Summary:

Objective: allow users to access Facebook, but not Facebook chat.

Before making any changes, I was able to use the Facebook chat feature:

Service:

  • layer 4 only (port/protocol), so anything tunneled over 443 looks the same

vs.

App-ID:

  • Includes layer 4 - the traditional stateful firewall

  • Includes signatures - the traditional IDS/IPS

  • Decoders - inspect the payload and traffic tunneled inside other protocols

  • SSL outbound decryption - the firewall acts as a man-in-the-middle (MITM) so it can identify the application inside TLS sessions

  • Granular application control - allow facebook, but block facebook chat

    • Pay attention to dependencies and implicitly used applications: an App-ID with an unsatisfied explicit dependency will not work even if the App-ID itself is allowed

  • Now, I am only allowing facebook-base, so facebook-chat should be blocked by the firewall:

Note: facebook-base has no explicit dependencies; it implicitly uses ssl and web-browsing, which the firewall permits automatically when facebook-base is allowed. However, do not forget to allow dns as well, otherwise the client cannot resolve the Facebook hostnames and the traffic never gets far enough to be identified as facebook-base.

  • Update policy:

  • Traffic logs indicating that facebook-chat was blocked by the clean-up rule. Note, I created a clean-up rule at the bottom of the policy for logging purposes.

  • Now let's re-enable facebook-chat. Note, facebook-chat depends on facebook-base (already in place) and mqtt (this application needs to be added explicitly). It also implicitly uses jabber and web-browsing, which need no rule of their own.

  • Update policy: 

  • Re-test: now I am good again.
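To make the dependency behaviour above concrete, here is an added example (written for this page, not code from the post or from Palo Alto Networks) that models the two policies as a top-down, first-match rulebase and evaluates facebook-base and facebook-chat against them. The App-ID metadata is constructed from what the post states: facebook-base implicitly uses ssl and web-browsing; facebook-chat explicitly depends on facebook-base and mqtt and implicitly uses jabber and web-browsing. The rule names, the "interzone-default" fallback and the log-line format are assumptions for illustration; the model is deliberately simplified (a real session shifts through several App-IDs and is re-evaluated at each shift). The explicit, logged clean-up rule is kept at the bottom because the built-in interzone-default rule does not log unless you enable logging on it.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple, Union

# Constructed App-ID metadata covering only the applications named in the post.
# "depends_on": explicit dependencies that must be allowed somewhere in the rulebase.
# "implicit":   applications App-ID uses automatically when this app is allowed,
#               so they need no rule of their own.
APPS: Dict[str, Dict[str, Set[str]]] = {
    "web-browsing":  {"depends_on": set(), "implicit": set()},
    "ssl":           {"depends_on": set(), "implicit": set()},
    "dns":           {"depends_on": set(), "implicit": set()},
    "jabber":        {"depends_on": set(), "implicit": set()},
    "mqtt":          {"depends_on": set(), "implicit": set()},
    "facebook-base": {"depends_on": set(), "implicit": {"ssl", "web-browsing"}},
    "facebook-chat": {"depends_on": {"facebook-base", "mqtt"},
                      "implicit": {"jabber", "web-browsing"}},
}


@dataclass
class Rule:
    name: str                    # hypothetical rule name
    apps: Union[Set[str], str]   # a set of App-IDs, or "any"
    action: str                  # "allow" or "deny"
    log: bool = True             # log at session end, as the post's clean-up rule does


def implicit_closure(apps: Set[str]) -> Set[str]:
    """Everything a rule effectively permits: the listed apps plus what they implicitly use."""
    seen: Set[str] = set()
    stack = list(apps)
    while stack:
        app = stack.pop()
        if app not in seen:
            seen.add(app)
            stack.extend(APPS[app]["implicit"])
    return seen


def rule_covers(rule: Rule, app: str) -> bool:
    return rule.apps == "any" or app in implicit_closure(rule.apps)


def first_match(app: str, rulebase):
    """Top-down, first-match evaluation, as a PAN-OS security policy is processed."""
    for rule in rulebase:
        if rule_covers(rule, app):
            return rule
    return None  # no explicit match: the built-in interzone-default rule denies, unlogged by default


def evaluate(app: str, rulebase) -> Tuple[str, str]:
    """Return (rule name, action) for a session identified as `app`.

    Simplified App-ID model: the session survives only if every explicit
    dependency matches an allow rule (the session passes through those apps
    before it becomes `app`) and `app` itself matches an allow rule.
    """
    for dep in sorted(APPS[app]["depends_on"]):
        dep_rule = first_match(dep, rulebase)
        if dep_rule is None:
            return ("interzone-default", "deny")
        if dep_rule.action != "allow":
            return (dep_rule.name, "deny")
    rule = first_match(app, rulebase)
    if rule is None:
        return ("interzone-default", "deny")
    return (rule.name, rule.action)


def missing_dependencies(rulebase) -> Dict[str, Set[str]]:
    """Explicit dependencies not satisfied anywhere in the rulebase (the commit-time warning)."""
    allowed: Set[str] = set()
    for rule in rulebase:
        if rule.action == "allow":
            allowed |= set(APPS) if rule.apps == "any" else implicit_closure(rule.apps)
    return {app: APPS[app]["depends_on"] - allowed
            for app in allowed if APPS[app]["depends_on"] - allowed}


def traffic_log(app: str, rulebase) -> str:
    """One constructed traffic-log line in the spirit of the post's screenshots."""
    rule_name, action = evaluate(app, rulebase)
    return f"app={app} rule={rule_name} action={action}"


CLEANUP = Rule("cleanup", "any", "deny")  # explicit, logged deny at the bottom of the policy

# Policy 1 from the post: facebook-base plus dns, nothing else.
POLICY_FACEBOOK_ONLY = [Rule("allow-facebook", {"facebook-base", "dns"}, "allow"), CLEANUP]
# Policy 2 from the post: facebook-chat re-enabled, with its explicit dependency mqtt added.
POLICY_WITH_CHAT = [Rule("allow-facebook", {"facebook-base", "facebook-chat", "mqtt", "dns"}, "allow"), CLEANUP]
# The common mistake: facebook-chat added without mqtt, so chat still dies at the clean-up rule.
POLICY_CHAT_NO_MQTT = [Rule("allow-facebook", {"facebook-base", "facebook-chat", "dns"}, "allow"), CLEANUP]

if __name__ == "__main__":
    for name, policy in [("facebook only", POLICY_FACEBOOK_ONLY),
                         ("with chat + mqtt", POLICY_WITH_CHAT),
                         ("chat without mqtt", POLICY_CHAT_NO_MQTT)]:
        print(name)
        for app in ("facebook-base", "facebook-chat"):
            print("  ", traffic_log(app, policy))
        print("   missing dependencies:", missing_dependencies(policy) or "none")
```

Run it and the third policy is the one to notice: facebook-chat is listed in the allow rule, yet `missing_dependencies` reports mqtt and the session still lands on the clean-up rule, which is exactly the "pay attention to dependencies" point. Checking the allow-list against the App-ID dependency data before commit is cheaper than reading it off the traffic log afterwards.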