topic VPP Block IP and URL Filtering in Advanced Threat Prevention Discussions

VPP Block IP and URL Filtering

ce1028 — Mon, 23 Mar 2020 17:11:10 GMT

I have two questions, one of vulnerability protection and the other on URL Filtering

For Vulnerability Protection Profiles, is there any downside, such as performance when using the action "Block IP" ?

For URL Filtering, when you're allowing inbound traffic into the firewall from the internet, does it make sense/recommended to add a URL Filtering profile to those security rules? I would think no, but asking anyway.

Re: VPP Block IP and URL Filtering

reaper — Mon, 23 Mar 2020 17:28:31 GMT

There shouldn't be a downside to using block IP

Only case I think would cause issues is if you hit on some signature that thousands of hosts are using, causing all of them to get added. It could cause your block IP memory to run out of space to write entries, but that's just theoretical

For URL filtering you could create a custom category with all your internal fqdns and block everything else. Any additional layer is a good layer 😉

Re: VPP Block IP and URL Filtering

ce1028 — Mon, 23 Mar 2020 17:56:29 GMT

@reaper thanks for reply.

If that theoretical scenario happened, what action would the firewall take? Would it still block the threat, even if it had no memory to block the IP?

The custom URL list is a very good idea, I was thinking of a scenario where you have a web server and Palo url database changes and your site get's categorized as malware or unknown or another category you typically block, you would essentially block your customers from accessing the site

Re: VPP Block IP and URL Filtering

reaper — Mon, 23 Mar 2020 17:59:19 GMT

Hi @ce1028 yes, first action is to mitigate the threat, so drop packet at least

A custom category has priority over the URL filtering database so you won't block yourself while preventing all other requests from coming in

Re: VPP Block IP and URL Filtering

ce1028 — Mon, 23 Mar 2020 18:10:46 GMT

thanks @reaper , good to know.

Yes, definitely about url filtering. I was referring to using a url profile without the custom allows

Re: VPP Block IP and URL Filtering

reaper — Mon, 23 Mar 2020 18:12:48 GMT

Without the custom category I wouldn't use URL filtering as it could cause issues if your site gets recategorized

Re: VPP Block IP and URL Filtering

ce1028 — Mon, 23 Mar 2020 18:44:27 GMT

@reaper thanks much. One more question, when you're using the action Block IP (or even Deny or one of the reset options), is setting packet capture to single or extended useless? Documentation says it won't capture unless action is alert or allow, yet it suggests setting extended for critical, high medium?

Re: VPP Block IP and URL Filtering

reaper — Mon, 23 Mar 2020 19:21:06 GMT

Single packet.will capture the (1) offending packet, while extended will capture more packets if possible (packets leading up to the hit and any resends afterward)

Re: VPP Block IP and URL Filtering

ce1028 — Mon, 23 Mar 2020 20:14:01 GMT

Yes, I am aware of that much, but if the action is drop/block etc, will it be able to capture any packets?

Re: VPP Block IP and URL Filtering

reaper — Mon, 23 Mar 2020 20:16:31 GMT

Yes it will