https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254476#M72222 <P>Thank you for the explanation Bpry.</P><P>Is there any scenraio where you would right a URL rule like&nbsp;</P><P>&nbsp;</P><P>Both in Allow rule,</P><P>&nbsp;</P><P>sega.com&nbsp;</P><P>*.sega.com/*. &nbsp; "This statement includes the First URL right, correct me If I am wrong.</P><P>&nbsp;</P><P>Thank you</P> Thu, 21 Mar 2019 04:26:25 GMT amocherla 2019-03-21T04:26:25Z https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254433#M72214 <P>I found this article on URL filtering.</P><P>My question is how is *.baidu.com not allowing mp3.baidu.com or news.baidu.com as well</P><P>What does *. signify or equate to this scenario.</P><P>&nbsp;</P><P>ALso is there is any need or scenario in which we would need to add&nbsp;</P><P><A href="http://www.baidu.com" target="_blank" rel="noopener">www.baidu.com</A></P><P>*.baidu.com as rules in Custom URL category.</P><P>&nbsp;</P><P>Any Help would be appreciated.</P><P>&nbsp;</P><P>&nbsp;</P><P>HOW TO ALLOW ONE URL AND BLOCK OTHER ASSOCIATED URLS</P><DIV><SPAN>11171</SPAN></DIV><DIV><SPAN class="synopsis-grey">Created On&nbsp;02/07/19 23:48 PM - Last Updated&nbsp;02/07/19 23:48 PM</SPAN></DIV><DIV class="topics"><STRONG><SPAN class="slds-badge">URL FILTERING</SPAN></STRONG></DIV><P><SPAN>Resolution<BR /></SPAN></P><P>&nbsp;</P><P>Overview</P><P>This describes how to allow a single URL and block other associated URLs. In this example <A href="http://www.baidu.com" target="_blank" rel="noopener">www.baidu.com</A> will be allowed but mp3.baidu.com and news.baidu.com will be blocked.</P><P>&nbsp;</P><P>Steps</P><P><SPAN>Use one of the following two configuration options.</SPAN></P><P><SPAN><STRONG>Option 1: Use URL Category</STRONG></SPAN></P><OL><LI>Go to Objects &gt; Custom URL Category, and create a category called "Baidu," for example. Add "*.baidu.com" to the category.</LI><LI>Go to Objects &gt; Custom URL Category, and create a category called "Everything," for example. Add "*" to the category. This will cover all URLs.</LI><LI>Add a security policy that permits from any to any.</LI><LI>Under Service/URL Category, add the category "Baidu."</LI><LI>Add another security policy that blocks from any to any. Under Service/URL Category add the category "Everything."<BR />The first rule should permit access to *.baidu.com, while the second rule should act as a catch-all rule that blocks access to all URLs.</LI></OL><P>&nbsp;</P><P><STRONG>Option 2: Use URL filtering</STRONG></P><OL><LI>Go to Objects &gt; Custom URL Category, and create a category called "Baidu" for example. Add "*.baidu.com" to the category.</LI><LI>Go to Objects &gt; URL Filtering, and create a url filtering profile called "Baidu-URL."</LI><LI>Select the category "Baidu" to allow and the rest of the categories to block. This will block all URLs except <A href="http://www.baidu.com" target="_blank" rel="noopener">www.baidu.com</A>.</LI><LI>Add a security policy that permits from any to any. Under Actions &gt; Profile Setting &gt; Profile Type &lt;select profiles&gt;, select the url filtering profile "Baidu-URL."<BR /><STRONG>Note:</STRONG> This rule should only permit access to *.baidu.com.</LI></OL><P>&nbsp;</P><P>owner:&nbsp; bpappas</P> Wed, 20 Mar 2019 20:28:20 GMT https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254433#M72214 amocherla 2019-03-20T20:28:20Z https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254445#M72217 <P>Hello,</P><P>Looks like a typo in the document.&nbsp;<SPAN>*.baidu.com would allow mp3.baidu.com or news.baidu.com.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Good catch!</SPAN></P> Wed, 20 Mar 2019 21:01:45 GMT https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254445#M72217 OtakarKlier 2019-03-20T21:01:45Z https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254452#M72218 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109271">@amocherla</a>,</P><P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;mentioned the document is wrong. *.baidu.com would still allow&nbsp;<EM>anything</EM>.baidu.com. You can however do this easily enough, you simply need to keep in mind the order of the firewall processes the request:</P><P>&nbsp;</P><P><STRONG>URL Filtering</STRONG></P><P>1) Block List</P><P>2) Allow List</P><P>3) Custom Categories</P><P>4) Cache</P><P>5) Pre-Defined Categories</P><P>&nbsp;</P><P><STRONG>URL Categorie Actions:</STRONG></P><P><STRONG>1) Block</STRONG></P><P><STRONG>2) Override</STRONG></P><P><STRONG>3) Continue</STRONG></P><P><STRONG>4) Alert</STRONG></P><P><STRONG>5) Allow</STRONG></P><P>&nbsp;</P><P>I think this is what the article was trying to get at; one thing to keep in mind with the knowledgebase is that any Palo employee can make an entry, so they aren't always actually&nbsp;<EM><STRONG>right</STRONG></EM><EM>.&nbsp;</EM></P> Wed, 20 Mar 2019 23:11:32 GMT https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254452#M72218 BPry 2019-03-20T23:11:32Z https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254476#M72222 <P>Thank you for the explanation Bpry.</P><P>Is there any scenraio where you would right a URL rule like&nbsp;</P><P>&nbsp;</P><P>Both in Allow rule,</P><P>&nbsp;</P><P>sega.com&nbsp;</P><P>*.sega.com/*. &nbsp; "This statement includes the First URL right, correct me If I am wrong.</P><P>&nbsp;</P><P>Thank you</P> Thu, 21 Mar 2019 04:26:25 GMT https://live.paloaltonetworks.com/t5/general-topics/query-on-url-filtering/m-p/254476#M72222 amocherla 2019-03-21T04:26:25Z