<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Best Practice for URL policy question in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/best-practice-for-url-policy-question/m-p/510610#M256</link>
    <description>&lt;P&gt;So the scenario is we have an app on a server which needs to access several URLs. My colleague set up a custom URL Category and applied it to the policy, but the problem is this isn't working. From my reading on URL Categories, this applies to web-browsing traffic, not URLs themselves as destinations. Meaning if traffic is deemed to be something else other than web-browsing, but still reaches the same URL on port 443, it won't apply the URL category.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So user &amp;gt; web browser &amp;gt; URL would trigger this.&lt;/P&gt;
&lt;P&gt;But service &amp;gt; application &amp;gt; URL would not.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The only other way I know how to allow this is by creating a FQDN object for the domain of the resource and allowing that in a policy for the destination, but that opens up way more than the specific resource we want to allow.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What is the best way to restrict application traffic to a URL if we cannot use URL Categories?&lt;/P&gt;</description>
    <pubDate>Tue, 02 Aug 2022 17:47:56 GMT</pubDate>
    <dc:creator>Josh_Morris</dc:creator>
    <dc:date>2022-08-02T17:47:56Z</dc:date>
    <item>
      <title>Best Practice for URL policy question</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/best-practice-for-url-policy-question/m-p/510610#M256</link>
      <description>&lt;P&gt;So the scenario is we have an app on a server which needs to access several URLs. My colleague set up a custom URL Category and applied it to the policy, but the problem is this isn't working. From my reading on URL Categories, this applies to web-browsing traffic, not URLs themselves as destinations. Meaning if traffic is deemed to be something else other than web-browsing, but still reaches the same URL on port 443, it won't apply the URL category.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So user &amp;gt; web browser &amp;gt; URL would trigger this.&lt;/P&gt;
&lt;P&gt;But service &amp;gt; application &amp;gt; URL would not.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The only other way I know how to allow this is by creating a FQDN object for the domain of the resource and allowing that in a policy for the destination, but that opens up way more than the specific resource we want to allow.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What is the best way to restrict application traffic to a URL if we cannot use URL Categories?&lt;/P&gt;</description>
      <pubDate>Tue, 02 Aug 2022 17:47:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/best-practice-for-url-policy-question/m-p/510610#M256</guid>
      <dc:creator>Josh_Morris</dc:creator>
      <dc:date>2022-08-02T17:47:56Z</dc:date>
    </item>
    <item>
      <title>Re: Best Practice for URL policy question</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/best-practice-for-url-policy-question/m-p/511164#M260</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206916"&gt;@Josh_Morris&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;but still reaches the same URL on port 443, it won't apply the URL category.&amp;nbsp;&lt;/P&gt;
&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Usually port 443 is used for TLS applications, in which case it should be possible to use with a URL category. We use the SNI in the Client Hello and can also use the certificate CN to determine URLs if the traffic is not decrypted. If the traffic is not decrypted, you can only match custom URLs based on the actual domain and not the full URI path.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If it's completely a non web application, let's say RADIUS for example, then no you can't match with a custom category since it's just IP to IP traffic without a URL. In that case I don't see how an FQDN would allow more access than you want. It will allow access to a specific IP, and you can further lock down the rule through the use of applications and services.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;- DM&lt;/P&gt;</description>
      <pubDate>Sat, 06 Aug 2022 19:04:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/best-practice-for-url-policy-question/m-p/511164#M260</guid>
      <dc:creator>dmifsud</dc:creator>
      <dc:date>2022-08-06T19:04:35Z</dc:date>
    </item>
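The mechanism dmifsud describes above (categorising undecrypted HTTPS by the SNI in the TLS Client Hello, and matching a custom category entry only on the domain part unless the session is decrypted), shown as an added example that is not code from the thread or from Palo Alto Networks. It parses a constructed ClientHello for its server_name extension and evaluates the host, plus the request path when one is visible, against a hypothetical custom category APP_ALLOWED. The entry syntax used (host/, *.domain/ for subdomains, host/path/ for a path prefix) is a simplified model assumed for illustration, not PAN-OS's documented matching rules.

```python
"""Added example, not code from the forum thread or from Palo Alto Networks:
categorise an undecrypted HTTPS session by the SNI in the TLS ClientHello and
check it against custom-URL-category style entries.  The entry syntax below
is a simplified model (assumption), not PAN-OS's documented matching rules."""
import struct
from typing import List, Optional

# Hypothetical custom category for the app server's outbound access (constructed).
APP_ALLOWED = ["api.example.com/", "*.cdn.example.com/", "updates.example.com/v2/"]


def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying one SNI."""
    host = sni.encode("ascii")
    name = b"\x00" + struct.pack("!H", len(host)) + host       # name_type host_name(0)
    sni_list = struct.pack("!H", len(name)) + name
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                 # client_version TLS 1.2
        + bytes(32)                 # random: all zeros, sample only
        + b"\x00"                   # session_id: empty
        + b"\x00\x02\xc0\x2f"       # one cipher suite
        + b"\x01\x00"               # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when the
    bytes are not a ClientHello, are truncated, or carry no SNI (the firewall
    would then fall back to the certificate CN, or have no URL at all)."""
    try:
        if record[0] != 0x16:                                  # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                      # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while ext_end >= pos + 4:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                                # server_name
                p = pos + 2                                    # skip list length
                while pos + elen >= p + 3:
                    ntype = body[p]
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0 and len(body) >= p + nlen:
                        return body[p:p + nlen].decode("ascii")
                    p += nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                            # truncated or malformed


def entry_matches(entry: str, host: str, path: Optional[str]) -> bool:
    """Simplified entry model: 'host/' matches that exact host on any path,
    '*.example.com/' matches any subdomain of example.com, and 'host/p/q/'
    matches only that path prefix.  path is None for an undecrypted session,
    so a path-level entry can never be satisfied without decryption."""
    ehost, _, epath = entry.lower().partition("/")
    host = host.lower()
    if ehost.startswith("*."):
        if not host.endswith(ehost[1:]):                       # ".example.com" suffix
            return False
    elif host != ehost:
        return False
    epath = epath.strip("/")
    if epath == "":
        return True                                            # domain-level entry
    if path is None:
        return False                                           # path unseen: no decryption
    return (path.strip("/") + "/").startswith(epath + "/")


def categorise(record: bytes, category: List[str],
               decrypted_path: Optional[str] = None) -> dict:
    """Match one session against the category.  decrypted_path is the HTTP
    request path if the session is decrypted, otherwise None."""
    host = extract_sni(record)
    match = None
    if host is not None:
        match = next((e for e in category if entry_matches(e, host, decrypted_path)), None)
    return {"host": host, "match": match}


if __name__ == "__main__":
    for sni, path in [("api.example.com", None), ("assets.cdn.example.com", None),
                      ("updates.example.com", None), ("updates.example.com", "/v2/manifest.json")]:
        print(sni, path, categorise(build_client_hello(sni), APP_ALLOWED, path))
```

Running it shows the failure mode the reply points at: the domain-level entries match from the SNI alone, but updates.example.com/v2/ only matches once a request path is visible, so on an undecrypted session that entry never fires. A non-TLS payload yields no host at all, which is the RADIUS-style case where only an FQDN or address object, narrowed by application and service, can scope the rule.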
  </channel>
</rss>

