topic Re: URL Filtering - Changes in 3.1.7? in General Topics

URL Filtering - Changes in 3.1.7?

networkadmin — Thu, 27 Jan 2011 20:12:00 GMT

I have a PAN that has been running 3.1.6 quite happily.

We have an internal Exchange/OWA server so we have rule in place to allow inbound access to it, and the rule uses a URL filtering profile that allows only the IIS virtual directories needed to access the OWA services.

Yesterday I upgraded to 3.1.7 and noticed this morning that immediately after the upgrade I was seeing URL blocking happening on inbound OWA URLs that had previously worked.

I have a case open with Vadition, but wondered if anyone else had encountered this?

Re: URL Filtering - Changes in 3.1.7?

rapoint_person — Wed, 09 Feb 2011 20:00:51 GMT

Please explain what you are doing in greater detail.

I take it you are not using a custom application for this paricular policy?

I'd suggest you create a custom application with lets say:

http-req-host-header = hostname\.domain\.com

http-req-uri-path = /virtualdir

Then add add the application to your security rule and make sure the application is correctly categorized by adding an application override policy. Wouldn't that work?

Re: URL Filtering - Changes in 3.1.7?

networkadmin — Wed, 09 Feb 2011 20:06:57 GMT

In the same way you can have an outbound allow/block whitelist/blacklist on a URL profile, you can do the same on inbound rules.

So we have an Outlook Web Access server with an inbound rule, I use URL filtering to ensure people can only get to https://server.fqdn/exchange and not, say, https://server.fqdn/system32/someexploit.etc

We're obviously doing reverse SSL decryption on the inbound traffic.

Everything worked perfectly until we upgraded from 3.1.6 to 3.1.7 at which point all of a sudden URLs were being blocked that weren't previously.

Adding server.fqdn to the whitelist (no sub-directories) has worked around it but we're now coming up to 2 weeks since I opened the case - it's fair to say I'm not comfortable without the URL filtering protection on the inbound traffic.

Re: URL Filtering - Changes in 3.1.7?

rapoint_person — Wed, 09 Feb 2011 20:19:30 GMT

Ok I understand what you are saying. Thats a reason to open a case right there.

Don't remember reading about any changes in the release notes for 3.1.7 regarding the URL-filter.

I still think you should try defining this as an application and solving it that way. Any drawbacks/reasons you don't want to use a custom app?

I mean, if you have the complete fqdn and uri in the application you accomplish the same thing.

Re: URL Filtering - Changes in 3.1.7?

networkadmin — Wed, 09 Feb 2011 20:23:18 GMT

One reason would be I don't know how to

That reason aside, the URL list is quite long as you need to add each virtual directory - presumably even with an app you still need to do this so would I gain that much?

Re: URL Filtering - Changes in 3.1.7?

rapoint_person — Wed, 09 Feb 2011 20:28:59 GMT

It's easy, You will be a kung-fu champ in custom apps in no time

Take a look at this example:

https://live.paloaltonetworks.com/docs/DOC-1492

As you see you can put in "OR" conditions, (in your case each virtual dir on that particular server)

Good luck!

/Oskar