https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539763#M1493 <P>I have tested a PBF rule using an FQDN as a destination and it works fine. T<SPAN>he firewall resolves the IP addresses associated with that FQDN, and then makes the routing decision based on those IP addresses. Does the firewall use different methods to handle URL-based EDLs?</SPAN></P> Sat, 22 Apr 2023 00:39:14 GMT Stellar 2023-04-22T00:39:14Z https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539751#M1491 <P><SPAN>I am attempting to use an External Dynamic List (EDL) with a URL-based list as the destination in a Policy-Based Forwarding (PBF) rule on Panorama. However, when I try to add the EDL as the destination in the PBF rule, I am not able to see the URL-based list EDL in the destination list. I have checked that the EDL is configured correctly, assigned to the correct device group. Additionally, I have verified that the license for Threat Prevention includes the URL filtering feature. What could be causing this issue and how can I resolve it?</SPAN></P> Fri, 21 Apr 2023 22:41:22 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539751#M1491 Stellar 2023-04-21T22:41:22Z https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539762#M1492 <P>You can't route traffic based on URL.</P> <P>Web traffic is running over TCP.</P> <P>In case of TCP URL is in 4th packet (in best case if it is http) or later (if it is https).</P> <P>&nbsp;</P> <P>SYN</P> <P>SYN-ACK</P> <P>ACK</P> <P>HTTP GET &lt;&lt;&lt; URL is here</P> <P>&nbsp;</P> <P>Routing decision needs to be done on first packet.</P> <P>So you can't use URL to make routing decisions.</P> Fri, 21 Apr 2023 23:16:38 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539762#M1492 Raido_Rattameister 2023-04-21T23:16:38Z https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539763#M1493 <P>I have tested a PBF rule using an FQDN as a destination and it works fine. T<SPAN>he firewall resolves the IP addresses associated with that FQDN, and then makes the routing decision based on those IP addresses. Does the firewall use different methods to handle URL-based EDLs?</SPAN></P> Sat, 22 Apr 2023 00:39:14 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539763#M1493 Stellar 2023-04-22T00:39:14Z https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539764#M1494 <P>If you use FQDN based list then domain is resolved to IP and traffic is routed based on this destination IP (first packet).</P> <P>If you se URL based list then firewall does not intercept TCP 3way handshake and takes action when it sees website URL passing by in either HTTP GET packet (if clear text) or from certificate (when ssl).</P> Sat, 22 Apr 2023 00:52:42 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/unable-to-add-url-based-external-dynamic-list-as-destination-in/m-p/539764#M1494 Raido_Rattameister 2023-04-22T00:52:42Z