article How to Block a Specific URL in General Articles

article How to Block a Specific URL in General Articles https://live.paloaltonetworks.com/t5/general-articles/how-to-block-a-specific-url/ta-p/521274 <P><EM><STRONG>This article is based on the discussion "<A href="https://live.paloaltonetworks.com/t5/general-topics/cannot-block-theoxymoron-xyz/m-p/520048" target="_blank" rel="noopener">Cannot block theoxymoron.xyz</A>," by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/254519">@Brandon54</a> and answered by <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184804" target="_blank" rel="noopener">@Adrian_Jensen</A> and <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>. Read on to see the discussion and solution!</STRONG></EM></P> <P> </P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>Hello, I have been trying to block the site theoxymoron.xyz but can not get it to block. I have tried URL filtering with many different versions of the UR, as well as blocking the IP addresses for the site, neither of which worked for me.  We do not use decryption. Any help would be appreciated.</P> </BLOCKQUOTE> <H2><FONT color="#FF6600"><STRONG>Accepted Solution:</STRONG></FONT></H2> <P> </P> <P>Actually, there are many ways to do this. If you are using a Security Policy with a URL Filter policy attached, you can do something like this:</P> <P> </P> <P>First you should have an existing Security Policy for your general internet bound traffic. You may want to use the <STRONG>"Test Policy Match"</STRONG> tool at the bottom of the Security Policy page to verify whether or not traffic is actually using the intended policy.</P> <P> </P> <P>The URL Filter must also be something other than "default" as you can not change the default filter categories.</P> <P> </P> <P class="lia-indent-padding-left-30px"><STRONG>Policies->Security</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>name=Internet Access</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>SrcZone=Trust</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>SrcAddr=CorpInternalIPs</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>DstZone=Untrust</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>DstAddr=any</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>Application=any</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>Service=any</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>Action=Allow</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>Profile Settings->URL Filtering=CorpURLFilter</STRONG></P> <P class="lia-indent-padding-left-30px"> </P> <P>Then create a custom URL Category for all domains you want to block (regardless of their other automatic categorization). The entries should only be the FQDN and possibly a URL path (path will only work if you are doing SSL decryption).</P> <P> </P> <P><MARK><STRONG>NOTE:</STRONG> <EM>Without encryption it can be a bit trickier as you only have the SNI to work off of.</EM></MARK></P> <P> </P> <P>The entries should be terminated with a slash or other delimiter to ensure variable expansion doesn't match to unintended paths (see <STRONG><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM79CAE&lang=en_US%E2%80%A9" target="_blank" rel="noopener">examples of using wildcards in URL filtering profiles</A></STRONG>).</P> <P> </P> <P>Be sure to add both the root and wildcard server names as the wildcard will not capture the root by itself.</P> <P>Don't put http/https specific resource indicators:</P> <P> </P> <P class="lia-indent-padding-left-30px"><STRONG>Objects->Custom Objects->URL Category</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>name=Corp-Block</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sites=</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>theoxymoron.xyz/</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>*.theoxymoron.xyz/</STRONG></P> <P> </P> <P>Now in your URL Filtering policy you should see your custom URL Category. Set the Site Access to "block":</P> <P> </P> <P class="lia-indent-padding-left-30px"><STRONG>Objects->Security Profiles->URL Filtering</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>name=CorpURLFilter</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>Category=</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>ᐁ Custom URL Categories:</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>Corp-Block=block,block</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>...</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>ᐁ Predefined Categories</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>... whatever your corporate URL categories filtering policies are...</STRONG></P> <P> </P> <P><SPAN>Your Custom URL Category will override the Predefined Categories settings for anything matching your CorpBlock.</SPAN></P> <P> </P> <P><SPAN>Alternatively, you can block based solely on IP address. </SPAN></P> <P> </P> <P><SPAN>This can be a bit more troublesome as, depending on the hosting, the website may be hosted on more IPs than the PA can track, using fast-flux DNS, may use many FQDN names, or using multiple redirects. This only works when you know the specific FQDN. Unfortunately there isn't a way to wildcard address objects. Start by creating some address objects to block:</SPAN></P> <P> </P> <P class="lia-indent-padding-left-30px"><STRONG>Objects->Addresses</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>name=theoxymoron-xyz</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>type->FQDN=theoxymoron.xyz</STRONG></P> <P class="lia-indent-padding-left-60px"> </P> <P class="lia-indent-padding-left-60px"><STRONG>name=www-theoxymoron-xyz</STRONG></P> <P class="lia-indent-padding-left-60px" data-unlink="true"><SPAN><STRONG>type->FQDN=</STRONG><STRONG>www.theoxmoron.xyz</STRONG> </SPAN></P> <P> </P> <P>Now create a new internet-bound rule for the specific destination IPs you want to block. You don't need a URL filtering policy or other attributes on this as you will just be blocking:</P> <P> </P> <P class="lia-indent-padding-left-30px"><STRONG>Policies->Security</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>name=Internet-BlockDestinations</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>SrcZone=Trust</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>SrcAddr=CorpInternalIPs</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>DstZone=Untrust</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>DstAddr=theoxymoron-xzy,www-theoxymoron-xyz</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>Application=any</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>Service=any</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>Action=Block</STRONG></P> <P> </P> <P>Depending on how you have your firewall setup, and your security posture, you may want to use one or another path. I use both of the above methods (and other methods) for various categories of blocking, FQDN/domain based URL Filter based on URL-root names for general websites, Security Policy general blacklists for various other IPs and networks that should never have any traffic http/https or otherwise.</P> <P> </P> <P>Because it's original categorization is <STRONG>'Proxy Avoidance and Anonymizers'</STRONG>, you can even simply just block this category.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1667424781111.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45104i264BA51FE21551F8/image-size/large?v=v2&px=999" role="button" title="OtakarKlier_0-1667424781111.png" alt="OtakarKlier_0-1667424781111.png" /></span></P> <P> </P> </DIV> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">Hope this helps!</DIV> <DIV data-extension-version="1.0.4"> </DIV> Tue, 05 Nov 2024 01:42:09 GMT kiwi 2024-11-05T01:42:09Z How to Block a Specific URL https://live.paloaltonetworks.com/t5/general-articles/how-to-block-a-specific-url/ta-p/521274 <P> </P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4"> </DIV> Tue, 05 Nov 2024 01:42:09 GMT https://live.paloaltonetworks.com/t5/general-articles/how-to-block-a-specific-url/ta-p/521274 kiwi 2024-11-05T01:42:09Z