topic Re: URL filtering in General Topics

URL filtering

jdprovine — Thu, 13 Jul 2017 16:47:48 GMT

Is there anyway to add a URL filtering for an individual address?

Re: URL filtering

BPry — Thu, 13 Jul 2017 17:07:42 GMT

You could always create a custom security policy for that address and assign the URL Filtering profile directly to that one profile. Would that work for what you are trying to do?

Re: URL filtering

TranceforLife — Thu, 13 Jul 2017 17:21:26 GMT

Agree, URL filtering profiles per policy basis not per ip. One profile (or group) per policy. Get a separate policy as @BPry has already mentioned

Re: URL filtering

jdprovine — Thu, 13 Jul 2017 18:55:24 GMT

okay so I make a url filtering profile for one single web address that we want to block and then create a security policy with that profile in it.

So if I can do this what does the url filtering subscription get you, we currently do no have it

Re: URL filtering

jdprovine — Thu, 13 Jul 2017 19:12:26 GMT

@BPry - forgot to tag you

okay so I make a url filtering profile for one single web address that we want to block and then create a security policy with that profile in it.

So if I can do this what does the url filtering subscription get you, we currently do no have it

Re: URL filtering

Remo — Thu, 13 Jul 2017 19:15:59 GMT

If you only want to log the accessed url's, allow only specific url's for example to a dmz server or as in your case you only need to block one (ore more) specific address(es) --> ther is no need for the url subscription

With the url subscription you can apply actions based on url categories. Here a few examples:

Block malware, phishing, peer2peer, dyn-dns, unknown
If your company policy does not allow social media
Allow downloads on all websites exept risky categories
With PAN-OS 8: allow your users to enter credentials on benign websites but not on unknown
...

The list with possibilities is nearly endless 😉

But the main point is, that the subscription is for these categories and this is a point which you definately cannot do by yourself.

(Of course there are also other possibilities for "url filtering" for example DNS based, but this never gives you the control as you have it with actual http based url filtering)

Re: URL filtering

jdprovine — Thu, 13 Jul 2017 19:26:52 GMT

@Remo

But you know it might get very burdomson to manage if I start trying manually add url's, people may request them to be blocked frequently

Re: URL filtering

Remo — Thu, 13 Jul 2017 19:45:46 GMT

With EDLs this task is pretty easy to manage.

And for websites in the wrong category our users simply have to wait until PaloAlto moves them to the right category (this process is at least much faster than with brightcloud) ... there still will be urgent requests but we did not have much of them in the past

Re: URL filtering

jdprovine — Thu, 13 Jul 2017 20:13:57 GMT

@Remo

when you are talking about EDL - External dynamic lists correct you mean ,list like MISP, emerging threat etc

Re: URL filtering

Remo — Thu, 13 Jul 2017 20:37:23 GMT

Exactly I meant external dynamic lists ... such a list you can also use for the allow/block request from your users. Simply place it on an internal webserver where you can edit the file easily (with ftps, scp, smb) and a few minutes later (depending on how often you configure the sync) the website is allowed/blocked ondm your or (this is an even greater advantage) on all the firewalls you manage

Re: URL filtering

jdprovine — Thu, 13 Jul 2017 21:04:25 GMT

@Remo

Yes we have two or three of them and are using them as you and @BPry have suggested but I got a request to create a block for a specific URL that he couldn't find in one of the EDL lists that we have. It is possible of the other lists may have that url is there anyway to check on the PA

Re: URL filtering

BPry — Thu, 13 Jul 2017 21:15:47 GMT

@jdprovine,

Sure run the following in the CLI after you have modified it to match what you are looking for;

'request system external-list show type url name name'

You can then check against your EDLs easy enough. Sadly I don't believe there is a way to '| match' on this request.

Re: URL filtering

jdprovine — Thu, 13 Jul 2017 21:20:55 GMT

@BPry

Awesome I will check my other EDL lists

So what do you think about creating a rule/profile for just one URL

Re: URL filtering

BPry — Thu, 13 Jul 2017 22:38:05 GMT

@jdprovine,

Depending on why the URL is needing to be blocked then yes. Generally though I would say that you should configure controllable EBLs, one for IP addresses and one for URLs, and then set them to auto-update at a resonable rate. This allows you to quickly deal with any issues like this and you don't really have to worry about them potentially not being on an EBL that you don't control.

Re: URL filtering

jdprovine — Fri, 14 Jul 2017 13:15:12 GMT

@BPry

We have had those kinds of lists set up for quite awhile but one of my coworker got an alert from bitsight about this URL

With this IP address 195.38.137.100and URL update.newinfoclientstack.com that is not in any of the EDL list that we currently have set up and asked if I could create a block list for that specific IP address. My first thought is that if I do it once I will start get a lot of requests for individual addresses. So I was looking for away to avoid that