Block Web-Based-Emails From Internet Portals

Created On 06/25/20 02:51 AM - Last Modified 07/03/20 02:28 AM


Symptom


  • A firewall rule that filters the 'web-based-email' URL category only blocks web-based email when the user browses to it directly:
User-added image
  • However, a user who is logged in to 'yahoo.com' can open Mail directly from the home page.
Yahoo home page with a logged-in user:

Yahoo landing page

Launching 'Mail' from the home page opens it without being blocked:

User-added image


Environment


  • Any PAN-OS version.
  • Palo Alto Networks firewall.
  • SSL Forward Proxy decryption configured.
  • URL filtering for the 'web-based-email' URL category configured on the firewall.


Cause


The session starts as the 'ssl' application and matches a security policy that allows SSL traffic; in this example the matching policy is 'Egress_Thegreatwall', highlighted below. As soon as the user launches 'Mail' from the home page, an application shift occurs: the application changes from 'ssl' to 'yahoo-mail-base'. This triggers a new security policy lookup for the application 'yahoo-mail-base', which now matches the rule 'Match_Webmail'.

Monitor --> Traffic:

User-added image

Detailed traffic view:

User-added image

As highlighted above, 'Match_Webmail' blocks the URL/application because it is configured with a URL filtering profile. Despite this, Yahoo Mail still loads. The reason is that launching Yahoo Mail from the home page causes the browser to fetch content from multiple other sources/URLs, and those requests are allowed by another rule on the firewall, which may not be immediately obvious.


Resolution


  1. Turn on the developer console in the browser to see all of the content the browser attempts to load while Yahoo Mail is being accessed.
User-added image

  2. Create a security rule that blocks this content; use wildcards if needed, for example '*.yimg' and '*.mail.yahoo.com'. In this illustration the rule is placed below 'Match_Webmail'. The custom URL object 'Yahoo_URLs' in this rule contains the wildcards, and the rule action is set to deny. To simplify the security policies, the 'internet-portals' category is also added to the 'Match_Webmail' security policy.
Policies --> Security:

Block Yahoo FQDNs

  3. Create a decryption policy for the 'internet-portals' URL category and for the custom URL object containing the wildcard FQDNs.
This should now result in a block page for Yahoo Mail accessed from the home page. The client attempts to load the highlighted URL and is blocked:

block page
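The following is an added example, not code from Palo Alto Networks or from this article. It is a simplified model of the top-down security-policy lookup the Cause section describes: a session first matches 'Egress_Thegreatwall' as 'ssl', the application shift to 'yahoo-mail-base' triggers a new lookup that hits 'Match_Webmail', and the sub-resources the mail page fetches slip through the egress rule until the wildcard-FQDN deny rule from step 2 is placed above it. Rule names and category names are taken from the article; the hostnames, the host-to-category table, the request sequence, the 'web-browsing' identification of the sub-resources and the '*.yimg.com' spelling of the wildcard are assumptions made for the example.

```python
# Added example (not Palo Alto Networks code): a simplified model of a
# top-down security-policy lookup that is re-run after an application shift.
# Rule and category names come from the article; hosts, the category table
# and the request sequence are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed host-to-category table (assumed; a real firewall uses PAN-DB).
URL_CATEGORIES = {
    "www.yahoo.com": "internet-portals",
    "edge.mail.yahoo.com": "web-based-email",
    "s.yimg.com": "content-delivery-networks",
}


@dataclass
class Rule:
    name: str
    applications: set | None = None                  # None means any application
    url_match: list = field(default_factory=list)    # wildcard FQDNs (custom URL object) as match criteria
    profile_block: set = field(default_factory=set)  # categories blocked by the attached URL-filtering profile
    action: str = "allow"

    def matches(self, app: str, host: str) -> bool:
        if self.applications is not None and app not in self.applications:
            return False
        if not self.url_match:
            return True
        return any(fnmatch(host, pattern) for pattern in self.url_match)


def lookup(rules: list[Rule], app: str, host: str) -> tuple[str, str]:
    """First matching rule wins, as in a top-down rulebase.

    A 'deny' rule blocks outright; an 'allow' rule still blocks when its
    URL-filtering profile blocks the category of the requested host."""
    category = URL_CATEGORIES.get(host, "unknown")
    for rule in rules:
        if rule.matches(app, host):
            if rule.action == "deny":
                return rule.name, "block"
            if category in rule.profile_block:
                return rule.name, "block (URL filtering profile)"
            return rule.name, "allow"
    return "interzone-default", "block"


# Rulebase from the article. 'Match_Webmail' blocks web-based-email and, after
# the change in step 2, internet-portals; 'Egress_Thegreatwall' allows the rest,
# which is where the initial 'ssl' session is matched.
MATCH_WEBMAIL = Rule("Match_Webmail", applications={"yahoo-mail-base"},
                     profile_block={"web-based-email", "internet-portals"})
BLOCK_YAHOO_FQDNS = Rule("Block Yahoo FQDNs",                       # custom object 'Yahoo_URLs'
                         url_match=["*.yimg.com", "*.mail.yahoo.com"],  # '*.yimg.com' is assumed
                         action="deny")
EGRESS = Rule("Egress_Thegreatwall")

# Constructed request sequence: the landing page over 'ssl', the app shift to
# 'yahoo-mail-base' when 'Mail' is launched (a new policy lookup), then the
# sub-resources the mail page pulls in, identified here as 'web-browsing'.
SESSION = [
    ("ssl", "www.yahoo.com"),
    ("yahoo-mail-base", "www.yahoo.com"),
    ("web-browsing", "edge.mail.yahoo.com"),
    ("web-browsing", "s.yimg.com"),
]


def simulate(rules: list[Rule]) -> list[tuple[str, str, str, str]]:
    """Return (app, host, matched rule, verdict) for every request in SESSION."""
    return [(app, host, *lookup(rules, app, host)) for app, host in SESSION]


def mail_client_loads(results) -> bool:
    """The symptom: the mail client loads if any of its sub-resources is allowed."""
    return any(verdict == "allow" for _, host, _, verdict in results
               if host != "www.yahoo.com")


if __name__ == "__main__":
    for label, rules in [("before", [MATCH_WEBMAIL, EGRESS]),
                         ("after", [MATCH_WEBMAIL, BLOCK_YAHOO_FQDNS, EGRESS])]:
        results = simulate(rules)
        print(f"--- {label} adding the wildcard deny rule ---")
        for app, host, rule, verdict in results:
            print(f"{app:16} {host:22} {rule:22} {verdict}")
        print("mail client loads:", mail_client_loads(results))
```

Run as a script, the "before" pass shows the second lookup landing on 'Match_Webmail' with a profile block while the sub-resource requests are still allowed by 'Egress_Thegreatwall'; the "after" pass shows the same requests stopped by the deny rule because it is evaluated before the egress rule. The model has no notion of decryption: it assumes the firewall can already see the application and hostname, which is what step 3 provides in practice.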


Additional Information


  • This article assumes the reader is familiar with application shifts, URL filtering and SSL decryption. Without SSL decryption, results may vary: for example, a user on Chrome may be blocked while users on Safari or Firefox are not. Decryption is therefore highly recommended.
  • The same principle applies to other web-based email services; a packet capture, or the information from the browser's developer console, can help determine which APIs, URLs or FQDNs need to be blocked.
  • In some cases the browser uses its cache or cookies to load the mail client. Clearing browser cookies is a temporary workaround; the long-term fix is to decrypt and block the traffic outlined above.


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UYICA2&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail