https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40649#M29853 <HTML><HEAD></HEAD><BODY><P>Its possible that this is a bug because it shouldn't be truncating.&nbsp; Please open a case with your support on this one.</P></BODY></HTML> Tue, 04 May 2010 18:37:36 GMT nrice 2010-05-04T18:37:36Z https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40646#M29850 <HTML><HEAD></HEAD><BODY><P>Just upgraded to 3.1.0 from 3.0.6.</P><P></P><P>I had the following URL filtering profile that I used on an inbound rule with SSL decryption so that people could only connect to valid Exchange/Outlook Web Access URLs:</P><P></P><P>webmail.ourdomain.co.uk/favicon.ico</P><P>webmail.ourdomain.co.uk/Exchange</P><P>webmail.ourdomain.co.uk/Exchweb</P><P><STRONG style="color: #ff0000; ">webmail.ourdomain.co.uk/Microsoft-Server*</STRONG></P><P>webmail.ourdomain.co.uk/OMA</P><P>webmail.ourdomain.co.uk/public</P><P>webmail.ourdomain.co.uk/rpc</P><P></P><P>When I upgraded that rule stopped working, which I found is because the wildcard syntax has changed in 3.1.</P><P></P><P>The issue is that it seems the PAN truncates the entire URL that is fed to the Exchange server so I can't filter on the full length virtual directory name which is /Microsoft-Server-Activesync, if I add that to my URL policy I see blocks in the URL logs for:</P><P></P><P>URL: webmail.ourdomain.co.uk/microsoft-server-activesync?user=joe&amp;devic</P><P>URL: webmail.ourdomain.co.uk/microsoft-server-activedeviceid=imei35766301</P><DIV> </DIV><DIV>How do I fix this please?</DIV></BODY></HTML> Sun, 02 May 2010 12:21:38 GMT https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40646#M29850 networkadmin 2010-05-02T12:21:38Z https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40647#M29851 <HTML><HEAD></HEAD><BODY><P>In the change in 3.1.x&nbsp; wildcards need to be preceeded or followed by the following separators:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>.</STRONG></P><P>&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>/</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; ?</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; &amp;</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; =</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; ;</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; +</STRONG></P><P></P><P>Every substring that is separated by the characters listed above is considered a token.&nbsp; A token can be any number of ASCII characters that does not contain any separator character or <STRONG>*.</STRONG>&nbsp; For example, the following patterns are valid:</P><P></P><P><STRONG>*.yahoo.com</STRONG>&nbsp;&nbsp; (tokens are <STRONG>*,</STRONG>&nbsp; yahoo, and com)</P><P><A href="http://www.*.com"><STRONG style="color: #000000; ">www.*.com</STRONG></A>&nbsp;&nbsp; (tokens are www, *, and com)</P><P><A href="http://www.yahoo.com/search"><SPAN style="color: #000000;"><STRONG>www.yahoo.com/search</STRONG></SPAN></A><SPAN style="color: #000000;"><STRONG>=*</STRONG>&nbsp;&nbsp;&nbsp; (tokens are www, yahoo, com, search, * )</SPAN></P><P></P><P><SPAN style="color: #000000;">*webmail.ourdomain.co.uk/Microsoft-Server** is invalid because "*" is not the only character in the token&nbsp; ie "*webail" and "Server**".&nbsp; Without valid separators you filter won't work.&nbsp; </SPAN></P></BODY></HTML> Mon, 03 May 2010 23:45:05 GMT https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40647#M29851 nrice 2010-05-03T23:45:05Z https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40648#M29852 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>I had read that, the problem is that the PAN won't recognize the true URL it seems to truncate it.</P><P></P><P>The actual virtual Exchange directory would be "webmail.ourdomain.com/Microsoft-Server-Activesync" but if I enter that I see blocks because as per the log entry that I posted, the PAN seems to truncate the entire URL.</P><P></P><P>I could simply list webmail.ourdomain.com but the whole idea here is that I want to only allow access to the legitimate Outlook/Exchange Virtual Directories in IIS.</P></BODY></HTML> Tue, 04 May 2010 07:35:14 GMT https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40648#M29852 networkadmin 2010-05-04T07:35:14Z https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40649#M29853 <HTML><HEAD></HEAD><BODY><P>Its possible that this is a bug because it shouldn't be truncating.&nbsp; Please open a case with your support on this one.</P></BODY></HTML> Tue, 04 May 2010 18:37:36 GMT https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40649#M29853 nrice 2010-05-04T18:37:36Z https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40650#M29854 <HTML><HEAD></HEAD><BODY><P>Have done (Vadition).&nbsp; Presumably there are other customers using a PAN to reverse proxy Exchange/OWA?&nbsp; I can't imagine I'm trying to do anything unusual so if anyone's reading who is doing this, be interested to know your config.</P></BODY></HTML> Wed, 05 May 2010 19:22:26 GMT https://live.paloaltonetworks.com/t5/general-topics/upgraded-to-3-1-url-wildcards-not-working/m-p/40650#M29854 networkadmin 2010-05-05T19:22:26Z