https://live.paloaltonetworks.com/t5/general-topics/app-vs-url/m-p/36419#M26774 <HTML><HEAD></HEAD><BODY><P>Despite the fact that I've blocked *.logmein.com and the logmein application, I'm still seeing traffic permitted to logmein.com. On inspecting the traffic log details, I can see that the traffic is being identified in 2 ways:</P><P></P><P><BR />06/21 13:07:59&nbsp; THREAT&nbsp; url&nbsp; ssl&nbsp; block-url&nbsp; URL Default&nbsp; Severity: informational Category: Blocked sites URL: *.app03-10.logmein.com/</P><P>06/21 13:09:51&nbsp; TRAFFIC&nbsp; end&nbsp; ssl&nbsp; allow&nbsp; URL Default&nbsp; Bytes: 8630 Packets: 18</P><P></P><P>Is this because I've got SSL permitted and APP beats URL? I'd expect traffic to be denied if any part of it was being blocked, but this does not appear to be the case.</P><P></P><P>I'm thinking that SSL Decryption is the only option to stop this traffic as the logmein application is encrypted, or an explicit deny for SSL to loginme.com.</P><P></P><P>Is this correct?</P></BODY></HTML> Mon, 21 Jun 2010 12:56:47 GMT robert.b 2010-06-21T12:56:47Z https://live.paloaltonetworks.com/t5/general-topics/app-vs-url/m-p/36419#M26774 <HTML><HEAD></HEAD><BODY><P>Despite the fact that I've blocked *.logmein.com and the logmein application, I'm still seeing traffic permitted to logmein.com. On inspecting the traffic log details, I can see that the traffic is being identified in 2 ways:</P><P></P><P><BR />06/21 13:07:59&nbsp; THREAT&nbsp; url&nbsp; ssl&nbsp; block-url&nbsp; URL Default&nbsp; Severity: informational Category: Blocked sites URL: *.app03-10.logmein.com/</P><P>06/21 13:09:51&nbsp; TRAFFIC&nbsp; end&nbsp; ssl&nbsp; allow&nbsp; URL Default&nbsp; Bytes: 8630 Packets: 18</P><P></P><P>Is this because I've got SSL permitted and APP beats URL? I'd expect traffic to be denied if any part of it was being blocked, but this does not appear to be the case.</P><P></P><P>I'm thinking that SSL Decryption is the only option to stop this traffic as the logmein application is encrypted, or an explicit deny for SSL to loginme.com.</P><P></P><P>Is this correct?</P></BODY></HTML> Mon, 21 Jun 2010 12:56:47 GMT https://live.paloaltonetworks.com/t5/general-topics/app-vs-url/m-p/36419#M26774 robert.b 2010-06-21T12:56:47Z https://live.paloaltonetworks.com/t5/general-topics/app-vs-url/m-p/36420#M26775 <HTML><HEAD></HEAD><BODY><P>Hi Robert,</P><P></P><P>The rules are applied in a top down fashion - so if traffic matches an allow rule before getting to the deny rule, there will be no further matches.&nbsp; Except of course, if the application or application function changes.</P><P>SSL Decryption does happen before the Security Policies are applied - so if the application is inside HTTPs, it will get matched correctly (assuming all other parameters are set correctly for the SSL decrypt to happen).</P><P>Just as a note, in case you are using the service column as well - when decrypting, you'll still see port 443 in the logs since this does not change.</P><P></P><P>Hope this helps?</P><P>Thanks</P><P>James</P></BODY></HTML> Mon, 21 Jun 2010 17:32:27 GMT https://live.paloaltonetworks.com/t5/general-topics/app-vs-url/m-p/36420#M26775 James 2010-06-21T17:32:27Z