topic Policy destination field when using URL filtering in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-destination-field-when-using-url-filtering/m-p/1235718#M6183 <P>I need to write a rule that looks like this</P> <P>&nbsp;</P> <P>Source zone: Internal</P> <P>&nbsp;</P> <P>Destination zone: External</P> <P>&nbsp;</P> <P>Source address: 10.38.105.201</P> <P>&nbsp;</P> <P>Destination address: This is where it is tricky, I need the destination addresses to be *.myqlink.biz *.med.myqlink.net *.internapcdn.net but am aware you cannot use wildcards for FQDN objects, and needs to be done via the custom URL category/URL profile. So would this be “any”?</P> <P>&nbsp;</P> <P>Application: any</P> <P>&nbsp;</P> <P>Destination port: tcp-1433</P> <P>&nbsp;</P> <P>Action: allow</P> <P>&nbsp;</P> <P>My question to you I guess is as this is an allow rule is it safe to put “any” in the destination address field? Wouldn’t that allow 10.38.105.201 to any destination external? I just want to allow that source to those three wildcards via tcp-1433 and that is it.</P> <P>&nbsp;</P> <P>As well as you create the custom URL category, add those 3 wildcards and maybe a few more for their subdomains, hit ok. Move to URL filtering security profile create one and go to the custom URL category in the security profile and hit alert to have it log to panorama. Then destination “any” in the ACLs destination address field? &lt; of course adding the new URL profile I had just created on the rule? Or is that completely wrong?</P> <P>&nbsp;</P> <P>I just don’t want to allow that 10. IP to anything and everything external, and we just don’t know what the beginning of the domains will be.</P> <P>&nbsp;</P> <P>Here are the documents from the vendor, I’ve also uploaded those photos to the discussion&nbsp;</P> <P>&nbsp;</P> <P>Ports: <A href="https://imgur.com/a/MVH2lG0" target="_blank">https://imgur.com/a/MVH2lG0</A></P> <P>URLs: <A href="https://imgur.com/a/rxnow-cabinet-requirements-tHx2lua" target="_blank">https://imgur.com/a/rxnow-cabinet-requirements-tHx2lua</A></P> Fri, 08 Aug 2025 13:10:57 GMT Kc_Dodds 2025-08-08T13:10:57Z Policy destination field when using URL filtering https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-destination-field-when-using-url-filtering/m-p/1235718#M6183 <P>I need to write a rule that looks like this</P> <P>&nbsp;</P> <P>Source zone: Internal</P> <P>&nbsp;</P> <P>Destination zone: External</P> <P>&nbsp;</P> <P>Source address: 10.38.105.201</P> <P>&nbsp;</P> <P>Destination address: This is where it is tricky, I need the destination addresses to be *.myqlink.biz *.med.myqlink.net *.internapcdn.net but am aware you cannot use wildcards for FQDN objects, and needs to be done via the custom URL category/URL profile. So would this be “any”?</P> <P>&nbsp;</P> <P>Application: any</P> <P>&nbsp;</P> <P>Destination port: tcp-1433</P> <P>&nbsp;</P> <P>Action: allow</P> <P>&nbsp;</P> <P>My question to you I guess is as this is an allow rule is it safe to put “any” in the destination address field? Wouldn’t that allow 10.38.105.201 to any destination external? I just want to allow that source to those three wildcards via tcp-1433 and that is it.</P> <P>&nbsp;</P> <P>As well as you create the custom URL category, add those 3 wildcards and maybe a few more for their subdomains, hit ok. Move to URL filtering security profile create one and go to the custom URL category in the security profile and hit alert to have it log to panorama. Then destination “any” in the ACLs destination address field? &lt; of course adding the new URL profile I had just created on the rule? Or is that completely wrong?</P> <P>&nbsp;</P> <P>I just don’t want to allow that 10. IP to anything and everything external, and we just don’t know what the beginning of the domains will be.</P> <P>&nbsp;</P> <P>Here are the documents from the vendor, I’ve also uploaded those photos to the discussion&nbsp;</P> <P>&nbsp;</P> <P>Ports: <A href="https://imgur.com/a/MVH2lG0" target="_blank">https://imgur.com/a/MVH2lG0</A></P> <P>URLs: <A href="https://imgur.com/a/rxnow-cabinet-requirements-tHx2lua" target="_blank">https://imgur.com/a/rxnow-cabinet-requirements-tHx2lua</A></P> Fri, 08 Aug 2025 13:10:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-destination-field-when-using-url-filtering/m-p/1235718#M6183 Kc_Dodds 2025-08-08T13:10:57Z Re: Policy destination field when using URL filtering https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-destination-field-when-using-url-filtering/m-p/1236156#M6214 <P>this will allow the client to set up 'initial' sessions towards basically anywhere as long as it's using port 1433, but the category lookup mechanism will determine pretty quickly if this session matched the right category or not</P> <P>&nbsp;</P> <P>if it doesn,t, the rule will release the session and a new security rule lookup will happen. if the session no longer matches any rules that allow it, it will be dropped</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>so while yes, you'll allow tcp handshakes to basically the entire internet, url category lookup should catch up quick before any 'rogue' applications can connect</P> Mon, 18 Aug 2025 09:47:18 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-destination-field-when-using-url-filtering/m-p/1236156#M6214 reaper 2025-08-18T09:47:18Z