) for outgoing browsing.
Following are the ideas from our side, but so far no success on the implementation.
1) Using Data Filtering on a global outbound web-browsing policy,
using a Data Pattern with .*(compatible; MSIE)
This obviously does not work.
2) Using a self-created Application
with the same pattern
This obviously does not work.
<response status="success" code="19">
<result total-count="1" count="1">
<entry name="sh_browser_type">
<category admin="zieglerj" time="2010/01/20 15:38:15">media</category>
<subcategory admin="zieglerj" time="2010/01/20 15:38:15">photo-video</subcategory>
<technology admin="zieglerj" time="2010/01/20 15:38:15">browser-based</technology>
<risk admin="zieglerj" time="2010/01/20 15:38:15">5</risk>
<consume-big-bandwidth admin="zieglerj" time="2010/01/20 15:38:15">no</consume-big-bandwidth>
<able-to-transfer-file admin="zieglerj" time="2010/01/20 15:38:15">no</able-to-transfer-file>
<used-by-malware admin="zieglerj" time="2010/01/20 15:38:15">no</used-by-malware>
<evasive-behavior admin="zieglerj" time="2010/01/20 15:38:15">no</evasive-behavior>
<has-known-vulnerability admin="zieglerj" time="2010/01/20 15:38:15">no</has-known-vulnerability>
<pervasive-use admin="zieglerj" time="2010/01/20 15:38:15">no</pervasive-use>
<prone-to-misuse admin="zieglerj" time="2010/01/20 15:38:15">no</prone-to-misuse>
<tunnel-applications admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-applications>
<tunnel-other-application admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-other-application>
<data-ident admin="zieglerj" time="2010/01/20 15:38:15">no</data-ident>
<virus-ident admin="zieglerj" time="2010/01/20 15:38:15">no</virus-ident>
<file-type-ident admin="zieglerj" time="2010/01/20 15:38:15">no</file-type-ident>
<spyware-ident admin="zieglerj" time="2010/01/20 15:38:15">no</spyware-ident>
<decoder admin="zieglerj" time="2010/01/20 15:38:15">http</decoder>
<default>
<port>
<member admin="zieglerj" time="2010/01/20 15:38:15">tcp/dynamic</member>
</port>
</default>
<signature>
<entry name="User_Agent_IE">
<comment admin="zieglerj" time="2010/01/20 15:38:15">Identifies the User-Agent of MSIE 7.0</comment>
<order-free admin="zieglerj" time="2010/01/20 15:38:15">yes</order-free>
<scope admin="zieglerj" time="2010/01/20 15:38:15">protocol-data-unit</scope>
<and-condition>
<entry name="AND 1">
<or-condition>
<entry name="OR 1">
<context admin="zieglerj" time="2010/01/20 15:38:15">http-req-headers</context>
<method admin="zieglerj" time="2010/01/20 15:38:15"/>
<pattern admin="zieglerj" time="2010/01/20 15:38:15">MSIE 7/.</pattern>
</entry>
</or-condition>
</entry>
</and-condition>
</entry>
</signature>
</entry>
</result>
</response>
01-20-2010 06:57 PM
Your App-ID looks good except for a few things. Your pattern is really close but should be "MSIE 7\.0". With no other changes, this should start identifying traffic from IE7 (or at least traffic that claims to be IE7).
Once you get the signature working, you will likely run into another issue. It looks like you did not check the "Continue scanning for other applications" checkbox. This is fine if your intent is to block IE7, but if you want to allow IE7, this will turn all browsing traffic into IE7 for those users. This means you will not see what other web-based applications they are running. If you are just interested in knowing who is running IE7, then you could check that box and then the system would continue scanning for other applications. With this approach, only the traffic that is generic web-browsing would get classified as IE7 since no other more specific app would be found. YouTube would continue to show up as YouTube and Facebook would continue to show up as Facebook. However, if you did an ACC filter on IE7, you will be nearly guaranteed to have at least one session from each IE7 user that was generic web-browsing (now showing up as IE7), allowing you to know who is running it without losing visibility into more detailed app info.
Let us know if this works.
Mike
01-21-2010 06:46 AM
Hi, thanks for the response.
I will open a case.
01-21-2010 07:55 AM
Thanks Mike for this "short" answer.
I will try this out as soon as possible and let you know the result.
Cheers.
01-21-2010 08:08 AM
Hi Mike,
could you describe the policy rule which I should implement for blocking my traffic using IE?
Actually (after I checked "Continue scanning for other applications") I activated the following rule:
trust to untrust, source any, source user (domain\myself e.g.), dest any, Application sh_browser_type, action deny, profile none, options Send Traffic Log at session start.
Where is my mistake?
Cheers
01-21-2010 09:33 AM
Do you see sh_browser_type showing up in ACC or any logs? Prior to turning on blocking, you might want to allow it and see if it is showing up correctly. Once that is working, turning on a deny rule should work.
Mike
01-22-2010 01:36 AM
Hi Mike,
I see the request in ACC Monitor. The Rule works fine now. I can block even on user based selection dedicated browser types.
Big effort. Thanks for this marvelous support.
07-27-2010 07:52 AM
Moved this thread to DevCenter since it discusses creating custom App-IDs.
To filter by user-agent, you need to create a custom App-ID. The key signature in the App-ID will contain the following:
Context: http-req-headers
Pattern: MSIE 7\.0
Here's a screenshot of what the signature will look like in the UI:
To create a custom app, you go to the Objects tab and select Applications. Clicking the New button will start you down the path. There is a tutorial on creating custom apps here: How to Configure Custom HTTP-Based Apps.
Mike
02-20-2011 01:24 AM
Hi,
I want to identify all the users that use browsers other than MSIE.
I tried different regexp conditions but it does not seem to work.
I cannot use [^(MSIE)*] because of the 7-character limit, and no other expression seems to work either.
any ideas?
02-23-2011 04:21 PM
https://addons.mozilla.org/en-us/firefox/addon/user-agent-switcher/
You may not want to waste your time writing a custom App-ID based on User-Agent when your users can just circumvent your rules.
02-23-2011 10:55 PM
Thank you, I use this add-on myself, but I still need the custom app.
I have another application (Spectator) that identifies computers with Firefox installed and removes it / kills the process;
the bottom line is that I want to close it from all directions, both in PA and in Spectator.
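As an added worked example (not code from the thread or from Palo Alto Networks), the script below checks the two candidate patterns from the thread against constructed HTTP request headers, shows why the posted "MSIE 7/." never matches while "MSIE 7\.0" does, takes the positive-match route for the "every browser except MSIE" question (one pattern per non-IE family instead of a negated expression), and runs the user's deny rule as a first-match policy. Python's re module stands in for the firewall's signature matcher and does not reproduce PAN-OS pattern limits such as the minimum length mentioned above; the sample requests, the app name sh_non_msie_browser and the NON_MSIE_PATTERNS list are assumptions for illustration. The firefox_spoofed sample is Firefox with its User-Agent switched to claim IE7, which is the circumvention the User-Agent Switcher link above refers to.

```python
import re

# Constructed sample HTTP requests (not captured traffic). Each string is what
# the firewall's http-req-headers context sees for one client session.
SAMPLE_REQUESTS = {
    "ie7": "GET / HTTP/1.1\r\nHost: example.com\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n",
    "ie8": "GET / HTTP/1.1\r\nHost: example.com\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n\r\n",
    "firefox": "GET / HTTP/1.1\r\nHost: example.com\r\n"
               "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:1.9.2) "
               "Gecko/20100115 Firefox/3.6\r\n\r\n",
    # Firefox with its User-Agent switched to claim IE7: the client controls this header.
    "firefox_spoofed": "GET / HTTP/1.1\r\nHost: example.com\r\n"
                       "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n",
}

# Candidate patterns from the thread.
PATTERN_AS_POSTED = r"MSIE 7/."   # '/' is literal and '.' a wildcard: never matches "MSIE 7.0"
PATTERN_FIXED = r"MSIE 7\.0"      # escaped dot: matches the literal "7.0" and nothing else

# "Every browser that is not MSIE": no negated pattern was usable in the thread,
# so match each non-IE family positively instead (hypothetical list; extend as needed).
NON_MSIE_PATTERNS = [r"Firefox/", r"Chrome/", r"Opera/", r"Safari/"]


def request_headers(raw):
    """Header block of a raw HTTP request, the part http-req-headers scopes to."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    return head


def header_matches(raw, pattern):
    """Apply one signature pattern to the request headers.
    Python's re stands in for the firewall's matcher; it is not the PAN-OS engine."""
    return re.search(pattern, request_headers(raw)) is not None


def classify(raw):
    """Return the custom App-ID name a session would be tagged with (names assumed).
    The IE7 app is checked first, then the positive non-MSIE app, and anything
    else stays generic web-browsing."""
    if header_matches(raw, PATTERN_FIXED):
        return "sh_browser_type"
    if any(header_matches(raw, p) for p in NON_MSIE_PATTERNS):
        return "sh_non_msie_browser"
    return "web-browsing"


def evaluate_policy(raw, rules):
    """First-match-wins over an ordered list of (application, action) rules,
    the way the deny rule from the thread sits in front of a general allow.
    Falls through to deny if no rule matches."""
    app = classify(raw)
    for rule_app, action in rules:
        if rule_app in ("any", app):
            return app, action
    return app, "deny"


BLOCK_IE7_RULES = [
    ("sh_browser_type", "deny"),      # the thread's rule: deny the IE7 custom app
    ("web-browsing", "allow"),
    ("sh_non_msie_browser", "allow"),
]


def run_samples():
    """Classify every constructed sample under both patterns and the policy."""
    return {
        name: {
            "as_posted": header_matches(raw, PATTERN_AS_POSTED),
            "fixed": header_matches(raw, PATTERN_FIXED),
            "app": classify(raw),
            "action": evaluate_policy(raw, BLOCK_IE7_RULES)[1],
        }
        for name, raw in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16s} {result}")
```

The firefox_spoofed sample ends up classified and denied exactly like real IE7, which is the point made above: a User-Agent signature identifies what the client claims to be, so a deny rule built on it is a usability control against cooperative clients, not a security boundary, and the positive non-MSIE patterns are only as complete as the list you maintain.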