https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516335#M107223 <P>Thanks,&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>.</P> <P>&nbsp;</P> <P>I created the two deny policies (one with facebook-base application and other one with social-networking). Still traffic are allowing with internet any policy by matching URL category as any.</P> <P>&nbsp;</P> <P>I would like to know why still traffic bypassing these two rules? and allowing in internet policy.&nbsp;<BR /><BR />If decryption is the only solution, I am thinking about basic firewall functioning..!</P> Thu, 29 Sep 2022 08:38:34 GMT lakshmipathimurugan 2022-09-29T08:38:34Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516040#M107167 <P>Hello Everyone,</P> <P>&nbsp;</P> <P>In PA Firewall logs I am noticing the strange behaviour of the App and URL Category. I have blocked the social networking sites in the policy. But Facebook-based applications are categorized under any; sometimes it is categorized as social networking and blocking traffic.</P> <P>&nbsp;</P> <P>Can someone face this issue before? What is the solution to fix this categorization issue?&nbsp;</P> <P>&nbsp;</P><BR /><BR />Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. Tue, 27 Sep 2022 08:25:11 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516040#M107167 lakshmipathimurugan 2022-09-27T08:25:11Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516065#M107170 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210445">@lakshmipathimurugan</a></P> <P>&nbsp;</P> <P>thank you for the post.</P> <P>&nbsp;</P> <P>The behavior you described is expected. The below KBs describe what URL category "any" means:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UP1CAM&amp;lang=en_US%E2%80%A9&amp;refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UP1CAM&amp;lang=en_US%E2%80%A9&amp;refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm08CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm08CAC</A></P> <P>&nbsp;</P> <P>If your ultimate goal is to block Facebook, then I would create 2 security policies. One policy to block application: facebook-base and another to block URL category: social-networking. In this way either of the policy will be hit to deny Facebook related traffic regardless it is detected as application or URL category.</P> <P>&nbsp;</P> <P>With your current policy: "Block Streaming Media-App Based" the issue I am seeing, to block this traffic, Firewall has to decode application as "facebook-base" and have enough information to categorize URL category as "social-networking". If Firewall can't categorize URL category, this policy will not be hit.</P> <P>&nbsp;</P> <P>If your goal is to go more granular and block only some of the Facebook application, you will have to enable decryption.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Tue, 27 Sep 2022 13:09:25 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516065#M107170 PavelK 2022-09-27T13:09:25Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516335#M107223 <P>Thanks,&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>.</P> <P>&nbsp;</P> <P>I created the two deny policies (one with facebook-base application and other one with social-networking). Still traffic are allowing with internet any policy by matching URL category as any.</P> <P>&nbsp;</P> <P>I would like to know why still traffic bypassing these two rules? and allowing in internet policy.&nbsp;<BR /><BR />If decryption is the only solution, I am thinking about basic firewall functioning..!</P> Thu, 29 Sep 2022 08:38:34 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516335#M107223 lakshmipathimurugan 2022-09-29T08:38:34Z https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516562#M107277 <P>Thank you for reply&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210445">@lakshmipathimurugan</a></P> <P>&nbsp;</P> <P>could you confirm what actual user experience is? Where you able to confirm that Facebook traffic is not blocked? Some of the traffic will have a URL category as any until Firewall has enough traffic to go through to properly categorize it, this should however eventually result traffic being blocked by matching right policy. Before that happens some of the logs will have category any.&nbsp;</P> <P>&nbsp;</P> <P>To block Facebook traffic, decryption is not required, the Facebook traffic will be categorized based on initial SSL handshake by looking into SNI of certificate.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Sun, 02 Oct 2022 07:16:56 GMT https://live.paloaltonetworks.com/t5/general-topics/paloalto-firewall-app-and-url-category-mismatch/m-p/516562#M107277 PavelK 2022-10-02T07:16:56Z