Block Web-Based-Emails From Internet Portals
Created On 06/25/20 02:51 AM - Last Modified 07/03/20 02:28 AM
Symptom
- A firewall configured with a rule to filter the 'web-based-email' URL category only blocks the service when the web-based email site is accessed directly:
- However, a user logged in to 'yahoo.com' can still reach mail from the home page.
Launching 'Mail' from the home page opens the mail client without being blocked:
Environment
- Any PAN-OS.
- Palo Alto Firewall.
- SSL forward proxy configured
- URL filtering web-based-email URL category on the firewall.
Cause
The traffic starts off as the 'ssl' application and matches a security policy that allows SSL traffic. In this example, the matching policy is 'Egress_Thegreatwall', as highlighted below. However, an application shift occurs as soon as the user attempts to access 'mail' from the home page: the application shifts from 'ssl' to 'yahoo-mail-base'. This triggers a new security policy lookup for the application 'yahoo-mail-base', which matches the rule 'Match_Webmail'.
Monitor --> Traffic:
Detailed traffic view:
As highlighted above, the rule blocks the URL/application because it is configured with a URL filtering profile. Despite this, Yahoo Mail still loads. The reason is that launching Yahoo Mail from the home page causes the page to pull content from multiple sources/URLs, and that content is being allowed by another rule on the firewall, which may not be immediately obvious.
Resolution
- Turn on developer console in the browser to see all content the browser is attempting to load while yahoo mail is being accessed.
- Create a security rule that blocks this content; use a wildcard if needed: '*.yimg' and '*.mail.yahoo.com'. In this illustration the rule is placed below 'Match_Webmail'. The custom object 'Yahoo_URLs' in this rule contains the wildcards, and the rule is set to deny. To simplify the security policies, the 'internet-portals' category is added to the 'Match_Webmail' security policy.
- Create a decryption policy for the 'internet-portals' URL category and the custom URL object containing the wildcard FQDNs.
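The traffic log is the quickest place to see both the application shift and the content that slips through under the wrong rule. The script below is an added example, not part of the original article or any Palo Alto Networks tooling; it runs over a constructed, simplified log extract (not the real PAN-OS CSV layout) and lists (a) sessions that shifted from 'ssl' to 'yahoo-mail-base' and (b) provider-looking destinations that were allowed by a rule other than 'Match_Webmail', which are candidates for the custom URL object. The column names and the token list are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed, simplified traffic-log extract (hypothetical layout, not the PAN-OS CSV
# format). Rows appear in the order the firewall logged them for each session.
SAMPLE_LOG = """\
session_id,app,rule,action,dest_host
1001,ssl,Egress_Thegreatwall,allow,www.yahoo.com
1001,yahoo-mail-base,Match_Webmail,deny,mail.yahoo.com
1002,ssl,Egress_Thegreatwall,allow,s.yimg.com
1003,ssl,Egress_Thegreatwall,allow,edge.mail.yahoo.com
1004,ssl,Egress_Thegreatwall,allow,www.example.com
"""


def parse_log(text):
    """Parse the CSV extract into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def app_shift_sessions(rows, from_app="ssl", to_apps=("yahoo-mail-base",)):
    """Session ids whose App-ID changed from from_app to one of to_apps, i.e. the
    shift that triggers the second security-policy lookup described above."""
    apps_by_session = defaultdict(list)
    for r in rows:
        apps_by_session[r["session_id"]].append(r["app"])
    return sorted(s for s, apps in apps_by_session.items()
                  if apps[0] == from_app and any(a in to_apps for a in apps[1:]))


def leaked_hosts(rows, block_rule="Match_Webmail", tokens=("yahoo", "yimg")):
    """(host, rule) pairs for provider-looking destinations that were allowed by a
    rule other than block_rule: the content that lets the mail client load anyway."""
    hits = set()
    for r in rows:
        if (r["action"] == "allow" and r["rule"] != block_rule
                and any(t in r["dest_host"] for t in tokens)):
            hits.add((r["dest_host"], r["rule"]))
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("sessions with ssl -> webmail shift:", app_shift_sessions(rows))
    for host, rule in leaked_hosts(rows):
        print(f"{host} allowed by rule {rule}")
```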
Additional Information
- This article assumes the reader is familiar with application shifts, URL filtering and SSL decryption. Without SSL decryption, results may vary: for example, a user on Chrome may be blocked while users on Safari or Firefox are not. Hence decryption is highly recommended.
- The same principle applies to other web-based email services; a packet capture or information taken from the developer console can help determine which APIs, URLs or FQDNs need to be blocked.
- In certain cases the browser uses its cache/cookies to load the mail client; clearing browser cookies is a temporary workaround, and the long-term fix is to decrypt and block the traffic outlined above.