topic Re: URL allow list for some of the subdomains in General Topics

URL allow list for some of the subdomains

alextsa — Tue, 22 Feb 2022 14:48:19 GMT

Hi all

I want to limit the user to access the company's sharepoint only, but not other sharepoint from other tenant or even the sharepoint from personal account. Then I found the below KB (section 6) and show how to use allow list in the URL filtering profile to block *.sharepoint.com but allow company.sharepoint.com. But I cannot find the allow list section in PAN-OS 10.x, so anyone know how to configure the URL filtering profile to allow some subdomains (say companyA.sharepoint.com and companyA-myfiles.sharepoint.com) but not other sharepoint domain (*.sharepoint.com)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTDCA0

Best regards

Alex Tsang

Re: URL allow list for some of the subdomains

batd2 — Tue, 22 Feb 2022 15:44:49 GMT

@alextsa There is no specific allow/block lists as such. You create a custom URL categories in "Objects > Custom Objects > URL Category". One for the custom URLs you like to block and one for allow. Then under your URL filtering profile, you assigned the required actions - block and alert respectively.

Re: URL allow list for some of the subdomains

Adrian_Jensen — Tue, 22 Feb 2022 15:56:29 GMT

Note that block takes precedence over allow though, so a generic block *.sharepoint.com/ filter will block the company Sharepoint even though acme.sharepoint.com/ is in an allow URL category.

Re: URL allow list for some of the subdomains

alextsa — Tue, 22 Feb 2022 16:04:29 GMT

@batd2 Thanks, and I have tried to create two custom category - one is *.sharepoint.com and one contain companyA.sharepoint.com and companyA-myfiles.sharepoint.com, then added them to a URL filtering profile with block action for *.sharepoint.com and allow for companyA.sharepoint.com. But the result is all subdomain belongs to sharepoint.com are block even companyA one.

Best regards

Re: URL allow list for some of the subdomains

Adrian_Jensen — Tue, 22 Feb 2022 16:26:59 GMT

Which PANOS are you running? As said above, generic block takes precedence over specific allow. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC .

The advise was to put your generic block in a block URL category, then in Objects -> Security Profiles -> URL Filtering add an allow in the Override tab for the specific URL. I recently upgraded from 8.1.x to a 9.1.x release and that entire tab seems to have disappeared... So I'm not quite sure how you would allow a more specific now...

Re: URL allow list for some of the subdomains

alextsa — Tue, 22 Feb 2022 16:38:31 GMT

I am using 10.0

Re: URL allow list for some of the subdomains

aleksandar.astardzhiev — Tue, 22 Feb 2022 17:10:19 GMT

Hi @alextsa ,

Have you look at "HTTP Header Insertion" feature - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/http-header-insertion it might help you to achive that you want. However it requires SSL decryption in order for the firewall to inspect HTTP headers

More simple solution would be to use custom URL categories

- Create URL custom category listing all sharepoints you want to allow

- Use this URL category as matching criteria for allow rule (service/url tab in the gui)

- Set URL profile profile for that rule that does not has any URL custom category (action set to none)

- Create URL custom category listing any other sharepoint that you want to block (including wildcard)

- Create URL filtering profile and set action to block for the above custom category

- Use this URL filtering profile in any other rule that is allowing generic internet access - that should be below the specific rule you create for allowing access to specific sharepoint

I would recommend to define the allow rule to be more specific by configuring destination addresses (you can get from internet ip range that MS is using for sharepoint)

Re: URL allow list for some of the subdomains

alextsa — Tue, 22 Feb 2022 17:30:38 GMT

Thanks Astardzhiev

Tried HTTP Header Insertion and O365 Consumer and Enterprise Access App-ID, it can help when the O365/sharepoint/onedrive that need to go thru login process. But it cannot control when the user get a sharepoint/onedrive link that don't need login, so we need to control in the URL side to distinguish it is company's tenant or not.

Re: URL allow list for some of the subdomains

Adrian_Jensen — Tue, 22 Feb 2022 23:39:51 GMT

So this is extremely frustrating as it looks like PA has completely removed URL filtering overrides. In particular for me as I had multiple specific overrides which are now gone... I found a PA KB article on it here, but the resolution is completely wrong, as you have found out.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UtaCAE

It seems like the only way to do it now would be create a Custom Object -> URL Category for the specific allow rule, create a Security policy allowing internet access and add that URL Category as a parameter in the Service/URL Category tab. Then create another Internet access rule with your general URL filtering setup that has the overall block. That is just a completely broken way to do it... I would open a support ticket and complain.