Need to Block a User Agent By String


Article ID: 172743


Products

Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

This article describes how to block requests based on a string in the User-Agent header. This is useful when you want to block a User Agent that is not predefined in the Visual Policy Manager as a User Agent source object.

Environment

HTTPS traffic will need to be decrypted in order for the Proxy to view the User-Agent header and apply policy to it. This may require setting up an SSL Intercept Layer to decrypt the traffic, or using a decrypting appliance, such as an SSLV.

Resolution

Select a string from the User-Agent header of the application you are trying to block, and verify that it does not appear in the User-Agent header of other web browsers in the production environment. You can view the User-Agent header in a packet capture or a policy trace. For example, below is what the header looks like for the Chrome browser in a policy trace:

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

The string 'Safari' could be used to block Chrome, but not Internet Explorer or Firefox, as policy traces from those two browsers would indicate 'Safari' does not appear in the User Agent header.
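
The verification described above can be scripted against User-Agent headers collected from policy traces before the string goes into the Regex field. This is an added example, not part of the original article or any vendor tooling. It assumes Python's re module as a stand-in for the proxy's regex engine and case-sensitive matching by default; every header except the Chrome one from this article is a constructed sample.

```python
import re

# Constructed sample: User-Agent headers as they might appear in policy traces.
# The Chrome value is the one shown in this article; the others are typical
# values for those browsers, added here for illustration.
SAMPLE_TRACE_HEADERS = {
    "Chrome": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
    "Firefox": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0",
    "Internet Explorer": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Edge (legacy)": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134",
}


def literal_to_regex(text):
    """Escape regex metacharacters (such as '.') so the string matches literally."""
    return re.escape(text)


def check_candidate(pattern, headers, targets, ignore_case=False):
    """Return (missed, collateral) for a candidate User-Agent regex.

    missed     -- target applications the pattern fails to match
    collateral -- non-target applications the pattern would also block
    """
    # Assumption: Python's re engine approximates the proxy's regex matching.
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    matched = {name for name, ua in headers.items() if rx.search(ua)}
    missed = sorted(set(targets) - matched)
    collateral = sorted(matched - set(targets))
    return missed, collateral


if __name__ == "__main__":
    # 'Safari' and 'Chrome/' also hit the legacy Edge header; the escaped
    # version-specific string matches Chrome only.
    for candidate in ("Safari", "Chrome/", literal_to_regex("Chrome/69.0")):
        missed, collateral = check_candidate(candidate, SAMPLE_TRACE_HEADERS, ["Chrome"])
        print(f"{candidate!r}: missed={missed} collateral={collateral}")
```

A candidate is safe to deploy only when both returned lists are empty for the headers seen in your own environment.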

Once you have your string selected:

1. Go to Management Console > Configuration > Visual Policy Manager

2. From the Visual Policy Manager, create a new rule under a Web Access Layer and move it to the top of the layer

3. Right-click on Source and select Set

4. On the window that pops up, click New, and select Request Header from the drop-down menu

5. A second window will pop up. In that window, name your object, and under Header Name, select User-Agent

6. Under Regex, enter the string you want to search for in the User-Agent header and click OK

7. Find the source object you just created under Existing Source Objects in the first popup and select OK. You should now see the object you created as the Source for the rule

8. If the action is not already Deny, right-click under Action and select Deny

9. Install the policy