https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550103#M4801 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304428">@cylusaragao</a>&nbsp;,</P> <P>&nbsp;</P> <P>URL filtering is a Layer 7 mechanism and Cortex operates on Layer 3. For IPs we can suggest using Cortex XDR host firewalls.</P> <P>&nbsp;</P> <P>For URLs, there is no mechanism as such to block the URL. There is one method to create BIOC rules for incoming, outgoing and failed network connections(do not add the raw packets), and then add the domains to the list. Once created, you can add the BIOC to restrictions profiles.&nbsp;</P> <P>&nbsp;</P> <P>Please note, we work on process instances termination and not network termination. Hence the above mentioned step is regressive as any network connection made using browsers for the URL will kill the browser itself and not just the network connection. As a result, all other browser tabs will also shutdown. As a result, this is can be done for 1 or 2 URLs but not a very recommended action. It is recommended to setup a firewall configuration for URL filtering.</P> <P>&nbsp;</P> <P>Hope this helps.&nbsp;</P> Thu, 20 Jul 2023 01:03:56 GMT neelrohit 2023-07-20T01:03:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550042#M4795 <PRE id="tw-target-text" class="tw-data-text tw-text-large tw-ta" dir="ltr" data-placeholder="Tradução"><SPAN class="Y2IQFc">How do I block a specific url using edl?</SPAN></PRE> Wed, 19 Jul 2023 17:11:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550042#M4795 cylusaragao 2023-07-19T17:11:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550043#M4796 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304428">@cylusaragao</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>&nbsp;</P> <P>When you configure the Cortex XDR based EDL on firewalls, the firewalls start syncing the data accumulated in form of IPs and URLs from the Cortex XDR EDL list. This list is populated by security investigators and administrators who were able to find some malicious IPs and URL connection from the endpoints during the course of investigation and/or threat hunting.&nbsp;</P> <P>&nbsp;</P> <P>When these IPs and URLs are added to the list, the firewalls(if configured) fetch the data from the Cortex XDR locations where the EDLs are hosted. Generally these EDL location are in format mentioned below:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%" height="57px"><A href="https://edl-&lt;subdomain&gt;.xdr.&lt;region&gt;.paloaltonetworks.com/block_list?type=ip" target="_blank">https://edl-&lt;subdomain&gt;.xdr.&lt;region&gt;.paloaltonetworks.com/block_list?type=ip</A><BR /><A href="https://edl-&lt;subdomain&gt;.xdr.&lt;region&gt;.paloaltonetworks.com/block_list?type=domain" target="_blank">https://edl-&lt;subdomain&gt;.xdr.&lt;region&gt;.paloaltonetworks.com/block_list?type=domain</A><BR /><BR /></TD> </TR> </TBODY> </TABLE> <P><BR />Once the firewalls get the IP and domains from the EDL, any network connection associated to those IP and URLs are blocked for all the endpoints which are connected to the firewalls configured with the EDL.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Wed, 19 Jul 2023 17:42:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550043#M4796 neelrohit 2023-07-19T17:42:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550048#M4797 <PRE id="tw-target-text" class="tw-data-text tw-text-large tw-ta" dir="ltr" data-placeholder="Tradução"><SPAN class="Y2IQFc">I don't have a firewall, is there a way to configure the edl directly in the cortex?</SPAN></PRE> Wed, 19 Jul 2023 18:07:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550048#M4797 cylusaragao 2023-07-19T18:07:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550103#M4801 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304428">@cylusaragao</a>&nbsp;,</P> <P>&nbsp;</P> <P>URL filtering is a Layer 7 mechanism and Cortex operates on Layer 3. For IPs we can suggest using Cortex XDR host firewalls.</P> <P>&nbsp;</P> <P>For URLs, there is no mechanism as such to block the URL. There is one method to create BIOC rules for incoming, outgoing and failed network connections(do not add the raw packets), and then add the domains to the list. Once created, you can add the BIOC to restrictions profiles.&nbsp;</P> <P>&nbsp;</P> <P>Please note, we work on process instances termination and not network termination. Hence the above mentioned step is regressive as any network connection made using browsers for the URL will kill the browser itself and not just the network connection. As a result, all other browser tabs will also shutdown. As a result, this is can be done for 1 or 2 URLs but not a very recommended action. It is recommended to setup a firewall configuration for URL filtering.</P> <P>&nbsp;</P> <P>Hope this helps.&nbsp;</P> Thu, 20 Jul 2023 01:03:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550103#M4801 neelrohit 2023-07-20T01:03:56Z