Technical Tip: How to block sending files via the Zalo application while still allowing the chat

tino_p · ‎02-19-2024

Description

This article describes how to block sending files via the Zalo application while still allowing the chat. Zalo has some dedicated servers to store files, so it is necessary to find their addresses (on IP or FQDN) to block them on a Firewall policy.

Scope

FortiGate, Zalo.

Solution

Open Wireshark on the client's computer, sending big files via Zalo. Collect the server's IP address in Statistics. Zalo has several servers, so it is necessary to repeat a few times (with different file types, and different recipients) to collect enough IP addresses.

Add those IP addresses to the Firewall address, and address group.

Define a Firewall policy to Deny traffic based on the Zalo server's IP (as Destination).

As a result, the Zalo application cannot send files anymore. However, the chat/text is still able to be sent out.

The denied traffic is also logged in the Firewall:

Alternatively, in Step 1, it is possible to collect the FQDN of File Server: tt-files-wpa.chat.zalo.me (which was listed in the ServerName extension in TLS layer of the 'Client-Hello' packet.

Then define an FQDN address in Step 2 for that server address and create a DENY firewall policy to block file-transferring traffic:

Technical Tip: How to block sending files via the Zalo application while still allowing the chat

You are leaving our website