How to Block Internet Explorer (all versions) from Internet Access

How to Block Internet Explorer (all versions) from Internet Access

43192
Created On 09/25/18 17:18 PM - Last Modified 06/14/23 06:06 AM


Symptom


In a scenario where a certain web-browser needs to be completely blocked for http or https, Palo Alto NGFW can provide granular control via custom signatures. In our example, it'd be the ubiquitous Internet Explorer. The requirement is to prevent only the http or https traffic, any other protocol using the browser (e.g. ftp) should be allowed. How to achieve this?

Resolution


NOTE: Decryption is a must for https traffic. We need to have full visibility on the traffic after the SSL-handshake.

 

  1. Navigate to the Objects tab. Under 'Applications', click on the 'Add' option to create a new application.
    Give a suitable name, category, sub-category and technology.Step1.JPG
  2. Under the 'Signatures' tab, click on 'Add' to add a new signature. This will open a pop-up box.Application1A.JPG
  3. After providing an appropriate name, click either on 'Add or Condition' or 'Add and Condition'. Since we are adding a single condition, either option is fine. However, If you are adding multiple conditions, please choose the operator suitably.Application1B.JPG
  4. Choosing the 'Or condition' or 'And condition' option would open another pop-up box. Here, you should choose the following:
    • Operator - Pattern Match
    • Context - http-req-headers
    • Pattern - Trident\/Application1C.JPG
  5. Lastly, add it to a particular Deny policy. As a slight difference, you can choose the action as 'Reset (with client, server or both)'. This will end the session faster and free up resources on the firewall quicker.SecPolicy.JPG

 

Verification:

 

If everything was configured correctly, we should see the proper action taken by the firewall. As a result, the traffic logs should look like this: Trafficlogs.JPG

 

On the client, the browser will immediately show 'This page cannot be displayed' or similar message.

 Blockedpage1A.JPG

 

However, as expected FTP access through the web-browser works just fine.

 Blockedpage1B.JPG

 

If we take the packet-captures, we'd observe the RST packet injected in the TCP stream:

 Wshark.JPG

 

Additional comments:

 

This signature is derived from the 'User-Agent' field in the GET packet. The same technique can be used to match for other web-browsers or different versions, if needed. For example, to match all the versions of firefox, the pattern would be Firefox\/ and so on.

 GET pkt.JPG

 

 

owner - ansharma
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEdCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language