https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253322#M71952 <P>We unfortunately use a smtp server with fqdn. (cannot use fqdn object for certain reasons)</P><P>And we implemented a security policy with the url category in the "Service/URL Category" section of the security policy.</P><P>In the security policy, the application allowed is smtp and port allowed is 25.</P><P>When we test, the connection does not match this rule at all. We are making sure that indeed the application tirggered is smtp on port 25.</P><P>&nbsp;</P><P>So is URL Category in Security Policy only applied when the application is web-browsing/ssl and port is 80/443 ?</P><P>&nbsp;</P><P>BR,</P><P>RJ</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 12:46:23 GMT rjdahav163 2019-03-12T12:46:23Z https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253322#M71952 <P>We unfortunately use a smtp server with fqdn. (cannot use fqdn object for certain reasons)</P><P>And we implemented a security policy with the url category in the "Service/URL Category" section of the security policy.</P><P>In the security policy, the application allowed is smtp and port allowed is 25.</P><P>When we test, the connection does not match this rule at all. We are making sure that indeed the application tirggered is smtp on port 25.</P><P>&nbsp;</P><P>So is URL Category in Security Policy only applied when the application is web-browsing/ssl and port is 80/443 ?</P><P>&nbsp;</P><P>BR,</P><P>RJ</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 12:46:23 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253322#M71952 rjdahav163 2019-03-12T12:46:23Z https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253330#M71953 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44973">@rjdahav163</a> ,</P> <P>&nbsp;</P> <P>Any application with a dependency on web-browsing.</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 12 Mar 2019 13:15:07 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253330#M71953 kiwi 2019-03-12T13:15:07Z https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253337#M71955 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P><P>&nbsp;</P><P>Thanks for the quick reply! But then how to solve the issue:</P><P>We want to allow smtp on port 25 only as application and destination is a url category, attached in "service/url category" of a security policy. (We are not using fqdn object because the refresh time can be minimum only 10 minutes and the server changes the ip more frequently)</P><P>&nbsp;</P><P>So any suggestions?</P><P>&nbsp;</P><P>BR,</P><P>RJ</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 13:46:53 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253337#M71955 rjdahav163 2019-03-12T13:46:53Z https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253339#M71957 <P>to answer your first question "<SPAN>So is URL Category in Security Policy only applied when the application is web-browsing/ssl and port is 80/443 ?" i believe the answer is no.&nbsp; the url category can match on any port or application.</SPAN></P><P>&nbsp;</P><P>as for a possible solution to the problem;&nbsp; have you tried using a seperate security profile with a custom url-filtering profile that allows the category?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 14:53:48 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253339#M71957 BetterGriffin 2019-03-12T14:53:48Z https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253374#M71962 <P>If you cannot use the fqdn, I would create an address group with all the possible IP's the fqdn resolves to and use that as the destination.</P><P>(If it changes so rapidly, I presume it's for load balancing and the number of IP's will be limited...)</P> Tue, 12 Mar 2019 17:09:42 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253374#M71962 CHKlomp 2019-03-12T17:09:42Z https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253519#M71975 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;wrote:<BR /><P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44973">@rjdahav163</a> ,</P><P>&nbsp;</P><P>Any application with a dependency on web-browsing.</P><P>&nbsp;</P><P>Cheers !</P><P>-Kiwi.</P><DIV>&nbsp;</DIV><HR /></BLOCKQUOTE><P>May I add that you can use URL categories not only for web-browsing dependent applications. Actually also for almost every TLS encrypted connection like SMTPs. So if your connection is encrypted the solution with an URL category probably works as the firewalls also checks for hostnames in the SNI extension and also the CN of a certificate in a TLS connection.</P> Tue, 12 Mar 2019 22:08:27 GMT https://live.paloaltonetworks.com/t5/general-topics/url-category-in-security-policy-only-for-http/m-p/253519#M71975 Remo 2019-03-12T22:08:27Z