Palo Alto Networks Knowledgebase: Failed to Block Facebook Chat Consistently

Failed to Block Facebook Chat Consistently

Created On 09/25/18 17:41 PM - Last Updated 02/08/19 00:08 AM


A security rule has been configured to block the facebook-chat application. The traffic log shows that the firewall successfully blocked facebook-chat; however, the user can continue to use Facebook chat over the web.


When Facebook chat is used in a web page, the web client opens multiple sessions towards the server. Since Facebook integrated chat and messages into one service, half of the sessions will have a chat structure and the other half will have a mail structure. So, in order to successfully and consistently block Facebook chat, you need to block both the facebook-chat and facebook-mail applications.


Step 1. Enable decryption.

For more information about Decryption, please refer to "How to Implement and Test SSL Decryption".


Step 2. Configure your security rule to block "facebook-chat" and "facebook-mail" applications.


Step 3. Create another security rule that allows "facebook-base" application. Add this security rule below the rule created in Step 2 above.


With the above configuration, the user can still browse to Facebook, but will not be able to use Facebook chat.
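One way to check an exported rulebase against Steps 2 and 3 is sketched below. It is an added example, not part of the original article or Palo Alto Networks tooling. The rule names and the XML fragment are constructed, and the model matches on application only, ignoring zones, users and services.

```python
import xml.etree.ElementTree as ET

# Constructed sample: security rulebase fragment in PAN-OS XML layout.
SAMPLE = """
<rules>
  <entry name="Block-FB-Chat">
    <application><member>facebook-chat</member><member>facebook-mail</member></application>
    <action>deny</action>
  </entry>
  <entry name="Allow-FB-Base">
    <application><member>facebook-base</member></application>
    <action>allow</action>
  </entry>
</rules>
"""

BLOCK_APPS = {"facebook-chat", "facebook-mail"}
DENY_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}

def load_rules(xml_text):
    """Return rules in evaluation order as (name, apps, action) tuples."""
    rules = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        apps = {m.text.strip() for m in entry.findall("application/member")}
        rules.append((entry.get("name"), apps, entry.findtext("action", "").strip()))
    return rules

def first_match(rules, app):
    """Top-down, first-match lookup on application only (zones/users ignored)."""
    for name, apps, action in rules:
        if app in apps or "any" in apps:
            return name, action
    return None, "deny"  # nothing matched: treated as denied in this model

def audit(xml_text):
    """List findings; an empty list means the rulebase follows Steps 2 and 3."""
    rules = load_rules(xml_text)
    findings = []
    for app in sorted(BLOCK_APPS):
        name, action = first_match(rules, app)
        if action not in DENY_ACTIONS:
            findings.append(f"{app} is allowed by rule {name!r}")
    name, action = first_match(rules, "facebook-base")
    if action != "allow":
        findings.append(f"facebook-base is not allowed (matched {name!r})")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "rulebase matches the KB configuration")
```

A rulebase that denies only facebook-chat above a broad allow rule produces a finding for facebook-mail, which is the situation described at the top of this article.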
