How to block WhatsApp Web and App by Access Rules

Description

When traditional methods such as App Control and Content Filter Service, along with DPI-SSL, fail to block WhatsApp Web and the desktop application effectively, the Access Rule approach in this guide is a viable alternative.

Cause

Most of the time, the cause is the number of ports and FQDNs/IP addresses WhatsApp communicates with, which makes it more difficult to block.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


  • Step 1. Add address objects with the following list:

Refer to the link: Adding an Address Object

FQDNs:

mmg.whatsapp.net

pps.whatsapp.net

media-iad3-2.cdn.whatsapp.net

media-iad3-1.cdn.whatsapp.net

media-lga3-1.cdn.whatsapp.net

media-lga3-2.cdn.whatsapp.net

crashlogs.whatsapp.net


msedge.api.cdp.microsoft.com

config.edge.skype.com


IPs:

20.99.184.37

157.240.229.61

3.33.221.48

52.143.87.28

52.148.148.114

3.33.252.61

20.112.56.82

20.189.173.6

52.226.139.180

15.197.206.217


FQDNs (optional):

wa.me

whatsapp-plus.info

whatsapp-plus.me

whatsapp-plus.net

whatsapp.cc

whatsapp.com

whatsapp.info

whatsapp.net

whatsapp.org

whatsapp.tv

whatsappbrand.com

NOTE: The FQDNs and IP addresses listed here come from a lab environment; they were collected one by one from a packet capture that was running during the lab test. Blocking the IP addresses is what prevents the QR code from popping up.


  • Step 2. Add those FQDNs and IP addresses to a group by creating an Address Group.

Refer to the link: Creating Address Groups

  • Step 3. Add the port services below and, as in Step 2, put them in a group by creating a Service Group.

Refer to the link: Adding Custom IP Type Services

Refer to the link: Adding Custom Service Groups

Port Services:


TCP 80

TCP 443

TCP 5222

TCP 5223

TCP 5228

TCP 5242
 

  • Step 4. Create the block Access Rule from LAN to WAN:


TIP: If this rule needs to be applied to a specific group of users, the next tab, "Users & TCP/UDP", provides the fields to include or exclude users or groups of users.



TIP: The resolution for SonicOS 6.5 follows the same pattern.
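
Because the lists above came from a single lab packet capture, it helps to re-check coverage against a fresh capture. The following is an added example, not SonicWall code: it models the Step 4 rule offline, where a flow is blocked only when its destination is in the Address Group and its port is in the Service Group. The flow records, the helper names and the `gap` label are assumptions made for illustration, and FQDN matching is simplified to an exact name comparison.

```python
# Added example: offline model of the Step 4 rule (Address Group AND Service Group).
# Group contents are copied from Steps 1 and 3 of this article.
BLOCK_FQDNS = {
    "mmg.whatsapp.net", "pps.whatsapp.net", "crashlogs.whatsapp.net",
    "media-iad3-1.cdn.whatsapp.net", "media-iad3-2.cdn.whatsapp.net",
    "media-lga3-1.cdn.whatsapp.net", "media-lga3-2.cdn.whatsapp.net",
    "msedge.api.cdp.microsoft.com", "config.edge.skype.com",
}
BLOCK_IPS = {
    "20.99.184.37", "157.240.229.61", "3.33.221.48", "52.143.87.28",
    "52.148.148.114", "3.33.252.61", "20.112.56.82", "20.189.173.6",
    "52.226.139.180", "15.197.206.217",
}
BLOCK_TCP_PORTS = {80, 443, 5222, 5223, 5228, 5242}

def normalize(name):
    """Lower-case a DNS name and drop a trailing dot; None becomes ''."""
    return (name or "").lower().rstrip(".")

def rule_matches(name, ip, proto, port):
    """True when the flow hits both the Address Group and the Service Group."""
    dest_hit = normalize(name) in BLOCK_FQDNS or ip in BLOCK_IPS
    return dest_hit and proto.lower() == "tcp" and port in BLOCK_TCP_PORTS

def classify(name, ip, proto, port):
    """Return 'blocked', 'gap' (WhatsApp-looking but unmatched) or 'other'."""
    if rule_matches(name, ip, proto, port):
        return "blocked"
    host = normalize(name)
    if host == "whatsapp.net" or host.endswith(".whatsapp.net"):
        return "gap"  # candidate for the Address Group or Service Group
    return "other"

# Constructed flows (not real capture data): (DNS name, dst IP, protocol, dst port).
SAMPLE_FLOWS = [
    ("mmg.whatsapp.net", "198.51.100.10", "tcp", 443),    # listed FQDN
    (None, "157.240.229.61", "tcp", 5222),                # listed IP, no DNS name
    ("media-example.cdn.whatsapp.net", "198.51.100.20", "tcp", 443),  # unlisted host
    ("pps.whatsapp.net", "198.51.100.30", "tcp", 8443),   # listed host, unlisted port
    ("example.org", "192.0.2.5", "tcp", 443),             # unrelated traffic
]

def coverage_report(flows=SAMPLE_FLOWS):
    """Pair every flow with its verdict."""
    return [(flow, classify(*flow)) for flow in flows]

if __name__ == "__main__":
    for flow, verdict in coverage_report():
        print(f"{verdict:8} {flow}")
```

Flows reported as `gap` are the ones to review when deciding whether the Address Group or Service Group needs another entry.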
