topic Re: Rule too allow access to group of URLs? in General Topics

Rule too allow access to group of URLs?

networkadmin — Fri, 21 Oct 2016 14:18:02 GMT

PANOS 7.0.4 and I'm struggling to do something that feels basic 🙂

I need to allow anything on the LAN access to

*.sophos.com
*.sophosupd.com
*.sophosupd.net
*.sophosxl.net
ocsp2.globalsign.com
crl.globalsign.com

as per https://community.sophos.com/kb/en-us/121936

Right now we use captive portal but of course machines might try to update when nobody is logged in on them.

I can't add "address" objects for entire domains (can I?!) and if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.

Feels like I've overlooked something daft... thanks!

Re: Rule too allow access to group of URLs?

Anon1 — Fri, 21 Oct 2016 20:17:00 GMT

Maybe you can use the AppID "sophos-update" with service "application-default" and URL category "any"?

Re: Rule too allow access to group of URLs?

networkadmin — Wed, 26 Oct 2016 19:21:51 GMT

Thanks but that doesn't work, I guess Sophos Central isn't quite the same app.

Using the URL filter on a rule that only applies to my own PC I'm seeing Dropbox and other random stuff match the rule.

Tbh I didn't expect that something that on paper looks so simple would prove so difficult for a Palo Alto box.

Re: Rule too allow access to group of URLs?

Brandon_Wertz — Fri, 28 Oct 2016 13:27:46 GMT

@networkadmin wrote:
...if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.

Feels like I've overlooked something daft... thanks!

How are you "adding the URL categpry?" Are you adding it in the security policy or in a URL profile?

Re: Rule too allow access to group of URLs?

networkadmin — Fri, 28 Oct 2016 14:08:56 GMT

@Brandon_Wertz wrote:
@networkadmin wrote:
...if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.

Feels like I've overlooked something daft... thanks!

How are you "adding the URL categpry?" Are you adding it in the security policy or in a URL profile?

Trying on the security policy as if I try adding on a URL profile it would have the effect of blocking everything else.

Re: Rule too allow access to group of URLs?

Brandon_Wertz — Fri, 28 Oct 2016 18:43:01 GMT

I'm getting confused by what you're saying you're trying to do and how you're creating a policy to accomplish that.

You said you created a security policy with ANY source / dest / application. That uses service http/https.

What I'm curious about is are you using a custom URL object within the security policy on the "services" tab, or are you using a URL profile with the custom URL object you're referring to?

Since you've got an any / any /any rule it's natural for the other traffic to match this rule. It's only until the domain matching occurs that traffic would transition to a different rule in your firewall. All that other "random stuff" you reference is occurring over ports 80 and 443 so it initially matches.

Re: Rule too allow access to group of URLs?

networkadmin — Fri, 28 Oct 2016 19:00:19 GMT

@Brandon_Wertz wrote:
I'm getting confused by what you're saying you're trying to do and how you're creating a policy to accomplish that.

You said you created a security policy with ANY source / dest / application. That uses service http/https.

What I'm curious about is are you using a custom URL object within the security policy on the "services" tab, or are you using a URL profile with the custom URL object you're referring to?

Since you've got an any / any /any rule it's natural for the other traffic to match this rule. It's only until the domain matching occurs that traffic would transition to a different rule in your firewall. All that other "random stuff" you reference is occurring over ports 80 and 443 so it initially matches.

Thanks for the reply and hopefully this will clarify.

I'm adding the URL category to the Service/URL category tab on the security policy rule.

Re: Rule too allow access to group of URLs?

BPry — Fri, 28 Oct 2016 19:26:21 GMT

I think what @Brandon_Wertz is saying is that additonal traffic would hit this rule and match until it actually did the URL check. You would then need to have a rule after this one that would allow your other traffic to actually work, otherwise it would drop into the default 'deny' rule and your traffic would drop off.