Page 2 of 2 (results 11 to 19 of 19)
  1. #11
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,968


    Quote Originally Posted by MindVentures View Post
    Seems like the app traffic signature is not being correctly detected by Untangle to be blocked.
    This is the nature of application blocking. Since many apps are built from groups of APIs layered on top of HTTP all hosted in the same big AWS pool of IPs, inspection tools often can't know what app is what until after the first several packet exchanges. So a quick check and many apps will seem to function, but then become blocked only after some use... sometimes hitting a specific API endpoint, for example.

    Quote Originally Posted by MindVentures View Post
    1, Is it necessary to use SSL Inspector while trying to use Application Control for blocking apps with encrypted traffic?
    It depends on the app. If the app is hosted in AWS or otherwise shares IP information with other services (YouTube is known for this, but so are many others), all traffic goes via HTTPS, and there's not a meaningful hostname included with the unencrypted portion of the header, then you will need SSL Inspector to detect that app.

    In the past this hasn't been a big deal, but more and more services are using these features over time. In more recent cases even SSL Inspector will no longer work, and mobile apps often tend towards something called "Certificate Pinning" that prevents Untangle from inserting itself into the conversation to decrypt the traffic for inspection. This still effectively blocks those apps, if that is your goal, but also tends to catch a LOT of other services in the blast radius, some of which you may want to keep available.

    Quote Originally Posted by MindVentures View Post
    2. Can Untangle look into it, since the application name IMO is already included in built-in stock list of apps which should be easy to block/unblock with a few clicks.
    Cheers.
    Look into what? Changing the fundamental way the internet is built? This isn't magic, and they're not that powerful.

    It's important to understand Untangle uses the same basic techniques as other products (just packages them together in an arguably nicer way). You're not gonna have materially different results using something else; this is what the gateway view of your traffic allows for.

    If you're having trouble with a particular service, the place to start is the Session Viewer tool in Untangle. Access the service, identify the traffic from that access in Session Viewer, and see how Untangle is actually classifying it. And remember, even basic services on the modern internet will use 20 (or more) different domains and requests to provide service. When you visit a web site, the URL you see in the address bar at the top of the browser is only the tip of the iceberg.
    Last edited by jcoehoorn; 08-02-2022 at 07:19 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
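As an added example (mine, not from jcoehoorn's post or any Untangle code) of the "meaningful hostname in the unencrypted portion of the header" point above: without SSL Inspector, a gateway can read at most the Server Name Indication (SNI) in the TLS ClientHello, and when an app omits it, classification is left with only the shared cloud IP. The ClientHello bytes are constructed inline, not captured from a real app.

```python
import struct

# Constructed TLS 1.2 ClientHello (not a capture): record layer, handshake
# header and an optional server_name (SNI) extension, so the parser below can
# be exercised both with and without a hostname in the clear.
def build_client_hello(sni=None):
    exts = b""
    if sni is not None:
        name = sni.encode()
        # server_name list: list_len(2) | name_type(1)=host_name | name_len(2) | name
        sn_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0, len(sn_list)) + sn_list   # ext type 0
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, random
            + b"\x00"                                 # session_id (empty)
            + b"\x00\x02\x13\x01"                     # one cipher suite
            + b"\x01\x00"                             # one compression method
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # type 0x16 = handshake

def extract_sni(record):
    """Return the hostname a gateway can read from the unencrypted ClientHello,
    or None when there is no usable hostname (then only the IP is left to go on)."""
    try:
        if len(record) < 5 or record[0] != 0x16:           # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                  # not a ClientHello
            return None
        p = 4 + 2 + 32                                     # hs header, version, random
        p += 1 + hs[p]                                     # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher_suites
        p += 1 + hs[p]                                     # compression_methods
        if p + 2 > len(hs):                                # no extensions block
            return None
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:                   # server_name extension
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):                     # truncated or malformed
        pass
    return None
```

Run `extract_sni(build_client_hello("api.example.com"))` against `extract_sni(build_client_hello())` to see the difference between a flow a gateway can name and one it can only attribute to an IP.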

  2. #12
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    143


    The vast majority of mobile apps don't restrict themselves to WiFi and NG Firewall can only act on traffic that passes through it. If the device detects that the connection is failing via WiFi, it'll usually just try again using its own data connection. There is, unfortunately, no way for us to disable or filter that connection; while the traffic may be blocked through NG Firewall, it may still go through because the device itself has another route to the internet.

    It's also possible that Application Control simply isn't detecting or identifying the app correctly. Check Reports > Application Control > Classified Sessions to verify that App Control is actually able to identify the traffic as matching that application.
    Last edited by gravenscroft; 08-02-2022 at 07:40 AM.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?

  3. #13
    Untangler
    Join Date
    Oct 2014
    Posts
    35


    Quote Originally Posted by jcoehoorn View Post
    This is the nature of application blocking. Since many apps are built from groups of APIs layered on top of HTTP all hosted in the same big AWS pool of IPs, inspection tools often can't know what app is what until after the first several packet exchanges. So a quick check and many apps will seem to function, but then become blocked only after some use... sometimes hitting a specific API endpoint, for example.

    It depends on the app. If the app is hosted in AWS or otherwise shares IP information with other services (YouTube is known for this, but so are many others), all traffic goes via HTTPS, and there's not a meaningful hostname included with the unencrypted portion of the header, then you will need SSL Inspector to detect that app.

    In the past this hasn't been a big deal, but more and more services are using these features over time. In more recent cases even SSL Inspector will no longer work, and mobile apps often tend towards something called "Certificate Pinning" that prevents Untangle from inserting itself into the conversation to decrypt the traffic for inspection. This still effectively blocks those apps, if that is your goal, but also tends to catch a LOT of other services in the blast radius, some of which you may want to keep available.

    Look into what? Changing the fundamental way the internet is built? This isn't magic, and they're not that powerful.

    It's important to understand Untangle uses the same basic techniques as other products (just packages them together in an arguably nicer way). You're not gonna have materially different results using something else; this is what the gateway view of your traffic allows for.

    If you're having trouble with a particular service, the place to start is the Session Viewer tool in Untangle. Access the service, identify the traffic from that access in Session Viewer, and see how Untangle is actually classifying it. And remember, even basic services on the modern internet will use 20 (or more) different domains and requests to provide service. When you visit a web site, the URL you see in the address bar at the top of the browser is only the tip of the iceberg.
    Got it, so I conclude that it may not be 100% possible all the time for Untangle to block such traffic accurately and exclusively (without affecting other non-targeted applications).

    Was just reaching out to Untangle - to share customer feedback - as the name for this particular IM app was delivered in Application Control in the out-of-the-box COTS product, where most of the features work as delivered. So as a customer my assumption was that it would work as intended with stock functionality. As the product vendor, I thought maybe Untangle could assess the latest version of the IM app and upgrade the application signature through an upcoming version / patch.

    Will try taking a look in the session viewer to see if I can find anything useful and probably get some shared guidance from this forum as how to dig around further.

    Quote Originally Posted by gravenscroft View Post
    The vast majority of mobile apps don't restrict themselves to WiFi and NG Firewall can only act on traffic that passes through it. If the device detects that the connection is failing via WiFi, it'll usually just try again using its own data connection. There is, unfortunately, no way for us to disable or filter that connection; while the traffic may be blocked through NG Firewall, it may still go through because the device itself has another route to the internet.

    It's also possible that Application Control simply isn't detecting or identifying the app correctly. Check Reports > Application Control > Classified Sessions to verify that App Control is actually able to identify the traffic as matching that application.
    Well, for running my test cases, I ensure that "Mobile Data (LTE/5G)" is turned off on the device. So going through WiFi was the only available route to reach the internet.

    Will try checking the Classified Sessions report to see if the traffic is zapped and identified.
    Last edited by jcoffin; 08-04-2022 at 07:36 AM. Reason: Revert changes

  4. #14
    Untangler
    Join Date
    Oct 2014
    Posts
    35


    Quote Originally Posted by MindVentures View Post
    We get the application signatures/definitions from a third party, called Sandvine, but we don't develop or update the signatures ourselves. We typically update the App Control database with each new NG Firewall release.
    Hello,

    Thanks for the info. Apparently there seems to be some problem with the forums. My original post where I asked this question has been deleted from the thread.

    However, the above-quoted response appears as if it was posted by me, but I am sure it must have been posted by someone else.

    Maybe forum admin can take a look.

    Thanks.

  5. #15
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,762


    Quote Originally Posted by MindVentures View Post
    Hello,
    However, the above-quoted response appears as if it was posted by me, but I am sure it must have been posted by someone else.
    I reverted one of our staff's changes. Sorry for the confusion.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #16
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    143


    Quote Originally Posted by jcoffin View Post
    I reverted one of our staff's changes. Sorry for the confusion.
    Yeah, I clicked the wrong thing.

    Here's my original response:

    Quote Originally Posted by gravenscroft
    We get the application signatures/definitions from a third party, called Sandvine, but we don't develop or update the signatures ourselves. We typically update the App Control database with each new NG Firewall release.

  7. #17
    Untangler
    Join Date
    May 2008
    Posts
    605


    Quote Originally Posted by gravenscroft
    We get the application signatures/definitions from a third party, called Sandvine, but we don't develop or update the signatures ourselves. We typically update the App Control database with each new NG Firewall release.

    Wouldn't it make sense to update them more often? I don't know how often Sandvine updates things, but I would guess it is more often than Untangle does.

  8. #18
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,762


    Quote Originally Posted by donhwyo View Post
    Wouldn't it make sense to update them more often? I don't know how often Sandvine updates things, but I would guess it is more often than Untangle does.
    We upgrade the signatures on every release. These are not simple regex matches but compiled conditional matches, which is not as simple as dropping in config files.

  9. #19
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    143


    Quote Originally Posted by donhwyo View Post
    Wouldn't it make sense to update them more often? I don't know how often Sandvine updates things, but I would guess it is more often than Untangle does.
    Nope, it wouldn't. Sandvine probably does update signatures more frequently than we release updates, but we don't receive individual updates from them every time some individual thing changes; we just get a package every so often. That package needs to be tested before it's deployed to live NGFWs, which creates a drain on QA resources.

    Additionally, we'd end up pushing a lot of small updates in a way that ended up pretty far outside our normal versioning scheme and there'd be difficulties in ensuring that every NGFW had the newest version of the package. Ergo, we do it once per release, all at one time.
