https://live.paloaltonetworks.com/t5/general-topics/wildcards-in-url-filtering-for-ssl-decrypt-bypass/m-p/29767#M21752 <HTML><HEAD></HEAD><BODY><P>OK, so this is driving me mad and I'm obviously missing something.</P><P></P><P>I've created a custom URL category in which I wish to drop URLs that will bypass SSL decryption.&nbsp; In this I want to use wildcards, so that all sites for a particular company can be bypassed.</P><P></P><P><SPAN>For the sake of example, let's say the site I want to get to unencrypted is </SPAN><A class="jive-link-external-small" href="https://www.microsoft.com">https://www.microsoft.com</A></P><P></P><P>In the URL category I've added *.microsoft.com using the wildcard EXACTLY as documented in the URL_Categorzation_PANOS-RevC.pdf document posted on this site.</P><P></P><P>The custom URL category is then referenced in a rule in my Decryption policy, with action no-decrypt and type ssl-forward-proxy set appropriately</P><P></P><P>Everything has then been committed back to the PANOS firewall.</P><P></P><P>Result?&nbsp; URLs matching the wildcard are still being decrypted.&nbsp; The firewall is completely ignoring the bypass rule.</P><P></P><P>Anyone got any idea why?&nbsp; The CLI "Test" command doesn't even recognise my custom URL categories, so that's no help.</P><P></P><P>Firewall is running 5.0.5</P><P></P><P>Thanks in advance</P></BODY></HTML> Fri, 30 Aug 2013 11:03:30 GMT David_Hulse 2013-08-30T11:03:30Z https://live.paloaltonetworks.com/t5/general-topics/wildcards-in-url-filtering-for-ssl-decrypt-bypass/m-p/29767#M21752 <HTML><HEAD></HEAD><BODY><P>OK, so this is driving me mad and I'm obviously missing something.</P><P></P><P>I've created a custom URL category in which I wish to drop URLs that will bypass SSL decryption.&nbsp; In this I want to use wildcards, so that all sites for a particular company can be bypassed.</P><P></P><P><SPAN>For the sake of example, let's say the site I want to get to unencrypted is </SPAN><A class="jive-link-external-small" href="https://www.microsoft.com">https://www.microsoft.com</A></P><P></P><P>In the URL category I've added *.microsoft.com using the wildcard EXACTLY as documented in the URL_Categorzation_PANOS-RevC.pdf document posted on this site.</P><P></P><P>The custom URL category is then referenced in a rule in my Decryption policy, with action no-decrypt and type ssl-forward-proxy set appropriately</P><P></P><P>Everything has then been committed back to the PANOS firewall.</P><P></P><P>Result?&nbsp; URLs matching the wildcard are still being decrypted.&nbsp; The firewall is completely ignoring the bypass rule.</P><P></P><P>Anyone got any idea why?&nbsp; The CLI "Test" command doesn't even recognise my custom URL categories, so that's no help.</P><P></P><P>Firewall is running 5.0.5</P><P></P><P>Thanks in advance</P></BODY></HTML> Fri, 30 Aug 2013 11:03:30 GMT https://live.paloaltonetworks.com/t5/general-topics/wildcards-in-url-filtering-for-ssl-decrypt-bypass/m-p/29767#M21752 David_Hulse 2013-08-30T11:03:30Z https://live.paloaltonetworks.com/t5/general-topics/wildcards-in-url-filtering-for-ssl-decrypt-bypass/m-p/29768#M21753 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>Try to add </P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">*.microsoft.com</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">*<SPAN class="GINGER_SOFATWARE_correct">.</SPAN><SPAN class="GINGER_SOFATWARE_correct">microsoft</SPAN></SPAN><SPAN class="GINGER_SOFATWARE_correct">.</SPAN>*</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">*<SPAN class="GINGER_SOFATWARE_correct">.</SPAN><SPAN class="GINGER_SOFATWARE_correct">microsoft</SPAN><SPAN class="GINGER_SOFATWARE_correct">.</SPAN></SPAN>*/</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">*<SPAN class="GINGER_SOFATWARE_correct">.</SPAN><SPAN class="GINGER_SOFATWARE_correct">microsoft</SPAN><SPAN class="GINGER_SOFATWARE_correct">.</SPAN></SPAN>*/*</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P>Please go through below mentioned discussion and documents, hope it will help you.</P><P></P><P><A href="https://live.paloaltonetworks.com/message/27930">.</A></P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2008">Controlling SSL Decryption</A></P><P></P><P>Thanks</P></BODY></HTML> Fri, 30 Aug 2013 14:39:51 GMT https://live.paloaltonetworks.com/t5/general-topics/wildcards-in-url-filtering-for-ssl-decrypt-bypass/m-p/29768#M21753 HULK 2013-08-30T14:39:51Z