Community discussions

 
poolip
newbie
Topic Author
Posts: 41
Joined: Fri Jan 30, 2015 8:25 pm

Tls host not work

Mon Dec 03, 2018 6:36 pm

Hello,
I have a problem with filtering port 443 web sites by TLS host. This is my rule:
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.google.com action=reject

It does not block google.com.
Does anyone have the same problem?
 
karlisi
Member Candidate
Posts: 255
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Tls host not work

Tue Dec 04, 2018 10:28 am

It works, at least on 6.42.10.
You should remove the port, leaving only tls-host. And this rule must be before the 'accept established,related' rule.
---
Karlis
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Tls host not work

Tue Dec 04, 2018 12:13 pm

Google, YouTube etc. are using QUIC (a UDP-based protocol) instead of normal HTTP/2 (a TCP-based protocol).
They of course still support the old protocols, but that's just a fallback. If the browser supports QUIC, it will use QUIC.

TLS-host does not work with QUIC, as it depends on a TCP connection.
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Tls host not work

Sat Dec 08, 2018 2:06 am

So the question is then: how do we identify and block QUIC so that the fallback scenario will engage (=> TLS over TCP, which we CAN filter)?

Edit: as easy as blocking 80 & 443 over UDP? https://knowledgebase.paloaltonetworks. ... 000ClarCAC

Edit2: so I firewalled udp:80&443, monitored connections and saw no UDP from the desktop, but still no hits on TLS for YouTube. Got the impression that once the "youtube app (html5)" is loaded, it goes to CDNs which have nothing to do with the youtube TLS-Host... Blocking vimeo.com works just fine...
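As an added example (not config posted in the thread), here is a forward-chain ordering that follows karlisi's advice above (tls-host rule without dst-port, placed before the established/related accept) together with sebastia's idea of dropping UDP 80/443 so browsers fall back from QUIC to TLS over TCP. It assumes an otherwise empty forward chain; the comments and the reject-with choice are mine. Note sebastia's own observation in Edit2 still applies: once the YouTube page is loaded, media is fetched from CDN hostnames that a *.youtube.com match will never see.

```routeros
# Added example, not from the thread. Assumes an empty forward chain; on a
# router with existing rules use "/ip firewall filter print" and "move" so the
# rules end up in this order.
/ip firewall filter

# 1. Drop QUIC (UDP 443, and UDP 80 as in the Palo Alto article sebastia linked).
#    With no UDP path the browser falls back to HTTP over TCP + TLS, which the
#    tls-host matcher can inspect.
add chain=forward protocol=udp dst-port=80,443 action=drop \
    comment="block QUIC so clients fall back to TLS over TCP"

# 2. SNI match. No dst-port (karlisi). The ClientHello that carries the SNI
#    arrives only after the TCP handshake, so by then conntrack already counts
#    the connection as established; this rule therefore has to sit BEFORE the
#    established/related accept or it is never reached.
add chain=forward protocol=tcp tls-host=*.google.com action=reject \
    reject-with=tcp-reset comment="reject by SNI"

# 3. Only now the usual fast-path accept.
add chain=forward connection-state=established,related action=accept \
    comment="accept established,related"

# Optional check: log instead of reject first, to confirm which SNI values
# actually appear (e.g. CDN names rather than the site you expect).
# add chain=forward protocol=tcp tls-host=*.youtube.com action=log \
#     log-prefix="tls-host:" place-before=1
```

Watch the log output before switching to reject: if the only hits are the initial page load and the media keeps flowing, the video is coming from other hostnames, which is exactly what sebastia's Edit2 describes.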
 
Xtreme512
Frequent Visitor
Posts: 72
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY

Re: Tls host not work

Sun Sep 01, 2019 1:27 am

> Google, YouTube etc. are using QUIC (a UDP-based protocol) instead of normal HTTP/2 (a TCP-based protocol).
> They of course still support the old protocols, but that's just a fallback. If the browser supports QUIC, it will use QUIC.
>
> TLS-host does not work with QUIC, as it depends on a TCP connection.

Does this new TLS-host firewall feature work with plain HTTP? I want to block the *.footprint.net domain (a DNS block didn't work out), as it keeps bothering me by blocking Windows updates.
I Walk Alone
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Tls host not work

Sun Sep 01, 2019 12:35 pm

I would expect not, as it relates to Transport Layer Security, which is not used with plain HTTP.
 
Xtreme512
Frequent Visitor
Posts: 72
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY

Re: Tls host not work

Mon Sep 02, 2019 3:22 am

You're right, but I had to ask anyway. So L7 is the go-to method for HTTP?
I Walk Alone
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Tls host not work

Mon Sep 02, 2019 11:49 am

That, or the "content" packet matching in the plain firewall.
 
Xtreme512
Frequent Visitor
Posts: 72
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY

Re: Tls host not work

Tue Sep 03, 2019 9:44 pm

> That, or the "content" packet matching in the plain firewall.

Thanks for the response. Does content matching support regex? Like, can you use content=*windowsupdate* and even windowsupdate|telemetry|...?
Other question: I've been using L7 to capture social media traffic (in just one L7 rule that holds youtube|facebook|instagram etc.) to shape it, and it's working great no matter whether http or https. Should I migrate to tls-host? Is it any more efficient?
I Walk Alone
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Tls host not work

Wed Sep 04, 2019 12:46 pm

I didn't try regex in content, but it does match on plain text.

For https, your current L7 will be working on the TCP and SSL handshake, which is still unencrypted data.
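As an added example (not config from the thread), the two plain-HTTP options sebastia names, laid out side by side: an L7 regexp rule marking Xtreme512's social-media traffic for shaping, and a literal content= match for the *.footprint.net case. The names social, social-conn, social-pkt and social-shape and the 2M/2M limit are illustrative assumptions.

```routeros
# Added example, not from the thread. Rule, mark and queue names are made up.

# (a) Layer7: a regexp evaluated over the start of the connection. It sees a
#     plain-HTTP request line and Host header and, because the TLS ClientHello
#     is sent unencrypted, the SNI of an HTTPS connection as well, which is why
#     Xtreme512's single rule works "no matter http(s)". The "$" must be
#     escaped inside RouterOS double quotes.
/ip firewall layer7-protocol
add name=social regexp="^.+(youtube|facebook|instagram).*\$"

# Mark the connection once, then every packet of it, and shape on the mark.
/ip firewall mangle
add chain=forward layer7-protocol=social action=mark-connection \
    new-connection-mark=social-conn passthrough=yes
add chain=forward connection-mark=social-conn action=mark-packet \
    new-packet-mark=social-pkt passthrough=no
/queue simple
add name=social-shape packet-marks=social-pkt max-limit=2M/2M

# (b) content=: a literal substring match on the packet payload, no regex
#     (sebastia: "it does match on plain text"). On port 80 the Host header is
#     visible, so this catches "Host: something.footprint.net" in the request,
#     and also any other port-80 packet that happens to carry that string.
/ip firewall filter
add chain=forward protocol=tcp dst-port=80 content=".footprint.net" \
    action=reject reject-with=tcp-reset \
    comment="plain HTTP block by Host substring"
```

Because the L7 matcher only looks at the first bytes of a connection, marking the connection and then the packets is what lets the queue act on the whole flow rather than just the packets the regexp itself matched.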
