topic Re: Security Profile/ URL Filter enable but web site bypass blocking in Panorama Discussions

Security Profile/ URL Filter enable but web site bypass blocking

marco.giraldo — Tue, 06 Feb 2024 13:36:53 GMT

Platform: PA-440

SW Version: 10.1.8

I created policy and I enabled Actions/Profile settings/URL Filter with customized one, it locks adult content.

1st attempt

website like chaturbate.com doesn't lock, in Monitor/URL filter appear blocked but I can browse the web site.

2nd attempt

I create an URL filter category with specific web site and it happens the same thing.

Why does it work so strange?

#PA440

Thank you

Re: Security Profile/ URL Filter enable but web site bypass blocking

Claw4609 — Tue, 06 Feb 2024 14:06:57 GMT

Out of curiosity, do you alert on all other url categories? What does your custom url category look like? Do you use a wildcard at some point or just the specific url?

The first thing that comes to mind with the actual url category is its not hearing back quick enough on the first time its seeing this. What happens if you lower the category lookup timeout?

Re: Security Profile/ URL Filter enable but web site bypass blocking

marco.giraldo — Tue, 06 Feb 2024 14:31:30 GMT

Out of curiosity, do you alert on all other url categories? No, logs appear when web site is blocked. What does your custom url category look like? Lock adult category and I added specific URL Do you use a wildcard at some point or just the specific url? Specific URL.

But as you can see the log, web site is blocked but I can browse it nevertheless.

Category lookup timeout (sec) =2

And hold client request for category lookup is checked

Re: Security Profile/ URL Filter enable but web site bypass blocking

Claw4609 — Tue, 06 Feb 2024 14:49:47 GMT

If you also add *.url.com/ to the custom list does it then block as intended? The custom url category may not be blocking all that it needs to. Granted that wouldn't explain why the predefined category isnt blocking it.

If you go into the cli of the firewall and run "test url URL" does the output categorize correctly? Could try clearing the url cache as well: How to clear URL cache in management and data plane? - Knowledge Base - Palo Alto Networks

Re: Security Profile/ URL Filter enable but web site bypass blocking

marco.giraldo — Tue, 06 Feb 2024 15:28:06 GMT

If I try via cli to check the url it appears as adult category but it works again.

In my custom category I tried to add other web site: *.acmilan.com and it locks both http and https.

In https blocked web site doesn't appear custom web page, but it is other topic.

Re: Security Profile/ URL Filter enable but web site bypass blocking

Claw4609 — Tue, 06 Feb 2024 15:30:24 GMT

Without decrypting the traffic the custom web pages are a lot less reliable. But here is a document you could follow: How to Serve a URL Response Page Over an HTTPS Session Without ... - Knowledge Base - Palo Alto Networks

Re: Security Profile/ URL Filter enable but web site bypass blocking

marco.giraldo — Tue, 06 Feb 2024 15:32:26 GMT

This evening we will try to update version.

Re: Security Profile/ URL Filter enable but web site bypass blocking

marco.giraldo — Wed, 07 Feb 2024 07:56:17 GMT

I updated to release 11.1.0 and it doesn't work nevertheless.

Last way is Dynamic Updates

Re: Security Profile/ URL Filter enable but web site bypass blocking

Rick-Rowe — Thu, 08 Feb 2024 16:52:29 GMT

Do you see it in the traffic as tcp 443?

It could be udp QUIC traffic. Block QUIC and see if that helps.