How to Block Internet Explorer (all versions) from Internet Access
In a scenario where a certain web-browser needs to be completely blocked for http or https, Palo Alto NGFW can provide granular control via custom signatures. In our example, it'd be the ubiquitous Internet Explorer. The requirement is to prevent only the http or https traffic, any other protocol using the browser (e.g. ftp) should be allowed. How to achieve this?
NOTE: Decryption is a must for https traffic. We need to have full visibility on the traffic after the SSL-handshake.
- Navigate to the Objects tab. Under 'Applications', click on the 'Add' option to create a new application.
Give a suitable name, category, sub-category and technology.
- Under the 'Signatures' tab, click on 'Add' to add a new signature. This will open a pop-up box.
- After providing an appropriate name, click either on 'Add or Condition' or 'Add and Condition'. Since we are adding a single condition, either option is fine. However, If you are adding multiple conditions, please choose the operator suitably.
- Choosing the 'Or condition' or 'And condition' option would open another pop-up box. Here, you should choose the following:
- Operator - Pattern Match
- Context - http-req-headers
- Pattern - Trident\/
- Lastly, add it to a particular Deny policy. As a slight difference, you can choose the action as 'Reset (with client, server or both)'. This will end the session faster and free up resources on the firewall quicker.
If everything was configured correctly, we should see the proper action taken by the firewall. As a result, the traffic logs should look like this:
On the client, the browser will immediately show 'This page cannot be displayed' or similar message.
However, as expected FTP access through the web-browser works just fine.
If we take the packet-captures, we'd observe the RST packet injected in the TCP stream:
This signature is derived from the 'User-Agent' field in the GET packet. The same technique can be used to match for other web-browsers or different versions, if needed. For example, to match all the versions of firefox, the pattern would be Firefox\/ and so on.
owner - ansharma