How to Block Internet Explorer (all versions) from Internet Access

Created On 09/25/18 17:18 PM - Last Updated 02/08/19 00:08 AM
Symptom

When a particular web browser must be completely blocked for HTTP or HTTPS, a Palo Alto NGFW can provide granular control via custom signatures. In our example, the browser is the ubiquitous Internet Explorer. The requirement is to block only HTTP and HTTPS traffic; any other protocol used through the browser (e.g. FTP) should still be allowed. How to achieve this?



Resolution

NOTE: Decryption is a must for HTTPS traffic. The firewall needs full visibility into the traffic after the SSL handshake.

 

  1. Navigate to the Objects tab. Under 'Applications', click on the 'Add' option to create a new application.
    Give a suitable name, category, sub-category and technology.
  2. Under the 'Signatures' tab, click on 'Add' to add a new signature. This will open a pop-up box.
  3. After providing an appropriate name, click either on 'Add or Condition' or 'Add and Condition'. Since we are adding a single condition, either option is fine. However, if you are adding multiple conditions, choose the operator that fits.
  4. Choosing the 'Or condition' or 'And condition' option opens another pop-up box. Here, you should choose the following:
    • Operator - Pattern Match
    • Context - http-req-headers
    • Pattern - Trident\/
  5. Lastly, add the application to a Deny policy. As a slight difference, you can choose the action 'Reset (with client, server or both)'. This will end the session faster and free up resources on the firewall quicker.

 

Verification:

 

If everything was configured correctly, the traffic logs should show the firewall taking the configured action on the matching sessions.

 

On the client, the browser will immediately show 'This page cannot be displayed' or a similar message.

 

However, as expected, FTP access through the web browser works just fine.

 

If we take packet captures, we'd observe the RST packet injected in the TCP stream.

 

Additional comments:

 

This signature is derived from the 'User-Agent' field in the GET request. The same technique can be used to match other web browsers or specific versions, if needed. For example, to match all versions of Firefox, the pattern would be Firefox\/ and so on.
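A pre-deployment coverage check for these patterns, as an added example that is not part of the original article or Palo Alto's own code: it approximates the pattern match with Python's re over constructed requests and compares matching the whole header block against matching only the User-Agent value. The sample requests, the function names and the assumption that the http-req-headers context spans every request header are assumptions of this example.

```python
import re

# Patterns quoted in the article. Python's re stands in for the firewall's
# matching engine here, which is an approximation.
PATTERNS = {"ie": r"Trident\/", "firefox": r"Firefox\/"}

def _req(ua, extra=""):
    """Build a constructed GET request with the given User-Agent."""
    return ("GET / HTTP/1.1\r\nHost: example.test\r\n"
            f"User-Agent: {ua}\r\n{extra}\r\n")

FIREFOX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) "
              "Gecko/20100101 Firefox/60.0")

# Constructed samples, not captured traffic.
SAMPLES = {
    "ie11": _req("Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    "ie8": _req("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    # IE 7 and earlier send no Trident token (it first appears in IE 8).
    "ie7": _req("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"),
    "chrome": _req("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"),
    "firefox": _req(FIREFOX_UA),
    # Firefox request whose Referer path happens to contain "Trident/".
    "firefox_ref": _req(FIREFOX_UA, "Referer: http://example.test/wiki/Trident/\r\n"),
}

def request_headers(raw):
    """Header block: everything between the request line and the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n", 1)[1] if "\r\n" in head else ""

def user_agent(raw):
    """Value of the User-Agent header only, or '' if absent."""
    for line in request_headers(raw).split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""

def hits(pattern, scope=request_headers):
    """Names of the samples whose scoped text matches the pattern."""
    rx = re.compile(pattern)
    return sorted(n for n, raw in SAMPLES.items() if rx.search(scope(raw)))

if __name__ == "__main__":
    for label, pat in PATTERNS.items():
        print(label, "all headers:", hits(pat), "UA only:", hits(pat, user_agent))
```

Replacing SAMPLES with requests exported from your own logs shows, before the Deny rule goes live, which clients the signature would reset and which it would miss.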


owner - ansharma


