
Hello, dear lovers of high technology. We continue our series of articles about advanced hardware.
Today I will talk about the solutions of Palo Alto Networks and show how to set up various policies, in particular one that prohibits a specific user from using a social network or some other kind of application.
Palo Alto Networks produces fairly good firewalls, content filters and similar things, all in one device. As far as I understood from the words of the company's representative, the main developers came from Juniper Networks, where they worked on the SSG series of devices.
Anyway, most people are not interested in that and are waiting for screenshots. Here we go:
1. Main page and Dashboard. In principle, everything is clear (I hope).

2. ACC (Application Command Center). Here we can see what type of traffic was observed at a given time, who generated or initiated that traffic, etc.

The next screen clearly shows how hard some of our guests are trying to download the latest image of a free operating system.

3. Next, the Monitor tab. I think its purpose needs no explanation. I will only note that it is very convenient when debugging, since out of the whole flood of IP packets we can filter only what we need.

4. Policies. Here we define the security policies between security zones (zones are described later), NAT rules and address pools, and other things that are undoubtedly important in our lives: QoS, Captive Portal, DoS protection, etc.

5. Objects. This tab holds the various entities (addresses, services, applications and so on) that we can group by attributes, create new ones, etc. These objects can then be referenced in access policies.

In addition, application signatures are defined here. Since Palo Alto is able to recognize applications by signature, we can filter the traffic of a single application separately; this is covered in more detail at the end of the article.
6. Network. This tab is for configuring everything related to networking on the device, from assigning addresses to interfaces to setting up IPsec tunnels (yes, Palo Alto supports IPsec tunnels).

7. Device. It stores various global device settings. Everything that can be customized is on the left side of the screen.

Let's try to write a policy that prohibits one computer from using a social network for schoolchildren (since the user of that computer behaved badly):
Steps 1 to 5 of creating the rule (screenshots).

The user tries to get onto Vkontakte and, bam, it does not work. And we triumphantly watch his futile attempts:

On the other hand, this kind of filtering does not surprise anyone any more. I understand you, so let's complicate the task a bit. Let's try to filter the client application used to access another social network, while leaving access to it through the web open.
So, imagine that we are building another floor of our 18-storey office. Everywhere in the building there are Wi-Fi access points with an open SSID (yes, we are not stingy with the Internet). Workers are finishing the renovation on the 18th floor. One of them (let's call him Ashot), instead of finishing laying 30 square meters of tiles, has connected to the network and, using a messenger, is carrying on a lively correspondence with yet another "lady of his heart". Suppose that, for some reason, we need to prohibit everyone from using the messenger client, while leaving access through the browser available.
Set up a policy:

Then we specify the security zone from which the connection will be initiated (and at the same time we forbid everyone, from any address, to use this client).

We specify the zone the traffic will go to (to keep it simple, any zone):

Now we need to block the messenger itself. We look it up in the application signature database and select it:

Finally, the rule action: block all traffic of this application:

We commit and save the configuration. Let's see what we have:

So we managed to block the application. Now let's check whether the site is still accessible from a web browser:
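As an added example (it is not from the original article and is not Palo Alto's own documentation), here are both rules built above, the per-host social-network block and the everyone-everywhere messenger block, entered in the PAN-OS CLI configure mode instead of the web UI. The zone names trust and untrust, the host address 192.168.1.50, the test destination 203.0.113.10 and the rule names are assumptions; the App-ID names in angle brackets are placeholders to be replaced with the application you find under Objects > Applications. Lines starting with # are annotations, not CLI input.

```text
# Added example, not the article's own configuration.
# Assumptions: zones "trust"/"untrust", punished host 192.168.1.50,
# App-ID names <social-network-app> and <messenger-app> are placeholders.
configure

# Rule 1: block one social network for a single host only.
set rulebase security rules block-social-for-host from trust to untrust
set rulebase security rules block-social-for-host source 192.168.1.50 destination any
set rulebase security rules block-social-for-host source-user any category any
set rulebase security rules block-social-for-host application <social-network-app> service application-default
set rulebase security rules block-social-for-host action deny log-end yes
set rulebase security rules block-social-for-host description "User of this PC behaved badly"

# Rule 2: block the messenger client for everyone, from any zone to any zone.
# Only the client's App-ID is listed, so browser access to the same social
# network is not matched here and falls through to the allow rule below it.
set rulebase security rules block-messenger-client from any to any source any destination any
set rulebase security rules block-messenger-client source-user any category any
set rulebase security rules block-messenger-client application <messenger-app> service application-default
set rulebase security rules block-messenger-client action deny log-end yes

# The security rulebase is evaluated top down, first match wins: the deny
# rules must sit above the general allow rule or they will never match.
move rulebase security rules block-messenger-client top
move rulebase security rules block-social-for-host top

commit
exit

# Verification from operational mode: show the active rulebase, then
# simulate a TCP/443 session (protocol 6) from the punished host to check
# which rule a session for that application would hit.
show running security-policy
test security-policy-match from trust to untrust source 192.168.1.50 destination 203.0.113.10 protocol 6 destination-port 443 application <social-network-app>
```

Two caveats a practitioner will want. First, the set of fields a rule must carry to pass commit validation differs between PAN-OS releases (older releases also require hip-profiles), so check the commit output rather than assuming the rule is complete. Second, App-ID can only tell the messenger client apart from ordinary browsing if it can see the application inside the session; for a client that tunnels over TLS, that usually means SSL decryption must be enabled for the traffic, otherwise the session may be identified only as ssl and the allow rule will let it through.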

Everything we set out to do has been done. Questions?