Block HTTPS Facebook traffic with PacketShaper
Article ID: 165402

Products

PacketShaper

Issue/Introduction

How to use PacketShaper to block HTTPS Facebook traffic

Resolution

To block all access to Facebook, manually create a dedicated Facebook class with the following SSL Common Name matching rule criteria: *.facebook.com, *.channel.facebook.com, a248.e.akamai.net. Then apply a Discard policy to this traffic class.


To create this, issue the following CLI commands:

#class new /Inbound/facebook inside host:any TCP service:Client outside host:any service:SSL "SSL:commonName:*.facebook.com"
#class rule add /Inbound/facebook inside host:any TCP service:Client outside host:any service:SSL "SSL:commonName:*.channel.facebook.com"
#class rule add /Inbound/facebook inside host:any TCP service:Client outside host:any service:SSL "SSL:commonName:a248.e.akamai.net"
#class rule add /Inbound/facebook inside host:any TCP service:SSL "SSL:commonName:*.facebook.com" outside host:any service:Client
#class rule add /Inbound/facebook inside host:any TCP service:SSL "SSL:commonName:*.channel.facebook.com" outside host:any service:Client
#class rule add /Inbound/facebook inside host:any TCP service:SSL "SSL:commonName:a248.e.akamai.net" outside host:any service:Client

#class new /Outbound/facebook inside host:any TCP service:Client outside host:any service:SSL "SSL:commonName:*.facebook.com"
#class rule add /Outbound/facebook inside host:any TCP service:Client outside host:any service:SSL "SSL:commonName:*.channel.facebook.com"
#class rule add /Outbound/facebook inside host:any TCP service:Client outside host:any service:SSL "SSL:commonName:a248.e.akamai.net"
#class rule add /Outbound/facebook inside host:any TCP service:SSL "SSL:commonName:*.facebook.com" outside host:any service:Client
#class rule add /Outbound/facebook inside host:any TCP service:SSL "SSL:commonName:*.channel.facebook.com" outside host:any service:Client
#class rule add /Outbound/facebook inside host:any TCP service:SSL "SSL:commonName:a248.e.akamai.net" outside host:any service:Client

#policy apply discard /Inbound/facebook
#policy apply discard /Outbound/facebook


#class set /Inbound/facebook exception
#class set /Outbound/facebook exception

#class web-app disable facebook

Note: If the web-app classification for Facebook is not disabled with the command class web-app disable facebook, Facebook traffic might hit the native Facebook class instead, so the manually created class never gets to classify and block it.
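As an added illustration (not from this article and not PacketShaper code), the following Python models the classification the commands above set up: a first-match-wins lookup of an SSL flow's certificate Common Name against the SSL:commonName wildcard rules, with the native web-app Facebook class modelled as an assumption to show why the note's class web-app disable facebook step matters.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SSL:commonName rules from the article's manual facebook class (same set on /Inbound and /Outbound).
FACEBOOK_CN_PATTERNS = ("*.facebook.com", "*.channel.facebook.com", "a248.e.akamai.net")

@dataclass
class TrafficClass:
    name: str
    patterns: Tuple[str, ...]   # SSL:commonName match rules
    policy: str                 # "discard" (policy apply discard) or "none"

def cn_matches(common_name: str, pattern: str) -> bool:
    """Glob-style match of a certificate Common Name against one SSL:commonName rule.
    Assumption: '*' is a plain wildcard and names compare case-insensitively. Under these
    semantics '*.facebook.com' does NOT match the bare 'facebook.com'; the article does not
    say how the appliance handles that case, so confirm it on a real unit."""
    return fnmatch.fnmatchcase(common_name.lower(), pattern.lower())

def build_tree(web_app_facebook_enabled: bool) -> List[TrafficClass]:
    """Classes in evaluation order. Assumption, modelled on the article's note: while native
    web-app classification is enabled, its Facebook class is consulted before the manual
    class, so matching flows never reach the manual class's discard policy."""
    manual = TrafficClass("/Inbound/facebook", FACEBOOK_CN_PATTERNS, "discard")
    if web_app_facebook_enabled:
        return [TrafficClass("native web-app Facebook class", ("*.facebook.com",), "none"), manual]
    return [manual]

def classify(common_name: str, classes: List[TrafficClass]) -> Optional[TrafficClass]:
    """First-match-wins lookup of the class a flow with this server CN lands in."""
    for cls in classes:
        if any(cn_matches(common_name, p) for p in cls.patterns):
            return cls
    return None

def verdict(common_name: str, web_app_facebook_enabled: bool) -> Tuple[str, Optional[str]]:
    """('discard' | 'pass', matched class name or None) for one SSL flow's server CN."""
    cls = classify(common_name, build_tree(web_app_facebook_enabled))
    if cls is None:
        return ("pass", None)
    return ("discard" if cls.policy == "discard" else "pass", cls.name)

if __name__ == "__main__":
    # Constructed sample CNs, not from any capture: the rule targets, the bare domain, an unrelated site.
    for cn in ("www.facebook.com", "edge.channel.facebook.com", "a248.e.akamai.net", "facebook.com", "example.org"):
        print(f"{cn:28} web-app on: {verdict(cn, True)!s:48} web-app off: {verdict(cn, False)}")
```

Note that the a248.e.akamai.net rule is a literal hostname match, so any other site served under that Akamai hostname is discarded too; that overblocking trade-off is worth weighing before applying the policy.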