https://live.paloaltonetworks.com/t5/general-topics/block-http-https-access-via-ip/m-p/520783#M107946 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256619">@Robynson</a>,</P> <P>Couple ways off hand:</P> <P>&nbsp;</P> <P>* Custom URL Category assigned to the security policy allowing external access - This is by far the most effective way to accomplish what you're attempting to do since you're just trying to do it for your own website(s).&nbsp;</P> <P>&nbsp;</P> <P>* Blocking the unknown category - Same thing really, but you would assign a URL filtering profile on the external access entry that blocks medium-risk and unknown categories. You'd have to verify what effect this would have with your own URL logs, but direct IP access is always going to be labelled as medium-risk,unknown by the firewall. Blocking access to those would block direct IP access, but could cause issues depending on how your website(s) are actually categorized.</P> <P><BR />The one thing to be mindful of here is that you'd want to ensure that you actually look through your logs and create a&nbsp;<EM>separate</EM>&nbsp;URL Filtering profile to assign if you go with that second option. GlobalProtect's hip-check is sent directly to the IP address instead of the FQDN, so you don't want to just block medium-risk and unknown categories on the profile you use for all of your external access rules.&nbsp;</P> Wed, 09 Nov 2022 13:38:02 GMT BPry 2022-11-09T13:38:02Z https://live.paloaltonetworks.com/t5/general-topics/block-http-https-access-via-ip/m-p/520772#M107942 <P>Hello.</P> <P>&nbsp;</P> <P>I would like to block access to my site (http/https) when it is made via IP.</P> <P>I want to only allow access made by name.</P> <P>&nbsp;</P> <P>Ex.: <A href="http://www.mysite.com" target="_blank" rel="noopener">www.mysite.com</A>&nbsp;&lt;=&gt; 1.2.3.4</P> <P>&nbsp;</P> <P><A href="https://1.2.3.4" target="_blank" rel="noopener">https://1.2.3.4</A>&nbsp;=&gt; deny</P> <P><A href="https://www.mysite.com" target="_blank" rel="noopener">https://www.mysite.com</A>&nbsp;=&gt; allow</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA-access.by.name.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45228i29F71D6555D8AF98/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PA-access.by.name.jpg" alt="PA-access.by.name.jpg" /></span></P> <P>&nbsp;</P> <P>Is that possible with Palo Alto?</P> <P>Thanks.</P> Wed, 09 Nov 2022 12:24:01 GMT https://live.paloaltonetworks.com/t5/general-topics/block-http-https-access-via-ip/m-p/520772#M107942 Robynson 2022-11-09T12:24:01Z https://live.paloaltonetworks.com/t5/general-topics/block-http-https-access-via-ip/m-p/520783#M107946 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256619">@Robynson</a>,</P> <P>Couple ways off hand:</P> <P>&nbsp;</P> <P>* Custom URL Category assigned to the security policy allowing external access - This is by far the most effective way to accomplish what you're attempting to do since you're just trying to do it for your own website(s).&nbsp;</P> <P>&nbsp;</P> <P>* Blocking the unknown category - Same thing really, but you would assign a URL filtering profile on the external access entry that blocks medium-risk and unknown categories. You'd have to verify what effect this would have with your own URL logs, but direct IP access is always going to be labelled as medium-risk,unknown by the firewall. Blocking access to those would block direct IP access, but could cause issues depending on how your website(s) are actually categorized.</P> <P><BR />The one thing to be mindful of here is that you'd want to ensure that you actually look through your logs and create a&nbsp;<EM>separate</EM>&nbsp;URL Filtering profile to assign if you go with that second option. GlobalProtect's hip-check is sent directly to the IP address instead of the FQDN, so you don't want to just block medium-risk and unknown categories on the profile you use for all of your external access rules.&nbsp;</P> Wed, 09 Nov 2022 13:38:02 GMT https://live.paloaltonetworks.com/t5/general-topics/block-http-https-access-via-ip/m-p/520783#M107946 BPry 2022-11-09T13:38:02Z