topic Re: Security Policy Rule matches on ALL URL categories in General Topics

Security Policy Rule matches on ALL URL categories

hoerzers — Fri, 16 Aug 2013 12:52:06 GMT

Hi,

I'm sure this was working at some stage but now it's not working the way I need it: I have a rule from inside to outside, any user, web-browsing and a URL category of gambling, allow the traffic and use log forwarding with no profiles selected.

The problem is that the URL is matched on ANY traffic. Doing a 'test url' from the command line lists them as " computer-and-internet-info" and the url-cache is looking good. The box is licensed for PAN-DB as well. Any idea what I'm doing wrong?

Thanks

Re: Security Policy Rule matches on ALL URL categories

kprakash — Fri, 16 Aug 2013 13:17:08 GMT

Can you create a URL filtering profile, setting the action to "alert" for "gambling", and applying the URL filtering profile to the rule, instead of matching the URL category of gambling on the rule itself.

Re: Security Policy Rule matches on ALL URL categories

kprakash — Fri, 16 Aug 2013 13:30:59 GMT

Here a couple of useful links that explain why creating the URL filtering profile is preferred over adding the category on the rule itself

https://live.paloaltonetworks.com/message/28646#28646

https://live.paloaltonetworks.com/message/23810#23810

https://live.paloaltonetworks.com/docs/DOC-3108

BR,

Karthik RP

Re: Security Policy Rule matches on ALL URL categories

mbutt — Fri, 16 Aug 2013 19:12:38 GMT

If i understand it correctly

1. you have PAN-DB URL filtering license

2. In the policy you have gambling as URL category

Question:

The URL that you are going to is it suppose to be categorized as gambling or it is indeed "computer-and-internet-info" . If it is gambling then you can request a URL categorization change request.
Since the URL is not being identified correctly. You can go to the following site to do that

(http://urlfiltering.paloaltonetworks.com/testASite.aspx) or i believe you can also do it directly from the device as well.

If that is not the case and the site you are going to is "computer-and-internet-info" and that is what the test url command is showing but in the traffic policy we are not hitting it correctly.

Then you can try to clear the cache by using the following commands and then test if it is hitting the correct policy

“clear url-cache url <URL>”

“delete url-database url <URL>”

Next time the device will ask for the category of this URL, the request will be forwarded to the cloud.

Let us know if this helps you resolve the issue.

Thank you

Numan

Re: Security Policy Rule matches on ALL URL categories

hoerzers — Fri, 16 Aug 2013 23:45:51 GMT

Thanks for the replies.

I understand that I can use the profiles but what I'm really trying to find out why this doesn't work with the URL category straight in the rule itself. The URL is www.microsoft.com and correctly identified as "

"computer-and-internet-info". The same thing happens for www.intel.com. I've changed the category to 'adult' and still the same. I've cleared the entire URL cache and deleted the URL database and the rule is still incorrectly triggered. Below is the rule and a log entry for intel.com.

BTW, I've tried this on another PA-200, also 5.0.5 with a similar result.

Thanks

Re: Security Policy Rule matches on ALL URL categories

bpappas — Sat, 17 Aug 2013 04:56:36 GMT

Have you had a look at this discussion?

https://live.paloaltonetworks.com/message/16814#16814

Re: Security Policy Rule matches on ALL URL categories

hoerzers — Sat, 17 Aug 2013 06:00:50 GMT

I have now but unfortunately it does not solve my problem. I really need to know why something like Intel.com triggers the test rule I created. I understand the logging part but I don't understand why the rule does not work as expected.

Re: Security Policy Rule matches on ALL URL categories

Retired Member — Sat, 17 Aug 2013 12:35:06 GMT

This is expected behaviour.I know it seems like an issue but using url category is not a good solution.You see incomplete in the log you attached.Here is the explanation

"Incomplete means we have not had enough packets to identify the application being used in the session. When this happens we will use the first policy match that will match the source and destination zones and IP's and then the service (port numbers) this has to be done for enough of the packets to go through and then let us apply the rules per application, this is also true for the URL filtering, until we know the application we can't apply these rules to the traffic."

Re: Security Policy Rule matches on ALL URL categories

hoerzers — Sat, 17 Aug 2013 13:28:51 GMT

Understood. Thanks for the explanation!

Re: Security Policy Rule matches on ALL URL categories

harshanatarajan — Sat, 17 Aug 2013 14:31:59 GMT

Try clearing the sessions for that source ip. I have got this working.

>clear session all filter source <source ip>

Re: Security Policy Rule matches on ALL URL categories

Retired Member — Sat, 17 Aug 2013 16:11:51 GMT

not to see incomplete or etc.. applications hitting that rule only way is to change that rule's logging to session start( not end.) otherwise alhough you clear all sessions this behaviour will not change, you will see unexpected traffic hitting that url category - web browsing rule.

Regards.