topic Re: Can PAN support inbould traffic filtering based on URI? in Automation/API Discussions

Can PAN support inbould traffic filtering based on URI?

John.ZHANG — Sat, 01 Sep 2012 14:05:08 GMT

Environment:

- There is a web server resides on DMZA. Two application URIs: www.url.com/service_1 and www.url.com/service_2, have configured on this web server.

- The DMZA is protected by PAN in vwire mode.

Can PAN fulfill following requirement? If yes, could you please let me know the configuration?

- www.url.com/service_1 can be accessed from the Internet without limitation.

- www.url.com/service_2 can only be accessed from the Internet if the source IP is x.x.x.x

Thanks a lot.

Re: Can PAN support inbould traffic filtering based on URI?

UhMayYeah — Sat, 01 Sep 2012 19:23:41 GMT

Hello John,

You can create Custom-Application based on the URI path.

Here is a documentation explaining things.

https://live.paloaltonetworks.com/docs/DOC-2015

-Ameya

Re: Can PAN support inbould traffic filtering based on URI?

mikand — Sun, 02 Sep 2012 17:28:11 GMT

If im not mistaken you can do this in 3 different ways in a PA device:

1) Setup a custom URL-category which you attach to each rule (rule1 will allow srcip:any to access service1 and rule2 will only allow srcip:x.x.x.x to access service2).

2) Setup a custom APP-ID that will be identified when each service url is being used.

3) Setup a custom IPS signature to trigger if the request doesnt match, and use this custom IPS signature only for the two rules above.

You could of course also combine the methods mentioned above.

The good part with using method 2 above (as example) is that your reports will have these requests as their own line (appid:service1 and appid:service2) - the bad part is that you probably have other files on your webserver which each service will use (lets say background pictures or such using /pics as uri or so) and in those cases you will need to look at several appids to find out for example how much traffic each service uses.