topic Allow only MS Intune and Windows Update - block all internet access in General Topics

Allow only MS Intune and Windows Update - block all internet access

kams19 — Thu, 13 Aug 2020 11:41:00 GMT

HI,

I am after permitting only MS Intune and Windows Update - block all internet access.

I have followed the custom URL filtering as mentioned in the link below:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRfCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Created the custom url filter:

then created a policy allowing - web-browsing, ssl and ms-update

selected correct URL-category::

Time to Test: destination IP is for portal.manage.microsoft.com and it hits the correct policy

but when I try with google.com IP address, that also hits the same policy

From the above it seems that google.com will also be allowed?

I dont have an actual host to test the same, hence tested it from the Troubleshooting section of the firewall.

To me it seems that the firewall is permitting any url being accessed over ssl, and ignoring the URL category.

The main reason for using custom URL filter is that I want to use wildcard FQDN.

Can someone suggest why the URL filtering is not taking effect.

Thanks.

Re: Allow only MS Intune and Windows Update - block all internet access

Remo — Thu, 13 Aug 2020 14:28:44 GMT

Hi @kams19

With that rule theoreticaĺly every IP will match. Because of that you also configured the custom URL category. So when a host tries to connect to google.com, the tcp handshake will succed, but in the TLS handshake, the firewaĺl will see the hostname and from that point on the connection will no longer match your windows update rule and it will be dropped (except if you have some more rules that could match for that connection). In the policy match test, if you choose also the URL category, then the result will show what you actually expected.

Re: Allow only MS Intune and Windows Update - block all internet access

kams19 — Thu, 13 Aug 2020 14:39:42 GMT

HI @Remo, Thanks for your reply, now I understand the logic behind this. I did select the URL category as you mentioned but I am getting this error now:

Any idea why this should happen?

Re: Allow only MS Intune and Windows Update - block all internet access

Remo — Thu, 13 Aug 2020 15:28:30 GMT

@kams19 it looks like this is a bug. Only the paloalto url categories work and every custom url category leads to this error. I tested with PAN-OS 10.

Re: Allow only MS Intune and Windows Update - block all internet access

kams19 — Thu, 13 Aug 2020 15:51:49 GMT

@Remo

For CLI, PA has mentioned the workaround as per https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjeCAG

But that is assuming multi vsys config. My case is single vsys and single virtual router. There is no option on GUI to select vsys and VR.

I believe tomorrow I should have someone on site and I will ask them to connect their laptop to verify this.

Re: Allow only MS Intune and Windows Update - block all internet access

Remo — Thu, 13 Aug 2020 16:28:18 GMT

Hi @kams19

Thanks for bringing this to my attention. With this I tried again. So if you manually add "vsys1+" in front of the URL category name, the test works and no longer shows an error. I also tested on a firewall with a single vsys - so there is only vsys1.

Re: Allow only MS Intune and Windows Update - block all internet access

kams19 — Thu, 13 Aug 2020 16:34:13 GMT

@Remo

I dont have ssh connection to the firewall at the moment, trying to get my local laptop firewall sorted.

I dont think there is a way this can be done from GUI?

Re: Allow only MS Intune and Windows Update - block all internet access

Remo — Thu, 13 Aug 2020 16:50:22 GMT

What I meant was that you should add "vsys1+" in the GUI. At least in my case it was working in CLI and WebUI.

Re: Allow only MS Intune and Windows Update - block all internet access

kams19 — Thu, 13 Aug 2020 17:31:26 GMT

@Remo

ok got it working on the Troubleshooting section-

will see how the policy is applied in action tomorrow and update