TLS host not working

Hello,
I have a problem with filtering 443 web sites by tls-host.
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.google.com action=reject

This is my rule, but it does not block google.com.
Does anyone have the same problem?

It works, at least on 6.42.10
You should remove the port, leaving only tls-host. And this rule must be before the 'accept established, related' rule.

Google, YouTube etc. are using QUIC (a UDP-based protocol) instead of normal HTTP/2 (a TCP-based protocol).
They of course still support the old protocols, but that's just a fallback. If the browser supports QUIC, it will use QUIC.

tls-host does not work with QUIC, as it depends on a TCP connection.

So the question is then: how do we identify and block QUIC so that the fallback scenario engages (=> TLS over TCP, which we CAN filter)?

Edit: as easy as blocking 80 & 443 over UDP? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

Edit2: so I firewalled udp:80&443, monitored connections and saw no UDP from the desktop, but still no hits on TLS for YouTube. I got the impression that once the "YouTube app (HTML5)" is loaded, it goes to CDNs which have nothing to do with the youtube tls-host... Blocking vimeo.com works just fine...

Does this new tls-host firewall feature work with plain HTTP? I want to block the *.footprint.net domain (a DNS block didn't work out), as it keeps bothering me by blocking Windows updates.

I would expect not, as it relates to Transport Layer Security, which is not used with plain HTTP.

You're right, but I had to ask anyway. So L7 is the go-to method for HTTP?

That, or the "content" packet matching in the plain firewall.

Thanks for the response. Does content matching support regex? Like, can you use content=windowsupdate and even windowsupdate|telemetry|...?
Another question: I've been using L7 to capture social media traffic (in just one L7 rule that holds youtube|facebook|instagram etc.) to shape it, and it's working great no matter whether http(s). Should I migrate to tls-host? Is it more efficient?

I didn't try regex in content, but it does match on plain text.

For HTTPS, your current L7 will be working with the TCP and SSL handshake, which is still unencrypted data.
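To show concretely why tls-host (and an L7 or content matcher) can read the hostname from TLS over TCP but gets nothing from QUIC, here is an added example that is not from this thread or from RouterOS: it builds a constructed ClientHello, pulls the SNI host_name out of the plaintext handshake, glob-matches it the way a tls-host=*.google.com rule would (fnmatch semantics are an assumption, not RouterOS's exact matcher), and shows that a QUIC Initial datagram yields no name at all.

```python
import struct
from fnmatch import fnmatch

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (sample data)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(host)) + host            # name_type 0 = host_name
    sni = struct.pack(">H", len(entry)) + entry                       # ServerNameList
    ext = struct.pack(">HH", 0, len(sni)) + sni                       # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs           # record header: type handshake

def extract_sni(payload: bytes):
    """Return the host_name from a plaintext TLS ClientHello, or None if the bytes are not one.
    QUIC wraps its ClientHello in Initial-key-protected CRYPTO frames, so it never matches here."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                                   # 5 record + 4 handshake + 2 version + 32 random
    pos += 1 + payload[pos]                    # skip session_id
    pos += 2 + struct.unpack_from(">H", payload, pos)[0]   # skip cipher_suites
    pos += 1 + payload[pos]                    # skip compression_methods
    if pos + 2 > len(payload):
        return None                            # no extensions block at all
    end = pos + 2 + struct.unpack_from(">H", payload, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(payload)):
        etype, elen = struct.unpack_from(">HH", payload, pos)
        pos += 4
        if etype == 0:                         # server_name extension
            p = pos + 2                        # skip ServerNameList length
            while p + 3 <= pos + elen:
                ntype, nlen = payload[p], struct.unpack_from(">H", payload, p + 1)[0]
                if ntype == 0:
                    return payload[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += elen
    return None

def tls_host_matches(payload: bytes, pattern: str) -> bool:
    """Emulate a tls-host style rule: glob-match the pattern against the extracted SNI (assumed semantics)."""
    name = extract_sni(payload)
    return name is not None and fnmatch(name.lower(), pattern.lower())

# Constructed samples: a TCP-side ClientHello and the first bytes of a QUIC v1 long-header Initial.
TCP_HELLO = build_client_hello("www.google.com")
QUIC_INITIAL = bytes([0xC0, 0x00, 0x00, 0x00, 0x01, 0x08]) + bytes(8) + b"\x00" + bytes(16)
```

Run against the two samples: the TCP ClientHello yields www.google.com and matches *.google.com, while the QUIC datagram yields None, which is the fallback behaviour the thread is trying to force.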