How to filter browsertype based requests


L1 Bithead

Hello (we need support 🙂 ),

We want to filter, on our PA 500, all outbound HTTP traffic by User-Agent type.

As explanation: we want to know (and later block) all users who are using MSIE 7.0 (for example) for outgoing browsing.

Following are ideas from our side, but so far no success with the implementation.

1) Using DataFiltering on a global outbound web-browsing policy

Using a Data Pattern with .*(compatible; MSIE)

This obviously does not work.

2) Using a self created Application

with the same pattern

This obviously does not work.

<response status="success" code="19">
  <result total-count="1" count="1">
    <entry name="sh_browser_type">
      <category admin="zieglerj" time="2010/01/20 15:38:15">media</category>
      <subcategory admin="zieglerj" time="2010/01/20 15:38:15">photo-video</subcategory>
      <technology admin="zieglerj" time="2010/01/20 15:38:15">browser-based</technology>
      <risk admin="zieglerj" time="2010/01/20 15:38:15">5</risk>
      <consume-big-bandwidth admin="zieglerj" time="2010/01/20 15:38:15">no</consume-big-bandwidth>
      <able-to-transfer-file admin="zieglerj" time="2010/01/20 15:38:15">no</able-to-transfer-file>
      <used-by-malware admin="zieglerj" time="2010/01/20 15:38:15">no</used-by-malware>
      <evasive-behavior admin="zieglerj" time="2010/01/20 15:38:15">no</evasive-behavior>
      <has-known-vulnerability admin="zieglerj" time="2010/01/20 15:38:15">no</has-known-vulnerability>
      <pervasive-use admin="zieglerj" time="2010/01/20 15:38:15">no</pervasive-use>
      <prone-to-misuse admin="zieglerj" time="2010/01/20 15:38:15">no</prone-to-misuse>
      <tunnel-applications admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-applications>
      <tunnel-other-application admin="zieglerj" time="2010/01/20 15:38:15">no</tunnel-other-application>
      <data-ident admin="zieglerj" time="2010/01/20 15:38:15">no</data-ident>
      <virus-ident admin="zieglerj" time="2010/01/20 15:38:15">no</virus-ident>
      <file-type-ident admin="zieglerj" time="2010/01/20 15:38:15">no</file-type-ident>
      <spyware-ident admin="zieglerj" time="2010/01/20 15:38:15">no</spyware-ident>
      <decoder admin="zieglerj" time="2010/01/20 15:38:15">http</decoder>
      <default>
        <port>
          <member admin="zieglerj" time="2010/01/20 15:38:15">tcp/dynamic</member>
        </port>
      </default>
      <signature>
        <entry name="User_Agent_IE">
          <comment admin="zieglerj" time="2010/01/20 15:38:15">Identifies the User-Agent of MSIE 7.0</comment>
          <order-free admin="zieglerj" time="2010/01/20 15:38:15">yes</order-free>
          <scope admin="zieglerj" time="2010/01/20 15:38:15">protocol-data-unit</scope>
          <and-condition>
            <entry name="AND 1">
              <or-condition>
                <entry name="OR 1">
                  <context admin="zieglerj" time="2010/01/20 15:38:15">http-req-headers</context>
                  <method admin="zieglerj" time="2010/01/20 15:38:15"/>
                  <pattern admin="zieglerj" time="2010/01/20 15:38:15">MSIE 7/.</pattern>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
        </entry>
      </signature>
    </entry>
  </result>
</response>

12 REPLIES

L5 Sessionator

Hi Smartboy,

The second option is probably your best bet with the custom app. Support has requested that you open a case with them so that they can work with you to create it.

L4 Transporter

Your App-ID looks good except for a few things. Your pattern is really close but should be "MSIE 7\.0". With no other changes, this should start identifying traffic from IE7 (or at least traffic that claims to be IE7).

Once you get the signature working, you will likely run into another issue. It looks like you did not check the "Continue scanning for other applications" checkbox. This is fine if your intent is to block IE7, but if you want to allow IE7, this will turn all browsing traffic into IE7 for those users. This means you will not see what other web-based applications they are running. If you are just interested in knowing who is running IE7, then you could check that box and then the system would continue scanning for other applications. With this approach, only the traffic that is generic web-browsing would get classified as IE7 since no other more specific app would be found. YouTube would continue to show up as YouTube and Facebook would continue to show up as Facebook. However, if you did an ACC filter on IE7, you will be nearly guaranteed to have at least one session from each IE7 user that was generic web-browsing (now showing up as IE7), allowing you to know who is running it without losing visibility into more detailed app info.

Let us know if this works.

Mike

Hi, thanks for the response.

I will open a case.

Thanks Mike for this "short" answer.

I will try this out as soon as possible and let you know the result.

Cheers.

Hi Mike,

could you describe the policy rule which I should implement for blocking my traffic using IE?

Actually (after I checked "Continue scanning for other applications") I activated the following rule:

trust to untrust, source any, source user (domain\myself e.g.), dest any, Application sh_browser_type, action deny, profile none, options Send Traffic Log at session start.

Where is my mistake?

Cheers

Do you see sh_browser_type showing up in ACC or any logs? Prior to turning on blocking, you might want to allow it and see if it is showing up correctly. Once that is working, turning on a deny rule should work.

Mike

Hi Mike,

I see the request in the ACC Monitor. The rule works fine now. I can even block dedicated browser types on a user-based selection.

Big effort. Thanks for this marvelous support.

Not applicable

How can I add the User-Agent pattern? I am new to PA and I need some help.

Moved this thread to DevCenter since it discusses creating custom App-IDs.

To filter by user-agent, you need to create a custom App-ID. The key signature in the App-ID will contain the following:

Context: http-req-headers

Pattern: MSIE 7\.0

Here's a screenshot of what the signature will look like in the UI:

[screenshot not included: Screen shot 2010-07-27 at 7.31.39 AM.png]

To create a custom app, you go to the Objects tab and select Applications. Clicking the New button will start you down the path. There is a tutorial on creating custom apps here: How to Configure Custom HTTP-Based Apps.

Mike
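Before committing a signature, it helps to run the pattern against sample headers offline. The following Python is an added example, not from the thread or from PAN-OS: it parses a constructed excerpt of the poster's App-ID XML, evaluates the AND/OR conditions against constructed requests to show why "MSIE 7/." misses IE7 while the corrected "MSIE 7\.0" hits it, and models the "Continue scanning for other applications" behaviour Mike describes; the SPECIFIC_APPS table is a hypothetical stand-in for the real App-ID database.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the thread's custom App-ID (signature part only, audit attributes dropped).
APP_XML = """<entry name="sh_browser_type">
  <signature><entry name="User_Agent_IE">
    <and-condition><entry name="AND 1"><or-condition><entry name="OR 1">
      <context>http-req-headers</context>
      <pattern>MSIE 7/.</pattern>
    </entry></or-condition></entry></and-condition>
  </entry></signature>
</entry>"""
# Constructed sample requests: IE7 to a generic site, IE7 to YouTube, Firefox, and a UA that
# contains "MSIE 7/5" (it satisfies the typo pattern "MSIE 7/." without being IE7).
IE7 = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n"
IE7_YT = IE7.replace("www.example.com", "www.youtube.com")
FIREFOX = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\r\n\r\n"
ODD = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: MyBot (MSIE 7/5 emulation)\r\n\r\n"

# Hypothetical stand-in for the built-in App-ID database: hosts that a "more specific" app would claim.
SPECIFIC_APPS = {"www.youtube.com": "youtube", "www.facebook.com": "facebook"}

def load_conditions(xml_text, pattern_override=None):
    """Parse the signature into AND groups, each a list of (context, regex).
    pattern_override swaps in another regex so the corrected one can be tried."""
    root = ET.fromstring(xml_text)
    groups = []
    for and_cond in root.iter("and-condition"):
        grp = [(e.findtext("context"), pattern_override or e.findtext("pattern"))
               for e in and_cond.iter("entry") if e.find("pattern") is not None]
        groups.append(grp)
    return groups

def signature_hits(groups, request):
    """App-ID style evaluation: every AND group needs one OR pattern to match the request headers."""
    headers = request.split("\r\n\r\n", 1)[0]
    return all(any(re.search(p, headers) for ctx, p in grp if ctx == "http-req-headers")
               for grp in groups)

def classify(groups, request, continue_scanning):
    """Model the 'Continue scanning for other applications' checkbox: off, any hit becomes
    sh_browser_type; on, a more specific app still wins and only generic browsing is relabelled."""
    host = re.search(r"^Host:\s*(\S+)", request, re.M | re.I).group(1)
    hit = signature_hits(groups, request)
    if hit and not continue_scanning:
        return "sh_browser_type"
    if host in SPECIFIC_APPS:
        return SPECIFIC_APPS[host]
    return "sh_browser_type" if hit else "web-browsing"
```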

Hi,

I want to identify all the users that use browsers that are different from MSIE.

I tried different regexp conditions, but it does not seem to work.

I cannot use [^(MSIE)*] because of the 7-character limit, and no other expression seems to work.

Any ideas?

https://addons.mozilla.org/en-us/firefox/addon/user-agent-switcher/

You may not want to waste your time writing a custom App-ID based on User-Agent when your users can just circumvent your rules.

Thank you, I use this add-on myself, but I still need the custom app.

I have another application (Spectator) that identifies computers with Firefox installed and removes it / kills the process;

the bottom line is that I want to close it from all directions, both in PA and in Spectator.
