article Nominated Discussion: URL Filtering Profile Set to Allow Ransomware in General Articles

Nominated Discussion: URL Filtering Profile Set to Allow Ransomware

kiwi — Wed, 05 Oct 2022 19:37:51 GMT

This article is based on a discussion,URL set to allow Ransomware, posted by @Schneur_Feldman and answered by @Astardzhiev, @BPry and @Adrian_Jensen. Read on to see the discussion and solution!

Can anyone please explain why Palo Alto Networks would release a Ransomware URL Category and put the default to allow?

It's going to be a pain logging into every single client of ours that uses Palo and changing Ransomware URL Category to block. Is there a way to automate it? What would the CLI command be?

Palo Alto Networks doesn't have visibility into how, why and where you are using your URL filtering profiles. They give you the tools, it is your decision how to use them.

The CLI command would be:

- Locally managed firewall

set profiles url-filtering <profile-name> block ransomware

- Panorama managed firewall

set device-group <device-group-name> profiles url-filtering <profile-name> block ransomware

There are couple of ways to automate such change and depending on your environment:

- Export firewall running config; search and edit the XML defining any URL filtering profile; import, load and commit the edited config

- Similar as above but for Panorama config, modifying any URL filtering in all available device-groups

From your comment it seems you support multiple different clients, which probably require different ways to connect and different credentials. So you are probably better using the XML API. You may want to check python framework, which could save you some time (connecting and authenticating to the device).

To further expand on this, Palo Alto Networks can't identify what you're using a profile for. If I have devices segmented off into a malware research zone and utilize a subset of my machines for those purposes, I absolutely wouldn't want Palo Alto Networks to modify my profiles to block a newly introduced category for a subset of machines where I would actually want to allow the traffic.

If you're managing multiple clients I'd really recommend looking at the benefits of utilizing Panorama to manage all of them, or better yet managing them directly through the XML configuration file and templating some of the configuration yourself if you can't get approved to purchase Panorama. The API here can also be a major help, but if you're not comfortable with it it's not going to be a quick fix since you'll need to be parsing results and using that information in additional changes.

NOTE: The new "ransomware" category is blocked in the "default" URL Filtering category. But as you pointed out correctly it is not blocked by default in custom URL Filtering categories because Palo Alto Networks doesn't know what you are using custom categories for.

Default URL Filtering Profile

Custom URL Filtering Profile

Re: Nominated Discussion: URL Filtering Profile Set to Allow Ransomware

AlexNC — Mon, 12 Dec 2022 15:51:41 GMT

If I may add my 2 cent here.

While I can agree on the fact that Palo Alto is not aware of what a URL filtering profile is used for.

A new category like ransomware should at least be implemented as "alert" for all URL filtering profiles that are detected

Palo Alto is all about security. therefore to me as a customer. I would expect such a URL category to be blocked by default, or that I would have to manually enable that new URL category.

Now in regards to Encrypted-DNS i see how that might be a more tricky case and I could understand to have it as "Alert" only.

But what I would never want from a newly created URL category, to be implemented in my URL Profiles set to "ALLOW" that is by far the worst of them all.

Regards

Alex

Re: Nominated Discussion: URL Filtering Profile Set to Allow Ransomware

kiwi — Tue, 13 Dec 2022 17:24:06 GMT

Hi @AlexNC ,

Thank you for your feedback. I understand your concern.

I do want to emphasize that the new "ransomware" category is blocked in the default URL Filtering profile. Current design sets it to a default allow on custom created URL filtering profiles only (same for all other categories).

One can easily adjust the action on all categories at once and set it to alert for example.

That being said, new categories will also get a default allow action. Customers are informed well in advance and usually a placeholder is created weeks in advance to allow customers to make the necessary adjustments in time.