topic Re: Can not block TikTok in Firewall and Security Management

Can not block TikTok

Caez__ — Mon, 27 Dec 2021 17:18:57 GMT

Hi everyone.

I'm having some problems blocking tiktok. Already block the app and domains with an Access Control Policy, in a way it worked but I still can see like 50% of the videos on the app. Is there something else that I can do?

Logs show that FW is blocking some traffic but the app uses different domains and cdn's to reach tiktok. Is there something else that I can do?

Re: Can not block TikTok

the_rock — Mon, 27 Dec 2021 18:07:09 GMT

What I do and ALWAYS works is add custom app with *domain*

So, in your case just add custom site as *tiktok* and block it. Sometimes I found I may need to add any existing applications if they exist , but thats not often.

Andy

Re: Can not block TikTok

Caez__ — Mon, 27 Dec 2021 19:27:23 GMT

This is the rule that I have created for this:

I add on the tiktok custom site the app domains that I found here: https://www.netify.ai/resources/applications/tiktok . Is this what works for you? This is the config that blocks around half of the videos from the app for me.

Re: Can not block TikTok

the_rock — Mon, 27 Dec 2021 19:31:41 GMT

I attached how I would create custom site...not sure if you did it the same.

Andy

Re: Can not block TikTok

Caez__ — Mon, 27 Dec 2021 20:03:02 GMT

Yes, config is the same, you can find it attached.

Still, some videos are passing

You think there's something else that I can do?

Re: Can not block TikTok

the_rock — Mon, 27 Dec 2021 20:04:35 GMT

In that case, you may need to examine the logs carefully and see why that happens. Do you have https inspection enabled or not?

Andy

Re: Can not block TikTok

Caez__ — Mon, 27 Dec 2021 21:36:06 GMT

I don't have https inspection. What I see on the logs is that the App & URL Policy for TikTok (7) is actually blocking traffic, but the App & URL Cleanup rule (16) is matching some traffic and letting it pass, I think this would explain why I can see some videos but I don't know how to fix it. Cleanup rule is configured to let pass all traffic.

Here you can find attached some evidence.

Re: Can not block TikTok

the_rock — Tue, 28 Dec 2021 00:32:21 GMT

In some cases, you may need to add the IP addresses to block as well.

Re: Can not block TikTok

G_W_Albrecht — Tue, 28 Dec 2021 10:48:21 GMT

Cleanup rule is usually configured to drop all traffic not matched by other rules - that is how it got the name 8).

Re: Can not block TikTok

the_rock — Tue, 28 Dec 2021 12:42:32 GMT

True that my friend :-). But, in all seriousness, it is recommended by CP to allow all at the bottom of ordered url and app control layer.

Re: Can not block TikTok

Caez__ — Tue, 28 Dec 2021 14:54:15 GMT

That's how we have configured the url and app layer, so the traffic pass the rule that blocks tiktok (even when other traffic to the same IP addres is being blocked for that policy like I mentioned before) and goes all the way down to cleanup rule that allows all. This happens with a lot of IP addresess of tiktok, not just the one from the capture "Permit and block to same IP" that I attached before. Would you recommend to trace and block all those IP addresess?

Re: Can not block TikTok

the_rock — Tue, 28 Dec 2021 14:58:39 GMT

Yes, I would. Sadly, I had to do same for customers in some cases. Even TAC suggested the same. You can open support case to see if they suggest anything else though.

Re: Can not block TikTok

G_W_Albrecht — Tue, 28 Dec 2021 21:18:45 GMT

I know that - but i would call it PassAll rule...

Re: Can not block TikTok

the_rock — Wed, 29 Dec 2021 13:37:13 GMT

I will tell you what I find works the best, in my opinion...now, this might not be what most customers would do, but works well from what I experienced. Instead of say, creating another url and app control ordered layer, I always end up creating section towards the top of built in access layer with url and app control rules you need. The downside to it could be the fact that you have to enable those blades in this ordered layer, so acceleration might not work as well, but otherwise, I honestly had not seen any major issues with it.

Re: Can not block TikTok

genisis__ — Fri, 17 Mar 2023 09:54:25 GMT

That's what I've always done, and agreed Checkpoint recommends that as well, so your application rules really should be block specific's and then allow everything else (as a generic rule of thumb).

Re: Can not block TikTok

genisis__ — Fri, 17 Mar 2023 09:59:30 GMT

Just a quick note - Checkpoint have added tiktok as an application

Re: Can not block TikTok

Cyber_Serge — Tue, 29 Aug 2023 14:04:29 GMT

I tried this method but this requires https inspection to work 100%. We see lot of traffic identified as TikTok and blocked, but the website still works and video still plays; Surely you'd think the easy solution is to enable https inspection, but that's not possible because we are talking about a wifi network. Users cannot be forced to download and install certificate for https inspection to work (especially on the mobile devices).

We are able to block correctly using Harmony Mobile following the sk; but that's only managed devices. Devices not managed/guest devices is the concern here.

Interested in hearing some other ideas or suggestions. Thanks

Re: Can not block TikTok

Cyber_Serge — Thu, 31 Aug 2023 19:58:07 GMT

upon further investigation, we found out this is an issue and open a support case; it's blocking on some gateways but in one specific network and the gateway the traffic going out, it is not blocked.