How to Block Traffic Based on Application Filters with an Exception
Resolution
Overview
This document describes how to configure a Palo Alto Networks firewall to block traffic based on an application filter while still allowing one application that the filter includes. The example in this document blocks instant messaging (IM) and peer-to-peer (P2P) application-filter traffic but still allows the Skype application.
An application filter is a dynamic object created by selecting filter options (Category, Subcategory, Technology) in the application browser. Any new application that arrives in a PAN-OS content update and matches the same filter criteria is automatically added to the application filter. For example, when 'peer-to-peer' is selected as the Technology filter, that filter updates automatically whenever a new application is added to that category in the latest content package.
Steps
- Go to Objects > Application Filter
- Click Add to configure an Application Filter that includes all instant messaging and P2P applications by selecting the Category, Subcategory and Technology, as shown below:
  - Category - collaboration
  - Subcategory - instant-messaging + voip-video
  - Technology - browser-based + client-server + network-protocol + peer-to-peer
- Configure two security rules: the first allows Skype and the second, placed below it, denies the remaining IM and P2P applications (security policy is evaluated top-down and the first matching rule wins, so the allow rule must sit above the deny rule)
  - The first rule allows skype, skype-probe and unknown-udp (required for acceptable voice quality)
  - The second rule denies the IM and P2P application filter
To verify the configuration, the traffic logs in the example below show Skype being allowed, whereas Omegle (an online chat website) and Jabber are blocked:
Note: To view all applications included in the application filter, use the following command and check the security policy rule in which the application filter is referenced:
> show running security-policy
trust-2-untrust {
from trust-L3;
source any;
source-region none;
to untrust-L3;
destination any;
destination-region none;
user any;
category any;
application/service [ irc-base/any/any/any vidsoft/any/any/any sip/any/any/any h.323/any/any/any msn-base/any/any/any ebuddy/any/any/any hovrs/any/any/any yahoo-im-base/any/any/any google-talk-base/any/any/any jabber/any/any/any qq-base/any/any/any aim-base/any/any/any icq/any/any/any webaim/any/any/any meebo-base/any/any/any swapper/any/any/any koolim/any/any/any cooltalk/any/any/any netmeeting/any/any/any google-buzz/any/any/any chatroulette/any/any/any teamspeak/any/any/any ventrilo/any/any/any ichat-av/any/any/any sccp/any/any/any skype/any/any/any skype-probe/any/any/any mabber/any/any/any zoho-im/any/any/any lotus-sametime/any/any/any yahoo-webcam/any/any/any sightspeed/any/any/any msn-webmessenger/any/any/any yahoo-webmesseng/any/any/any pownce/any/any/any medium-im/any/any/any vsee/any/any/any h.245/any/any/any ms-ocs/any/any/any ms-ocs-audio/any/any/any ms-ocs-video/any/any/any gmail-chat/any/any/any messengerfx/any/any/any iloveim/any/any/any meetro/any/any/any p10/any/any/any imhaha/any/an application/service(implicit) [ http/any/any/any ssl/any/any/any stun/any/any/any web-browsing/any/any/any rtmp/any/any/any ];
action allow;
terminal yes;
}
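As an added illustration, not code from the original article or from Palo Alto Networks, the following Python script parses the `show running security-policy` output format shown above, lists the applications a rule's filter expanded to, and walks the top-down first-match evaluation that makes the Skype exception work. The rule names, the shortened application lists and the interzone-default deny fallback in the sample are constructed assumptions.

```python
import re

# Constructed, abbreviated `show running security-policy` output in the shape the
# page shows; the rule names and the short application lists are made up here.
SAMPLE_POLICY = """\
allow-skype {
        from trust-L3;
        to untrust-L3;
        application/service [ skype/any/any/any skype-probe/any/any/any unknown-udp/any/any/any ];
        application/service(implicit) [ stun/any/any/any ];
        action allow;
}
deny-im-p2p {
        from trust-L3;
        to untrust-L3;
        application/service [ irc-base/any/any/any jabber/any/any/any skype/any/any/any skype-probe/any/any/any ];
        application/service(implicit) [ http/any/any/any ssl/any/any/any ];
        action deny;
}
"""

RULE_RE = re.compile(r"^(\S+) \{\n(.*?)^\}", re.M | re.S)
# Matches only the explicit list; the "(implicit)" dependency list is ignored here.
APPS_RE = re.compile(r"application/service \[([^\]]*)\]")
ACTION_RE = re.compile(r"action (\w+);")

def parse_policy(text):
    """Return the rules in policy order as (name, set_of_app_names, action)."""
    rules = []
    for name, body in RULE_RE.findall(text):
        tokens = APPS_RE.search(body).group(1).split()
        apps = {t.split("/")[0] for t in tokens}  # drop the /service/... suffix
        rules.append((name, apps, ACTION_RE.search(body).group(1)))
    return rules

def filter_members(rules, rule_name):
    """List the applications the named rule (and so its filter) expands to."""
    return sorted(next(apps for name, apps, _ in rules if name == rule_name))

def first_match(rules, app):
    """Top-down, first-match evaluation; no match falls to the interzone default (deny)."""
    for name, apps, action in rules:
        if app in apps:
            return name, action
    return "interzone-default", "deny"

if __name__ == "__main__":  # with the rules swapped, Skype would be denied
    rules = parse_policy(SAMPLE_POLICY)
    print(first_match(rules, "skype"), first_match(rules[::-1], "skype"))
```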
owner: kadak