topic Re: URL filtering issue in Next-Generation Firewall Discussions

URL filtering issue

hemant16031981 — Fri, 16 Sep 2022 17:31:56 GMT

Hello All,

I have a policy on palo as below:

Source : A --> going to internet --

destination address --> any

Application --> ssl

service --> aplication default

custome URL category -- > allowed google.com

what would be allowed as per this policy

2nd scenario

Source : A --> going to internet --

destination address --> any

Application --> google-base

service --> aplication default

custome URL category -- > allowed google.com

what would be allowed as per this policy

Thanks for your help!

Re: URL filtering issue

Adrian_Jensen — Sat, 17 Sep 2022 00:57:35 GMT

The first scenario would allow connections containing SSL traffic (not just HTTPS, but any data stream wrapped in SSL) to a URL allowed in the custom URL category. Note: Using SSL can get you in trouble when thinking this is HTTPS data. You might put in an inbound allow "SSL" to your DMZ'd web server assuming that this will just allow HTTPS, when in fact it will allow SMTPS, IMAPS, FTPS, etc. to your DMZ server.

The second scenario would allow connections identified as google-base (Google app login, basic account services, etc.) to URLs in the custom URL category. Per the application description:

This App-ID covers common service and infrastructure traffic generated by all Google services and applications. To safely enable Google's services and applications, this App-ID is required to be permitted by policy.

Both scenarios may suffer from problems in that traffic will not initially be detected as ssl or google-base and allowed as it takes several packets to identify an application and the detection may change as more packets traverse the firewall, so a connection initially identified as SSL to a Google URL may become google-hangouts as more traffic is processed. So you may need some other rule to initially allow traffic thru. Additionally, you may need to have decryption turned on to effectively identify/match your URL categories.

If you just want to allow all Google web services (and you want to specifically pass Google traffic thru a specific rule, instead of a general internet access rule), you may do better with a security policy like:

Source : A --> going to internet --

destination address --> any

Application --> web-browsing, ssl

service --> application default

custom URL category -- > allowed google.com

action --> allow

If you intention is to allow Google traffic, but you want to deny Google file storage, then a general access rule plus:

Source : A --> going to internet --

destination address --> any

Application --> google-cloud-storage, google-docs, google-drive-web

service --> application default

action --> deny

Re: URL filtering issue

hemant16031981 — Sat, 17 Sep 2022 07:13:37 GMT

Thanks for the information you provided...

My requirement is to allow specific website only (google.com) and only on secure port, want to use custom url category in the security policy. how the policy look like then ?

Thanks

Re: URL filtering issue

Adrian_Jensen — Sat, 17 Sep 2022 20:39:43 GMT

If you just want to allow google.com HTTPS services then a slight variation of the first scenario would be:

Source : A --> going to internet --

destination address --> any

Application --> ssl

service --> service-https

custom URL category -- > allowed google.com

action --> allow

Just be aware that Google may use domains other than google.com for some web calls.