topic Re: Subnet entry in Custom URL Category in General Topics

Subnet entry in Custom URL Category

sconley — Wed, 29 Aug 2012 17:32:26 GMT

If I were to enter multiple subnets (ex: 218.65.30.0/24) as entries in a Custom URL Category, will those entries been seen as the entire subnet or will they be seen as a URL (http://218.65.30.0/24)? I ask this because I'm looking at creating an outbound block/deny policy based off custom URL categories and I want to make sure I am actually blocking this entire subnet. I am also looking at the possibility of creating this list as a Region and then blocking that region. It seems silly to create an address object for each one and then add them all to an address group, which I know can be done automatically through scripting to save time, but I was wondering if the above scenario would do what I need. Thanks

Re: Subnet entry in Custom URL Category

mikand — Wed, 29 Aug 2012 21:17:08 GMT

To block the subnet the correct way is to block at dstip and not dsturl.

However even if a real browser shouldnt be able to connect to a different ip than the one stated in the url request (I mean if you type http://5.6.7.8/ in your browser the browser will try to connect to dstip 5.6.7.8) there could be various malwares and possible other cases of where http is being used as a protocol but where the dstip is for example 1.2.3.4 but the requested url is http://5.6.7.8/ for a particular request (or "Host: 5.6.7.8" for that matter).

A question related to this, does PA have a IPS-signature against if a client performs a request towards dstip 1.2.3.4 but the url requested is http://5.6.7.8/ (or rather "Host: 5.6.7.8") and is this signature valid for both IPv4 and IPv6?