topic Re: Custom URL Category in General Topics

Custom URL Category

Mick_Ball — Thu, 03 Aug 2017 16:53:21 GMT

I have a test url category with only one url. i have applied this url category to a test policy, not using a profile but directly in the policy under "service/url category".

when i browse to the site it uses the correct policy to allow the request...

however... any other traffic that cannot be decrypted is showing in the traffic logs as url category "Any" and this is also allowed via my test policy.

am i missing something here?.....

Mick.

Re: Custom URL Category

Raido_Rattameister — Thu, 03 Aug 2017 17:39:09 GMT

If you don't decrypt traffic then HTTP GET goes inside encrypted payload and Palo identifies site based on name on the certificate. So check what name cert has on it.

Re: Custom URL Category

Mick_Ball — Thu, 03 Aug 2017 17:53:05 GMT

Raido, thanks for your reply. I was aware of non decrypted procedure on palo and can assure you that the cert name of these sites does not match the url in the custom category.

i cannot understand why firstly these allowed sites are catagorised as "url category ANY" and secondly why they are allowed through the policy where the url cat is "test" not "any".

mick.

Re: Custom URL Category

Remo — Thu, 03 Aug 2017 18:31:38 GMT

Additional information: rhe firewall does know the exact fqdn (in almost every case), because in the TLS hanshake there is the SNI attribute where the fqdn is sent in cleartext.

Re: Custom URL Category

gwesson — Thu, 03 Aug 2017 18:36:51 GMT

Check your traffic log to see if there's any actual bi-directional traffic hitting it. If there are only a few packets, it's not actually matching that policy in a real way.

When a TCP connection first starts out, the 3-way handshake can't have the concept of a URL category so that much is allowed on your test rule as it could belong to that custom category. Once the Client Hello (or whatever else the traffic is, like an HTTP GET or some other protocol entirely), then the firewall has enough information to know it doesn't belong to that custom category, marking the session as Discard.

Since the initial packets were allowed via your test rule, the firewall logs that as the rule.

Re: Custom URL Category

Mick_Ball — Thu, 03 Aug 2017 18:41:13 GMT

Gwesson, wow... Thanks.... Good point. I will check in the morning and update.

mick.

Re: Custom URL Category

Mick_Ball — Fri, 04 Aug 2017 09:07:47 GMT

Gwesson, thankyou for your time and explanation. you are correct in your explanation. I changed the logging to "session end" and now see no traffic passing through the test policy (of course it actually still is but only for the reason that you explained earlier).

I can't thank you enough.

Mick.

Re: Custom URL Category

Sec101 — Fri, 10 May 2019 18:54:45 GMT

Does this URL category (URL column and URL Profile) match initially on other rules as well, say for instance if you have a couple of rules that allow ssl/web browsing, and are being decrypted, and one has custom URL category column, and one has simply a profile?

Re: Custom URL Category

Remo — Sat, 11 May 2019 18:11:29 GMT

@Sec101

Traffic will always match only one rule. Even if there could be multiple matches, the first rule that matches will be applied. Only adding the URL category directly into the rule is a matching criteria, not the URL profile.

Re: Custom URL Category

MP18 — Sat, 11 May 2019 19:17:18 GMT

Great explanation!