topic Re: URL Filter - Block one and log the rest in General Topics

URL Filter - Block one and log the rest

cosx — Fri, 30 Nov 2012 22:49:07 GMT

On a PAN with no BrightCloud license, you can still use the URL filtering "Block" and "Allow" lists. Right now I use that feature to have a "log-all" URL filtering policy where I have "*" in the block list and an action of "alert." But now I have one (or it could be a short list) of URLs that I want to really block, i.e. an action of "block." However, if I change my block list to block that one URL with a "block" action, I lose all of my logging of other URLs.

Is there a way to block my URL while still logging everything else that I'm not seeing? Kind of seems like something that should be easy (block some URLs while still retaining the ability to alert others), but I don't see how I can do it reliably.

Re: URL Filter - Block one and log the rest

nayubi — Fri, 30 Nov 2012 23:58:12 GMT

You can try to create an object using an fqdn and try to apply in in a policy, but it looks like you may need to invest in url filtering.

Re: URL Filter - Block one and log the rest

dyang — Sat, 01 Dec 2012 01:14:54 GMT

In the absence of a URL filtering license, you should also be able to create a custom category. So if you really need to, create a custom category with the URL you'd like to block, and then continue using the block list to alert on the rest.

Re: URL Filter - Block one and log the rest

cosx — Mon, 03 Dec 2012 18:18:57 GMT

Thanks. Wasn't sure if custom URLs worked.

So what I did was create a custom URL category for the sites I want to block:

# show profiles custom-url-category

custom-url-category {

wpad {

list [ wpad.am.example.com wpad.example.com];

}

Then I create a policy rule that uses that URL category,

# show rulebase security rules "Block WPAD"

"Block WPAD" {

source any;

destination any;

service application-default;

application web-browsing;

action allow;

source-user any;

option {

disable-server-response-inspection no;

}

negate-source no;

negate-destination no;

disabled no;

log-end yes;

from dc;

to internal;

log-setting Panorama-ALL;

hip-profiles any;

log-start no;

category wpad;

}

Don't be mislead by the name. The action us currently "allow" while I make sure the rule does not catch traffic inadvertently. And I am a little puzzled by the results. If I do hit a URL that matches the URL category, I get the expected entry in my logs. However, I see a lot of logs,

Time

App

From

Src Port Source

Rule

Action

Dst Port Destination

Src User

Dst User

===============================================================================

2012/12/03 10:13:41 incomplete	dc	63803	172.31.152.165
Block WPAD	allow	internal	80	192.168.208.131

2012/12/03 10:13:37 incomplete	dc	50620	10.10.10.77
Block WPAD	allow	internal	80	192.168.228.45

2012/12/03 10:13:36 incomplete	dc	63802	172.31.152.165
Block WPAD	allow	internal	80	192.168.208.131

Even though they are "incomplete," I believe the connections are in fact working. Not sure what these logs mean. I believe they are successful HTTP connections, but the URL does not match. I would expect not to see any log entry at all if that were the case. Is this expected behavior?