Palo Alto Firewall URL Filtering and Application Block Page


This article covers the Palo Alto firewall features for blocking URLs and restricting layer-7 applications. The two main features are:

  1. Application Block Page
  2. URL Filtering and Category Match Block Page

Go to Device→Response Pages, find Application Block Page, and make sure it is enabled.

Click Application Block Page to export the default block page.

The export is an HTML file saved as txt. You can edit the HTML of this Block Page.

<!DOCTYPE html>

<html lang="en">
<head>
    <base href="/login/">
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=.85">
    <meta http-equiv="pragma" content="no-cache">
    <title>Application Blocked</title>
    <link rel="stylesheet" href="css/latofonts.css">
    <style>
        body {
            background-color: #e8ebeb;
            font-family: Lato, 'Helvetica Neue', Helvetica, Arial, sans-serif;
            font-size: 16px;
            margin: 0;
            color: #070808;
        }

        a:link {
            color: #0993d1;
        }

        b,
        strong {
            font-weight: 500;
        }

        p {
            line-height: 1.2em;
        }

        button {
            overflow: visible;
        }

        button, input, optgroup, select, textarea {
            color: inherit;
            font: inherit;
            margin: 0;
        }

        .center {
            text-align: center;
            margin-left: auto;
            margin-right: auto;
        }

        #dError,
        .msg {
            color: #d94949;
            margin: 20px 0;
        }

        fieldset .msg {
            margin: 0;
        }

        #content {
            padding-top: 100px;
        }

        #content img {
            display: block;
            margin: auto;
        }

        #content h1 {
            font-style: normal;
            font-weight: normal;
            font-size: 36px;
            line-height: 43px;
            text-align: center;
            letter-spacing: 0.1px;
            color: #070808;
            margin: 10px auto 8px;
        }

        #content > p {
            text-align: center;
            margin-left: auto;
            margin-right: auto;
            width: 640px;
            font-size: 14px;
            line-height: 20px;
        }

        .response {
            background-color: #fff;
            color: #5a636b;
            margin: 24px auto 0;
            padding: 20px;
            font-size: 16px;
            width: 800px;
            border: 1px solid #c8cbce;
            box-sizing: border-box;
            border-radius: 8px;
        }

        .response p {
            margin: 0 0 1em;
        }

        .response p:last-child {
            margin: 0;
        }

        .response b {
            color: #070808;
        }

        .response .msg b {
            color: #d94949;
        }

        .response form td,
        .response form input {
            font-size: 1.1em;
            font-weight: bold;
        }

        .loading {
            margin: 2em auto 1em;
        }
    </style>
</head>

<body>
<div id="content" class="container">
    <img src="data:image/png;base64,..." alt="Error">
    <h1>Against Acceptable Use Policy</h1>
    <div class="response">
        <p>The application you are trying to use has been blocked in accordance with company policy. Please contact your system administrator if you believe this is an error.</p>
        <img src="https://i.kym-cdn.com/entries/icons/original/000/002/144/You_Shall_Not_Pass!_0-1_screenshot.jpg" alt="blockImage" style="width:700px;height:600px;">
        <p><b>User:</b> <user/></p>
        <p><b>Application:</b> <appname/></p>
    </div>
</div>
</body>
</html>

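This is what I ended up with.

Then put it back on the PA as the Block Page: click Application Block Page→Import.

After that, this entry lets you select the Block Page you imported.

Then do the same for the URL Filtering and Category Match Block Page.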
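
A pre-import check for an edited block page, added here as an example (not code from the original post or from Palo Alto Networks): it confirms that the `<user/>` and `<appname/>` placeholders survived the edit and lists every resource the browser would load from another host, such as the image added above, which the client has to fetch through the same firewall policy. The name `audit_block_page` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholders the firewall fills in, as seen in the exported page above.
REQUIRED_PLACEHOLDERS = {"user", "appname"}
# Attributes that make the browser fetch another resource.
URL_ATTRS = {"src", "href", "action"}


class BlockPageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.placeholders = set()
        self.external = []  # URLs the client would fetch from another host

    def handle_starttag(self, tag, attrs):
        if tag in REQUIRED_PLACEHOLDERS:
            self.placeholders.add(tag)
        for name, value in attrs:
            if name in URL_ATTRS and value:
                parsed = urlparse(value)
                # Absolute http(s) and scheme-relative (//host/x) URLs are not served by the firewall.
                if parsed.netloc and parsed.scheme in ("", "http", "https"):
                    self.external.append(value)


def audit_block_page(html_text):
    audit = BlockPageAudit()
    audit.feed(html_text)
    audit.close()
    return {
        "missing_placeholders": sorted(REQUIRED_PLACEHOLDERS - audit.placeholders),
        "external_hosts": sorted({urlparse(u).netloc for u in audit.external}),
        "plaintext_http": [u for u in audit.external if u.lower().startswith("http://")],
    }


# Constructed sample modelled on the edited page above (inline image data shortened).
SAMPLE = """<html><head><base href="/login/">
<link rel="stylesheet" href="css/latofonts.css"></head><body>
<img src="data:image/png;base64,AAAA" alt="Error">
<img src="https://i.kym-cdn.com/entries/icons/original/000/002/144/You_Shall_Not_Pass!_0-1_screenshot.jpg" alt="blockImage">
<p><b>User:</b> <user/></p>
<p><b>Application:</b> <appname/></p>
</body></html>"""

if __name__ == "__main__":
    print(audit_block_page(SAMPLE))
```

An empty `external_hosts` list means the page renders entirely from the firewall and inline data, so it still displays when the URL Filtering profile blocks every category.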

Application Block Policy

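Go to the Policy→Security page and add a Block Policy. You can restrict it to specific sources and destinations; I use any source to any destination. Here I block by application, targeting all Facebook functions.

For URL category, application-default is fine.

Finally, set the facebook-base application to Deny.

Once that is set, click OK.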

URL Filtering Block Profile

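Go to Objects→Security Profiles→URL Filtering. There is a default profile, but it cannot be edited, so clone the default profile and export it.

Then edit the cloned profile. First block every category: click Site Access→Set All Actions→block to block them all.

When done, click OK, then go back to Policy and add a policy for URL blocking:
Policy→Security→Add

I set both Source and Destination to any for now. For Application, everything except what is blocked must be allowed through.

For URL Category, use application-default.

For Action, allow everything except what URL Filtering should block, and under Profile attach the URL Filtering Block Policy.

When done, click OK and adjust the policy order: move Block URL up, so that URLs are blocked first and specific applications are blocked after that.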

Interface management

Network→Interfaces Mgmt

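Make sure Response Pages is enabled on the Interface, otherwise the Block Page cannot be displayed.

Also confirm that the outbound interface is the one using that Interface Management profile.

Once everything is confirmed, you can test.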

Policy Test

A license is required for the test to produce logs. If the Application license has expired, it cannot block; if the URL Filtering license has expired, it cannot block.

Scientia

I am Scientia. My research interests include Cryptology, Cryptographic Engineering, Security and Privacy, Computational Complexity, Quantum Cryptography, Cybersecurity, Hardware Security, and Anomaly Detection.
