<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Service/URL category in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585645#M3101</link>
    <description>&lt;P&gt;Also, the traffic I am allowing from an app perspective I see going to MS IPs using Windows-Defender-atp-endpoint, but I see the session end as tcp-rst-from-server.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 02 May 2024 14:34:06 GMT</pubDate>
    <dc:creator>S_Williams901</dc:creator>
    <dc:date>2024-05-02T14:34:06Z</dc:date>
    <item>
      <title>Service/URL category</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585563#M3093</link>
      <description>&lt;P&gt;Microsoft Defender has a lot of endpoints, it seems. I started a custom URL list with all the URLs needed for Defender, created a policy in a global device template and said "Allow any source, any destination, using SSL, Web-Browsing, and windows defender atp app, using application default." I put the URL list I created in the URL category area and didn't select a URL filter profile.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It seems I have users hitting things outside the URL list I created. I contacted TAC and they said it's because of the way the policy flow is for traffic, basically left to right in the tabs on the policy. So what is the point of URL category exactly if it won't restrict your traffic to just the URL list I created?&lt;/P&gt;</description>
      <pubDate>Wed, 01 May 2024 18:18:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585563#M3093</guid>
      <dc:creator>S_Williams901</dc:creator>
      <dc:date>2024-05-01T18:18:13Z</dc:date>
    </item>
    <item>
      <title>Re: Service/URL category</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585612#M3096</link>
      <description>&lt;P&gt;Are users successfully accessing things, or are you seeing logs for things you didn't expect?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The way a rule like this works is to allow the TCP handshake for everything that matches your first tuples: source, destination, port (you need to create a session first, before you get to the URL bit).&lt;/P&gt;
&lt;P&gt;When the HTTP GET comes around (or the SNI can be intercepted), there is another rulebase lookup for this session.&lt;/P&gt;
&lt;P&gt;If the URL matches your criteria, it will hit; if it doesn't, it will go further down the list to find a new match.&lt;/P&gt;
&lt;P&gt;If a match is found, that new rule will take over (and your log will reflect that after the session is finished).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Now in some cases there could be 'anomalies' that could result in weird logs:&lt;/P&gt;
&lt;P&gt;If, for example, the HTTP GET goes out (for a URL you did not intend to hit this rule) but the server stops responding, the session will eventually die and no new rule will be used to continue the session, so the log is written on the rule that allowed the initial handshake.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There could be a logical explanation for why you're seeing these logs.&lt;/P&gt;</description>
      <pubDate>Thu, 02 May 2024 08:30:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585612#M3096</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2024-05-02T08:30:47Z</dc:date>
    </item>
    <item>
      <title>Re: Service/URL category</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585642#M3099</link>
      <description>&lt;P&gt;I see lots of tcp-rst-from-client, but sometimes I see a tcp-fin from a non-Microsoft IP; maybe they are redirects.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 May 2024 14:04:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585642#M3099</guid>
      <dc:creator>S_Williams901</dc:creator>
      <dc:date>2024-05-02T14:04:50Z</dc:date>
    </item>
    <item>
      <title>Re: Service/URL category</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585645#M3101</link>
      <description>&lt;P&gt;Also, the traffic I am allowing from an app perspective I see going to MS IPs using Windows-Defender-atp-endpoint, but I see the session end as tcp-rst-from-server.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 May 2024 14:34:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/service-url-category/m-p/585645#M3101</guid>
      <dc:creator>S_Williams901</dc:creator>
      <dc:date>2024-05-02T14:34:06Z</dc:date>
    </item>
  </channel>
</rss>