Name: #paloaltofirewalltraining | Day 34 | How to block Facebook | Detailed Explanation | Lab
Uploaded: 2025-04-06 19:30:05
Duration: 16 min 11 s

Question 1

How do I block Facebook videos but allow Facebook in Palo Alto firewall?

Accepted Answer

In my lab I first allow only “facebook-base” in the security policy and then I enable SSL Forward Proxy decryption. Without decryption, Facebook videos may still work because the firewall can’t clearly identify the sub-features inside HTTPS. Once decryption is enabled, I can allow facebook-base and block facebook-video (or just not allow it), and then verify from the logs.

Question 2

Why is SSL decryption required to block Facebook chat or videos?

Accepted Answer

Because Facebook runs over HTTPS, and without SSL decryption the firewall mostly sees encrypted traffic and can’t reliably detect the inner Facebook features. When I apply SSL decryption, Palo Alto can identify sub-applications like facebook-video, messenger, games, etc. That’s why I always say: to allow Facebook but block sub-features, decryption is for sure required.

Question 3

What is the difference between facebook-base and facebook-video in App-ID?

Accepted Answer

facebook-base is the main Facebook access, like opening the site and basic browsing. facebook-video is a separate sub-application used when you play videos inside Facebook. In my test, after enabling decryption, only allowing facebook-base stopped the videos, and adding facebook-video made the videos work again.

Question 4

Do I need to allow SSL or web-browsing separately when allowing Facebook in Palo Alto?

Accepted Answer

In the video I show that Facebook applications have implicit dependencies like SSL and web-browsing. So I didn’t explicitly create separate rules for 443/HTTP just for Facebook access. What I did ensure is DNS is allowed, because name resolution is required to reach facebook.com.

Question 5

How do I create a Palo Alto decryption rule for Facebook control?

Accepted Answer

I create a decryption policy with source zone inside, source subnet (like my 192.168.10.0/24), destination zone outside, and I select SSL Forward Proxy. I don’t specify a destination IP because it’s internet traffic. After committing, I retest Facebook and then confirm behavior changes for sub-features.

Question 6

How can I verify what Facebook feature is getting blocked on Palo Alto?

Accepted Answer

I verify from the Monitor logs after testing from the client PC. You can filter and see which App-ID is allowed (facebook-base, facebook-video) and what is getting discarded. In my example, when a feature wasn’t allowed, I could see traffic getting blocked and the behavior on the browser matched it.

Question 7

Facebook works but some features are not loading after enabling decryption—why?

Accepted Answer

That’s expected when you enable decryption and you are only allowing facebook-base. After decryption, the firewall starts seeing the real sub-applications and will block anything you didn’t allow. In my lab, videos stopped loading until I explicitly allowed facebook-video.

#paloaltofirewalltraining | Day 34 | How to block Facebook | Detailed Explanation | Lab

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech