
Tls host not work

Posted: Mon Dec 03, 2018 6:36 pm
by poolip
Hello,
I have a problem with filtering port 443 web sites by TLS host:
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.google.com action=reject

This is my rule, but it does not block google.com.
Does anyone have the same problem?

Re: Tls host not work

Posted: Tue Dec 04, 2018 10:28 am
by karlisi
It works, at least on 6.42.10
You should remove port, leaving only tls-host. And this rule must be before 'accept established, related' rule.

Re: Tls host not work

Posted: Tue Dec 04, 2018 12:13 pm
by vecernik87
Google, YouTube etc. are using QUIC (a UDP-based protocol) instead of normal HTTP/2 (a TCP-based protocol).
They of course still support the old protocols, but that's just a fallback. If the browser supports QUIC, it will use QUIC.

TLS-host does not work with QUIC, as it depends on a TCP connection.

Re: Tls host not work

Posted: Sat Dec 08, 2018 2:06 am
by sebastia
So the question is then: how do we identify and block QUIC so that the fall-back scenario will engage (=> TLS over TCP, which we CAN filter)?

Edit: as easy as blocking 80 & 443 over UDP? https://knowledgebase.paloaltonetworks. ... 000ClarCAC

Edit2: so I firewalled udp:80&443, monitored connections and saw no UDP from the desktop, but still no hits on TLS for YouTube. Got the impression that once the "youtube app (html5)" is loaded, it goes to CDNs which have nothing to do with the YouTube TLS-Host... Blocking vimeo.com works just fine...

Re: Tls host not work

Posted: Sun Sep 01, 2019 1:27 am
by Xtreme512
Google, YouTube etc. are using QUIC (a UDP-based protocol) instead of normal HTTP/2 (a TCP-based protocol).
They of course still support the old protocols, but that's just a fallback. If the browser supports QUIC, it will use QUIC.

TLS-host does not work with QUIC, as it depends on a TCP connection.
Does this new TLS-host firewall feature work with plain HTTP? I want to block the *.footprint.net domain (a DNS block didn't work out), as it keeps bothering me with blocking Windows updates.

Re: Tls host not work

Posted: Sun Sep 01, 2019 12:35 pm
by sebastia
I would expect not, as it relates to Transport Layer Security, which is not used with plain HTTP.

Re: Tls host not work

Posted: Mon Sep 02, 2019 3:22 am
by Xtreme512
You're right, but I had to ask anyway. So is L7 the go-to method for HTTP?

Re: Tls host not work

Posted: Mon Sep 02, 2019 11:49 am
by sebastia
That or the "content" packet matching in the plain firewall.

Re: Tls host not work

Posted: Tue Sep 03, 2019 9:44 pm
by Xtreme512
That or the "content" packet matching in the plain firewall.
Thanks for the response. Does content matching support regex? Like, can you use content=*windowsupdate* and even windowsupdate|telemetry|.....?
The other question is, I've been using L7 to capture social media traffic (in just one L7 rule that holds youtube|facebook|instagram etc.) to shape it, and it's working great no matter whether HTTP or HTTPS. Should I migrate to tls-host, is it any more efficient?

Re: Tls host not work

Posted: Wed Sep 04, 2019 12:46 pm
by sebastia
I didn't try regex in content, but it does match on plain text.

For HTTPS, your current L7 will be working with TCP and the SSL handshake, which is still unencrypted data.