Problem blocking Skype access over http



Satish .J
2012-12-29, 06:00
Hi,

Has anyone observed that Skype is now logging in over http also?
I tried blocking Skype, but if I block one IP address it passes through other IP addresses.
I still have an issue blocking Skype access :-(

mcnallym
2012-12-31, 10:20
Easy solution is

Upgrade to R75.x
Purchase AppControl Blade and subscription

Block Skype Application with AppControl Blade

The AppControl should identify the Skype Application traffic despite being on http and still block.

Satish .J
2013-01-02, 00:20
I have the Application Control Blade and I blocked Skype access using the Application Control Blade only, but the traffic still goes through as http traffic.

mcnallym
2013-01-02, 03:54
Check the Rule Number in the Log Entry and confirm which rule number is passing this on.

Where I have seen this before is where there is a rule above the block that is permitting the traffic, so you need to make sure that the block rule is moved above the rule that the traffic is passing on.

The Application Control Policy, the same as the Security Policy, works on a top-down basis.

Satish .J
2013-01-02, 04:44
Yes, there is a rule

1 ) To allow only http traffic to everyone - Skype is passing by this rule. This is to allow any http traffic and I am blocking http traffic

Rule 1 :

source : Any
Destination : Any
Service : http
Action : Accept

Using the AppControl Blade I have blocked

Source : Skype
Destination : Any
Application : Skype
Action : Block

When I checked the logs, Skype is passing through Rule 1.

mcnallym
2013-01-02, 09:59
You would need Rule 1 to allow the http traffic out to the Internet, so that is correct in the Firewall Section.

In terms of the Tracker, does it show any information about which Application Control Rule it is using for the traffic?

In Tracker, if you select the Application and URL Filtering then All, what does it show you?

Also, is your Source definitely what you have as Skype in the rule? That will only match if the source matches what is in Skype in your Source Column.
Make sure you name the rule in Application Control and then in the Tracker it gives you that name in the Application and URL Filtering logs.

At the moment it sounds like either the App Control Policy is not being applied or your source isn't in what you have defined as Skype and so isn't matching the rule.

Satish .J
2013-01-03, 09:43
In Tracker I can see Skype is passing by checking the http rule.

Sorry, I mentioned the Source wrongly; the source is Any, as mentioned below

Using the AppControl Blade I have blocked

Source : Any
Destination : Any
Application : Skype
Action : Block

mcnallym
2013-01-03, 10:28
So are you looking at the Application and URL Filtering section in Tracker or just under the normal All Records?

With Tracker, move from the All Records and expand the Application and URL Filtering in the Network Security Blades section. Then select All within this section. You will then see the Tracker entries for the Application and URL Filtering Blade.

Can you see the Skype traffic in there at all, and if so what rule is it showing as under?

If all you are seeing in Tracker is the http being passed by the Firewall Blade then either you are not looking under the Application and URL Filtering section as advised or the Application and URL Filtering is not active on the Gateway.

Satish .J
2013-01-15, 04:54
Until now I had checked at All Records.
Now I have checked at the Application Control Blade; Skype is still accessible with HTTP traffic.

mcnallym
2013-01-15, 13:35
And which rule in the Application Control is the traffic being permitted in?

Name your rules in the Application Control Blade and the Tracker will tell you, when you look at the log entry in detail, which rule within the Application Control Blade the traffic is being permitted on.

If the Application Control Blade is permitting the traffic through then you HAVE to identify the rule in Application Control that the traffic is being permitted on.

When you double-click on an App Control log entry it then brings up more detail

Application Control Allow
Details Policy
Traffic More

In the Policy section, the second part will say the rule name that this traffic is being permitted on. If it doesn't look like that then you aren't getting an Application Control log.

You then need to look at that rule and see why it is permitting http through to Skype. Is it before the rule that drops Skype, for instance? Make sure that the Database is up to date. The App Control works on a top-down basis, and once it gets a match it will stop checking further. We have support customers blocking Skype with this product so I know that it works when configured correctly.
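
Added example (not part of the thread, and not Check Point code): a simplified model of the top-down, first-match evaluation described in the post above, with a check for a block rule that can never take effect because an earlier rule accepts the same application first. The rule names, the policies and the default action when nothing matches are constructed assumptions.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    name: str        # unique name, so a log entry identifies the rule
    source: str      # group name or ANY
    apps: frozenset  # applications the rule matches
    action: str      # "allow" or "block"

def matches(rule, src_groups, app):
    return (rule.source == ANY or rule.source in src_groups) and app in rule.apps

def evaluate(policy, src_groups, app, default="allow"):
    """Top-down, first match wins; returns (action, rule name)."""
    for rule in policy:
        if matches(rule, src_groups, app):
            return rule.action, rule.name
    return default, "<no rule matched>"  # default action is an assumption

def shadowed(policy):
    """Find (rule, app, earlier rule) where an earlier rule with a
    different action always matches that app first."""
    findings = []
    for i, rule in enumerate(policy):
        for app in sorted(rule.apps):
            for earlier in policy[:i]:
                covers = earlier.source in (ANY, rule.source)
                if covers and app in earlier.apps:
                    if earlier.action != rule.action:
                        findings.append((rule.name, app, earlier.name))
                    break  # the first covering rule decides
    return findings

# Constructed policies (not taken from a real gateway).
BROKEN = [
    Rule("allow-web-apps", ANY, frozenset({"gmail", "skype"}), "allow"),
    Rule("block-skype", ANY, frozenset({"skype"}), "block"),
]
FIXED = [
    Rule("hr-allow-skype", "HR_GRP", frozenset({"gmail", "skype"}), "allow"),
    Rule("block-skype", ANY, frozenset({"skype"}), "block"),
]

if __name__ == "__main__":
    print(evaluate(BROKEN, {"Sales"}, "skype"), shadowed(BROKEN))
    print(evaluate(FIXED, {"Sales"}, "skype"), shadowed(FIXED))
```

In the broken ordering the returned rule name is the allow rule, which is the same information a named rule gives in the log entry detail.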

Satish .J
2013-01-24, 00:05
To explain in detail:

Rule 1:

Source : HR_GRP(members of hr group)
Destination: any
service : http, https
Action : accept

Rule 2:
Source : any
Destination: any
service : http
Action : accept

Application control blade rule 1:

Source : HR_GRP
Destination: any
Application/Sites : gmail, skype
Action : allow

Application control blade rule 2:

Source : any
Destination: any
Application/Sites : gmail, skype
Action : allow

I can see the Skype traffic is passing through rule 2 at the Firewall.

northlandboy
2013-01-24, 02:02
To explain you in detail

Rule 2:
Source : any
Destination: any
service : http
Action : accept

<snip>

Source : any
Destination: any
Application/Sites : gmail, skype
Action : allow

I can see the skype traffic is passing through rule 2 at Firewall.


Your action is listed as accept or allow for both the firewall rules and the app control rules. So why wouldn't it be allowed?

Satish .J
2013-01-24, 05:28
Sorry, I mentioned it wrongly in my previous reply.

I have created the rule as
Application control blade rule 2:

Source : any
Destination: any
Application/Sites : gmail, skype
Action : drop

mcnallym
2013-01-24, 07:13
At the moment you are saying it is being passed on Rule 2.

Is that Firewall Rule 2 or App Control Rule 2?

Name your App Control Rules with unique names, not just numbers, and then the App Control entries in Tracker will give the name of the rule in App Control that is being used.

Then post a screenshot of the Tracker Entry, the detail not the list of the tracker entries.

This should then list that it is the App Control Blade, along with details about the user and the application and the NAME of the App Control rule that is being used to permit this. That way we can distinguish between Firewall Rules and App Control Rules.

Spawn
2013-01-25, 10:57
Satish,

Take a print screen of the dashboard policies for Firewall and Application Control, paste it to either mspaint or irfanview, and post the screenshot here.

I hope you have licenses for App Control; you can show us the screenshot for smartmonitor as well :)

Your post seems very confusing, believe me.

Spawn
2013-01-25, 11:55
See the following screengrabs for reference:

Firewall Policy

http://i46.tinypic.com/svmpf8.jpg

App Control Policy

http://i46.tinypic.com/scao9u.jpg


Desktop screenshot (username is changed for obvious reasons)

http://i46.tinypic.com/2z6h8af.jpg


Smartview Tracker log
http://i47.tinypic.com/201rap.jpg

Satish .J
2013-03-16, 03:42
Thanks. Yes, this way it's blocking Skype.

But sometimes it's allowing with http traffic. I will check again and post you the updates.