https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/133807#M47263 <P>All,</P><P>&nbsp;</P><P>Does anyone know a way to setup source-based Custom URL Lists containing domains as an alternative to using source-based IP addresses and address groups? &nbsp;I don't think it's possible in any of the current versions of PAN-OS but i am looking at options.&nbsp;</P><P><BR />For example, if i want to limit inbound SMTP to our edge Exchange server from the Microsoft Exchange Online cloud, I have to add 24 IP addresses that resolve to <EM>*.outbound.protection.outlook.com</EM>. &nbsp;It would be a way better solution to just allow IP's that all resolve to a&nbsp;<SPAN><EM>*.outbound.protection.</EM></SPAN><EM>outlook.</EM><SPAN><EM>com</EM>&nbsp;contained in a Custom URL.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Am I just missing something here? &nbsp;Is there a better way to do this?</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>-Matt</SPAN></P> Tue, 20 Dec 2016 20:18:02 GMT mlinsemier 2016-12-20T20:18:02Z https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/133807#M47263 <P>All,</P><P>&nbsp;</P><P>Does anyone know a way to setup source-based Custom URL Lists containing domains as an alternative to using source-based IP addresses and address groups? &nbsp;I don't think it's possible in any of the current versions of PAN-OS but i am looking at options.&nbsp;</P><P><BR />For example, if i want to limit inbound SMTP to our edge Exchange server from the Microsoft Exchange Online cloud, I have to add 24 IP addresses that resolve to <EM>*.outbound.protection.outlook.com</EM>. &nbsp;It would be a way better solution to just allow IP's that all resolve to a&nbsp;<SPAN><EM>*.outbound.protection.</EM></SPAN><EM>outlook.</EM><SPAN><EM>com</EM>&nbsp;contained in a Custom URL.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Am I just missing something here? &nbsp;Is there a better way to do this?</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>-Matt</SPAN></P> Tue, 20 Dec 2016 20:18:02 GMT https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/133807#M47263 mlinsemier 2016-12-20T20:18:02Z https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/133869#M47268 <P>URL categories can be used for web-browsing traffic not SMTP.</P><P>For other traffic you can use IP's or address objects. Address object can be FQDN so name.</P><P><A title="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/ta-p/61903" href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/ta-p/61903" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-and-Test-FQDN-Objects/ta-p/61903</A></P><P>Most likely this will not resolve your wish to match *. addresses.</P><P>&nbsp;</P><P>Palo Alto has tool MimeMeld &nbsp;( <A title="https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld" href="https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld" target="_blank">https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld</A>&nbsp;) that can pull info from diferent sources (for example MS IP list&nbsp;<A title="https://support.content.office.net/en-us/static/O365IPAddresses.xml" href="https://support.content.office.net/en-us/static/O365IPAddresses.xml" target="_blank">https://support.content.office.net/en-us/static/O365IPAddresses.xml</A>&nbsp;) and Palo can pull this info from MimeMeld and you can use this data in source ip address field of your policy.</P> Wed, 21 Dec 2016 04:33:11 GMT https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/133869#M47268 Raido_Rattameister 2016-12-21T04:33:11Z https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/134059#M47300 <P>This offers some clarity to URL categories as I was always curious on web-browsing/ssl traffic or say a protocol like SMTP using TLS1 (ssl). &nbsp;This actually make much more sense now going forward.</P><P>&nbsp;</P><P>You are right by saying using FQDN will not work as I cannot use *.domain.com in it which is what really i want to be able to do. &nbsp;Ulitimately i ended up adding the 24 host subnets&nbsp;which resolves the issue, but being able to do wildcard source domains would be way cleaner as unless the domain and subdomains change completely, you would never have to update a IP list again.&nbsp;</P><P>&nbsp;</P><P>I will take a look at the MineMeld tool as well. &nbsp;I wanted to look at this in the past, I just ran out of cycles to do so. &nbsp;</P><P><BR />Thanks for this!</P><P>&nbsp;</P><P>Matt</P> Wed, 21 Dec 2016 18:03:11 GMT https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/134059#M47300 mlinsemier 2016-12-21T18:03:11Z https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/134060#M47301 <P>Few more bits.</P><P>URL category is compared to HTTP GET request field.</P><P>If you don't decrypt SSL/TLS then this flies by in encrypted payload and Palo can only read data on certificate and compare this to URL category.</P><P>&nbsp;</P><P>FQDN resolves name to IP's (like if you run nslookup <A href="http://www.microsoft.com" target="_blank">www.microsoft.com</A> from command prompt) and it is impossible to resolve *.microsoft.com against dns server.&nbsp;</P> Wed, 21 Dec 2016 18:41:31 GMT https://live.paloaltonetworks.com/t5/general-topics/source-based-custom-url-lists/m-p/134060#M47301 Raido_Rattameister 2016-12-21T18:41:31Z