topic Re: Parked domain blocked when traffic not decrypted - Custom URL categories not checked with encrypted traffic in Next-Generation Firewall Discussions

Parked domain blocked when traffic not decrypted - Custom URL categories not checked with encrypted traffic

JoseCortijo — Tue, 23 May 2023 11:45:50 GMT

Hi,

I have an issue while trying to whitelist a parked trusted domain https://centaur-horizon.eu/.

The traffic hits a rule with a URL filtering that has Parked set to Blocked but it also has a Custom URL Category called allow-Baseline as Allow and includes the parked domain.

At first, the exception seemed to work but later we realized that for users excluded from the general decryption policy, the exception does not apply and the website appears blocked.

PA seems not to consider the custom URL categories analysing encrypted traffic. in the screenshots, you can see that the detected category is different in both cases.

any idea how to solve this issue while keeping the decryption exception?

thanks

Re: Parked domain blocked when traffic not decrypted - Custom URL categories not checked with encrypted traffic

Raido_Rattameister — Tue, 23 May 2023 12:43:13 GMT

Do you also have *.centaur-horizon.eu/ in the custom URL category?

Users are trying to access www.centaur-horizon.eu not centaur-horizon.eu

Also URL Filtering Profile action "Allow" means "permit traffic but don't log under URL filtering log".

Best is to use action "Alert"

Re: Parked domain blocked when traffic not decrypted - Custom URL categories not checked with encrypted traffic

BPry — Tue, 23 May 2023 14:07:02 GMT

@JoseCortijo,

I agree with @Raido_Rattameister that this should be set to alert instead of allow so that the URL is still logged. Unless you truly don't want the firewall to log any URL that isn't blocked, most people would want to see where the traffic is going and would want the URL logged.

I think the issue that you're running into if I've read your post properly is that you're trying to allow the traffic via the same profile that you have parked domains set to blocked. The most defensive action is always going to win; so if centaur-horizon is matching Parked which you have set to Block and the custom category which is set to Alert or Allow, the traffic will be blocked because that's the most restrictive action that it matches.

You'd want to create a rule above the one this traffic is currently hitting that uses a custom URL profile that matches these excluded domains. That will allow the traffic to function properly without having to worry about the fact that it'll match the Parked category.

Re: Parked domain blocked when traffic not decrypted - Custom URL categories not checked with encrypted traffic

JoseCortijo — Fri, 26 May 2023 16:56:21 GMT

Hi @Raido_Rattameister, @BPry

Finally it worked just adding both www.centaur-horizon.eu and centaur-horizon.eu as the first redirects to the second.

as you recommended I set the custom URL category to Alert to keep track of what is happening.

But I didn't need to create an additional policy rule, a single rule was enough once the www URL was included. now it works as expected for both encrypted and decrypted traffic.

thanks for the support.

Re: Parked domain blocked when traffic not decrypted - Custom URL categories not checked with encrypted traffic

Raido_Rattameister — Fri, 26 May 2023 17:09:08 GMT

Custom categories have higher priority than pre-defined categories.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC