https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/458841#M101942 <P>Hi All,</P><P>&nbsp;</P><P>I'm trying to determine if this is possible.</P><P>&nbsp;</P><P>We are blocking abc.company.com via an entry in a custom url category which is applied to the internet policy via a URL filtering profile.</P><P>&nbsp;</P><P>I need to allow abc.company.com/specificpath while still blocking all other paths.&nbsp;</P><P>&nbsp;</P><P>Nothing I've tried works. We have a whitelist rule above the main internet rule that we can put URLs in but I cannot get the firewall to match on the domain/path. Only on the domain.&nbsp; So when I put the domain/path into the override rule, it doesn't match and continues on down to the main internet rule where it gets blocked.&nbsp; Likewise, I have tried putting the domain/path into the override tab of the URL filtering profile directly and that doesn't work either.</P><P>&nbsp;</P><P>Can the firewall match against domain/path or does only match against the domain and subdomain?</P><P>&nbsp;</P><P>Thanks for any insight anyone might have.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 14 Jan 2022 21:18:33 GMT epeeler 2022-01-14T21:18:33Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/458841#M101942 <P>Hi All,</P><P>&nbsp;</P><P>I'm trying to determine if this is possible.</P><P>&nbsp;</P><P>We are blocking abc.company.com via an entry in a custom url category which is applied to the internet policy via a URL filtering profile.</P><P>&nbsp;</P><P>I need to allow abc.company.com/specificpath while still blocking all other paths.&nbsp;</P><P>&nbsp;</P><P>Nothing I've tried works. We have a whitelist rule above the main internet rule that we can put URLs in but I cannot get the firewall to match on the domain/path. Only on the domain.&nbsp; So when I put the domain/path into the override rule, it doesn't match and continues on down to the main internet rule where it gets blocked.&nbsp; Likewise, I have tried putting the domain/path into the override tab of the URL filtering profile directly and that doesn't work either.</P><P>&nbsp;</P><P>Can the firewall match against domain/path or does only match against the domain and subdomain?</P><P>&nbsp;</P><P>Thanks for any insight anyone might have.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 14 Jan 2022 21:18:33 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/458841#M101942 epeeler 2022-01-14T21:18:33Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/458887#M101948 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/8533">@epeeler</a>,</P> <P>Do you have decryption enabled on this traffic so that the firewall can actually see the full URL?&nbsp;</P> Sat, 15 Jan 2022 06:41:10 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/458887#M101948 BPry 2022-01-15T06:41:10Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/459355#M101988 <P>I was trying to something similar before and the simple answer is that you can not using a custom URL category alone. When a URL matches multiple categories the most severe action takes precedence. See the following:</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC</A></P><P>&nbsp;</P><P>So you need to have abc.company.com in your block customer category. The put&nbsp;<SPAN>abc.company.com/specific path in the override list of the Security Profiles -&gt; URL Filtering profile applied to your Security Policy.</SPAN></P><P>&nbsp;</P><P><SPAN>Edit: I just re-read your post and realized you did say that you had already put the more specific in the override list. If it is blocking based on the custom block list, I would assume it is handling SSL decrypt successfully. Perhaps the pattern match in the override is not correctly terminated?</SPAN></P> Tue, 18 Jan 2022 21:43:18 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/459355#M101988 Adrian_Jensen 2022-01-18T21:43:18Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/465502#M102596 <P>Sorry for the late reply. Thanks to both for the response and information.&nbsp;</P> Mon, 14 Feb 2022 14:00:44 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-more-specific-path-of-a-blocked-url/m-p/465502#M102596 epeeler 2022-02-14T14:00:44Z