topic Re: EDL and Custom URL in Next-Generation Firewall Discussions

EDL and Custom URL

Ramakrishnan — Wed, 29 Jun 2022 19:59:14 GMT

Hi There,

Problem Statement : We have custom URL lists(To allow Azure Endpoints only), also we have EDL(With Minemeld) integrated.

As per our Infosec Policy we should not use Minemeld feed for Microsoft as it has some of many wildcard. So desperately creating custom URL for each MSFT end points(viz Defender, AAD heath etc,,)

But some of URL is not working. I couldn't fetch the exact URL which is getting blocked(its default implementation PAN that, unlisted URLs will not show in URL filtering tab...? but in the Traffic Tab I am seeing very peculiar;

For example: As per below screen shot, Why session is starting the Rule which i configured and fall back to Deny (reset-both with "default deny") category showing EDL-Azure-URL(In fact we have not configured "EDL-Azure-URLs" in the policy.

Re: EDL and Custom URL

SutareMayur — Thu, 30 Jun 2022 08:59:35 GMT

Hi @Ramakrishnan ,

For the policies if traffic log at session START is enabled, there are chances that the logs will show matching incorrect policy. This is because, when request reaches the firewall interface, the first matching policy in the set will be matched to allow traffic and create session but still at backend, firewall is checking for matching the security profile configurations. So the logs at session END will show the correct rules once all the checks are done by the firewall. Kindly refer this article for more details.

Coming to your 2^nd query that you are not able to see logs under URL filtering tabs. To view the logs, you need to make sure that URL category action is set to alert to log the URL filtering logs.

Hope it helps!