https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14591#M10719 <HTML><HEAD></HEAD><BODY><P>The only way URL Filtering logs will be created is if we have a URL Filtering Profile attached to the rule passing the traffic and the action is set to anything but Allow. (Alert, Block)</P></BODY></HTML> Mon, 27 Jul 2015 02:57:52 GMT mmmccorkle 2015-07-27T02:57:52Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14585#M10713 <HTML><HEAD></HEAD><BODY><P>Hey all,</P><P></P><P>We have a security rulebase which is causing some bizarre issues.</P><P></P><P><STRONG>rule 1:</STRONG></P><UL><LI>trust to untrust</LI><LI>service: tcp-80</LI><LI>url category: online-storage</LI><LI>url filtering profile: alert-all</LI><LI>allow</LI></UL><P></P><P><STRONG>rule 2:</STRONG></P><UL><LI>trust to untrust</LI><LI>service: tcp-80</LI><LI>url category: /</LI><LI>url filtering profile: alert-all</LI><LI>allow</LI></UL><P></P><P>when we do some web traffic to <SPAN style="text-decoration: underline;">www.bing.com</SPAN> we get 2 different type of results</P><P></P><P><STRONG>A) we hit rule 2</STRONG></P><P>traffic logs show: allow</P><P>url filtering logs show: category = search-engines - action: alert</P><P></P><P><STRONG>B) we hit rule 1</STRONG></P><P>traffic logs show: allow</P><P>url filtering logs show: category = <EM>any</EM> (??) - action: block</P><P></P><P></P><P>what I think is happening in situation B is: Traffic is hitting rule 1, and because at this stage the PaloAlto does not know the url category it will allow traffic through this rule (zone and service are a hit). After some packets the url category is known as search-engines =&gt; this means the traffic is actually not allowed by rule 1 and thus traffic is dropped (even though there is a rule 2 which would have allowed this traffic!). The category = "any" in the url filtering logs is just some strange behaviour of the PaloAlto.</P><P></P><P>Now I know this rulebase does not make sence, but it's just a recap of what is happening. The actual rules involve different user-groups and allowed applications.</P><P></P><P>Question is:</P><P>Anybody else find this kind of behaviour.</P><P>Why is traffic sometimes hitting rule 1, and sometimes rule 2?</P></BODY></HTML> Thu, 23 Jul 2015 14:02:32 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14585#M10713 mr.linus 2015-07-23T14:02:32Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14586#M10714 <HTML><HEAD></HEAD><BODY><P>This may have already been mentioned, but I'd highly suggest you use the URL Filtering profile categories to filter categories instead of putting it into that portion of the rule itself.</P></BODY></HTML> Thu, 23 Jul 2015 21:37:21 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14586#M10714 mmmccorkle 2015-07-23T21:37:21Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14587#M10715 <HTML><HEAD></HEAD><BODY><P>using them in the rule is a way to get around paying for the service.</P></BODY></HTML> Sat, 25 Jul 2015 22:03:55 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14587#M10715 Brandon_Wertz 2015-07-25T22:03:55Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14588#M10716 <HTML><HEAD></HEAD><BODY><P>What's the intent of using a URL Category in security policy in conjunction with a URL Profile?</P></BODY></HTML> Sat, 25 Jul 2015 22:05:40 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14588#M10716 Brandon_Wertz 2015-07-25T22:05:40Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14589#M10717 <HTML><HEAD></HEAD><BODY><P>I believe that the engine is still active, we just have to create our own custom categories instead of using the pre-defined ones with the purchased license.</P><P></P><P>Thanks!</P></BODY></HTML> Sat, 25 Jul 2015 23:22:56 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14589#M10717 mmmccorkle 2015-07-25T23:22:56Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14590#M10718 <HTML><HEAD></HEAD><BODY><P>I can't keep it straight if using it in security policy either doesn't create a URL log or doesn't allow you to use a URL response page, but I know it's one of them as well.</P></BODY></HTML> Sun, 26 Jul 2015 02:11:44 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14590#M10718 Brandon_Wertz 2015-07-26T02:11:44Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14591#M10719 <HTML><HEAD></HEAD><BODY><P>The only way URL Filtering logs will be created is if we have a URL Filtering Profile attached to the rule passing the traffic and the action is set to anything but Allow. (Alert, Block)</P></BODY></HTML> Mon, 27 Jul 2015 02:57:52 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14591#M10719 mmmccorkle 2015-07-27T02:57:52Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14592#M10720 <HTML><HEAD></HEAD><BODY><P>Hey All,</P><P></P><P>I have been investigating this issue with PaloAlto tech support and we found the issue.</P><P>We've been able to track the trigger condition down to safe search enforcement setting on the URL profile. For some reason, the string "FORM=IE" from the URL will trigger this behavior. So for some reason this would make it so search traffic to BING sometimes hit rule 1, and sometimes hit rule 2. </P><P></P><P>But I do agree that using URL categories in the rulebase is just asking for trouble.</P></BODY></HTML> Mon, 03 Aug 2015 08:05:20 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14592#M10720 mr.linus 2015-08-03T08:05:20Z https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14593#M10721 <HTML><HEAD></HEAD><BODY><P>Dear</P><P>Please note that: using url categories in a security policy, instead of a security profile does NOT work if you do not have a license.</P><P>You still need an active license to be able to use url categories.</P><P>You do not need a license to use custom url categories, which you can then use in security policies as well as in security profiles.</P><P>The use in policy or profile has nothing to do with license.</P></BODY></HTML> Tue, 04 Aug 2015 08:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/using-url-categories-in-security-rule-base-blocks-allowed/m-p/14593#M10721 mr.linus 2015-08-04T08:25:56Z