https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350774#M87000 <P>HI,</P><P>&nbsp;</P><P>I Have created custom URL category e.g&nbsp; category name (*.xyz.com) Now I want to create inbound rule like below.</P><P>&nbsp;</P><P>Source zone :- Internet&nbsp;</P><P>Destination Zone :- LAN</P><P>Destination IP :- Any</P><P>Port :- 389 , 4172</P><P>URL Categary :- 'Custome category'</P><P>Security Profile : Any</P><P>&nbsp;</P><P>My doubt is will this work on port 389 and 4172 port or this will work only on http and https port</P><P>&nbsp;</P><P>Thanks</P><P>Dhananjay Bhakte</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 21 Sep 2020 06:15:36 GMT DhananjayBhakte 2020-09-21T06:15:36Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350774#M87000 <P>HI,</P><P>&nbsp;</P><P>I Have created custom URL category e.g&nbsp; category name (*.xyz.com) Now I want to create inbound rule like below.</P><P>&nbsp;</P><P>Source zone :- Internet&nbsp;</P><P>Destination Zone :- LAN</P><P>Destination IP :- Any</P><P>Port :- 389 , 4172</P><P>URL Categary :- 'Custome category'</P><P>Security Profile : Any</P><P>&nbsp;</P><P>My doubt is will this work on port 389 and 4172 port or this will work only on http and https port</P><P>&nbsp;</P><P>Thanks</P><P>Dhananjay Bhakte</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 21 Sep 2020 06:15:36 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350774#M87000 DhananjayBhakte 2020-09-21T06:15:36Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350795#M87005 <P>Hey,</P><P>&nbsp;</P><P>could you please clarify what you are trying to achieve here? The application and the service are independend of each other. You can easily create a rule allowing SSL and Web-Browsing on port 389 and 4172.</P> Mon, 21 Sep 2020 07:58:29 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350795#M87005 Rene_Boehme 2020-09-21T07:58:29Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350797#M87007 <P>HI Rene,</P><P>&nbsp;</P><P>I have requirement from customer to open port 389 and 4172 for eg *.xyz domain.</P><P>So I created custom category *.xyz.com and have to create rule by calling this category into rule and will allow only 389 and 4172 ports.</P><P>As far my understanding url category work only for ssl and web-browsing traffic, so just wanted to know if I keep url category in rule for port port 389 and 4172 will that rule work?</P><P>&nbsp;</P><P>Thanks</P><P>Dhananjay</P> Mon, 21 Sep 2020 08:42:42 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350797#M87007 DhananjayBhakte 2020-09-21T08:42:42Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350798#M87008 <P>Hi,</P><P>&nbsp;</P><P>ok now I got you. So you are correct URL filtering is working with http/https only. Futhermore it is kind of uncommon to have URL filtering active in inwards direction. So I saw the request for port 389 which is basically LDAP, dont know for 4172. However please make yourself familiar with the conecpt of an "application firewall" - we do not open ports anymore. But in term of customers request you are right, this is not going to work.</P> Mon, 21 Sep 2020 08:48:44 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350798#M87008 Rene_Boehme 2020-09-21T08:48:44Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350817#M87010 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/129413">@DhananjayBhakte</a>&nbsp;,</P><P>&nbsp;</P><P>It sounds like you need FQDN not URL.&nbsp;</P><P>You can use FQDN object as source or destination address in the policy. Firewall will query the DNS server and use this fqdn to resolve it to IP address. The received IP will be cached for configured amount of time (probably 30min was the default, but not sure).&nbsp;</P><P>Given the port from your description it sound be more reasonable to use FQDN instead of URL filtering.&nbsp;</P><P>&nbsp;</P><P>To be more precise URL custom category&nbsp; will work with web-based application. If you think for a bit it is logical - firewall needs to know which part of the traffic is the URL, so it doesn't matter what port you are using</P> Mon, 21 Sep 2020 10:49:11 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350817#M87010 aleksandar.astardzhiev 2020-09-21T10:49:11Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350849#M87012 <P>HI Alexzandar,</P><P>&nbsp;</P><P>Traffic is not URL traffic and its application is not applicable.&nbsp;</P><P>For known fqdn e.g abc.xyz.com it is possible to write rule however fqdn is not fixed, customer says fqdn will change every time but domain (xyz.com) would be fixed, So my query is Can I allow wildcast *.xyz.com instead of single fqdn in security policy using custom url category for custom ports.?</P><P>&nbsp;</P><P>Thanks</P><P>Dhananjay Bhakte</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 21 Sep 2020 12:50:00 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/350849#M87012 DhananjayBhakte 2020-09-21T12:50:00Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/352051#M87126 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/129413">@DhananjayBhakte</a>&nbsp;wrote:<BR /><P>HI <A title="tellthebell" href="https://www.tellthebell.one/" target="_blank" rel="noopener">tellthebell</A></P><P>&nbsp;</P><P>Traffic is not URL traffic and its application is not applicable.&nbsp;</P><P>For known fqdn e.g abc.xyz.com it is possible to write rule however fqdn is not fixed, customer says fqdn will change every time but domain (xyz.com) would be fixed, So my query is Can I allow wildcast *.xyz.com instead of single fqdn in security policy using custom url category for custom ports.?</P><P>&nbsp;</P><P>Thanks</P><P>Dhananjay Bhakte</P><HR /></BLOCKQUOTE><P>You can use FQDN object as source or destination address in the policy. Firewall will query the DNS server and use this fqdn to resolve it to IP address. The received IP will be cached for configured amount of time (probably 30min was the default, but not sure).&nbsp;</P><P>Given the port from your description it sound be more reasonable to use FQDN instead of URL filtering.&nbsp;</P> Mon, 28 Sep 2020 04:07:44 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/352051#M87126 couvertjy 2020-09-28T04:07:44Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/352982#M87261 <P>HI Couvertjy,</P><P>&nbsp;</P><P>Now I allow policy as below,</P><P>Source Zone :- Internet</P><P>Source IP address:-&nbsp; x.x.x.x</P><P>Destination Zone :- Lan</P><P>Destination IP address:- Any</P><P><STRONG>Custom URL Categary :- *.xyz.com</STRONG></P><P>Port :389 and 8759</P><P>Action : Allow</P><P>&nbsp;</P><P>It is working, but my question is still there as *.xyz.com is hosted on internet so how can firewall allowing&nbsp; xyz.com fqdn to access ports on Lan zone through Custom URL category?. So here URL category is acting as source IP . So is it possible that custom url category can act as source or destination IP.</P><P>&nbsp;</P><P>Thanks</P><P>Dhananjay Bhakte</P> Wed, 30 Sep 2020 13:43:45 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/352982#M87261 DhananjayBhakte 2020-09-30T13:43:45Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/352983#M87262 <P>let me correct my below comment</P><P>&nbsp;</P><P>Source IP also any&nbsp;</P><P>&nbsp;</P><P>Source Zone :- Internet</P><P>Source IP address:-&nbsp; any</P><P>Destination Zone :- Lan</P><P>Destination IP address:- Any</P><P><STRONG>Custom URL Categary :- *.xyz.com</STRONG></P><P>Port :389 and 8759</P><P>Action : Allow</P> Wed, 30 Sep 2020 13:46:00 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/352983#M87262 DhananjayBhakte 2020-09-30T13:46:00Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/423405#M94158 <P>HI,</P><P>&nbsp;</P><P>In addition to above query, I got new requirement from customer as below</P><P>&nbsp;</P><P>Source Zone : trust</P><P>Source user :- abc</P><P>Destination Zone :- Untrust(internet)</P><P>Destination :-&nbsp; *.ncra.tifr.res.in</P><P>Port : 22</P><P>Application: SSH</P><P>&nbsp;</P><P>So to achieve above requirement&nbsp; , I have created custom url category as *.ncra.tifr.res.in and created rule as below.</P><P>&nbsp;</P><P>Policy :--</P><P>&nbsp;</P><P>Source Zone : trust</P><P>Source user :- abc</P><P>Destination Zone :- Untrust(internet)</P><P>Destination :-&nbsp; any</P><P>Port : 22</P><P>url category :- *.&nbsp;ncra.tifr.res.in</P><P>Application: SSH</P><P>Profile :- None</P><P>Action :- Allow</P><P>&nbsp;</P><P>However it is not working.</P><P>Note :- Customer&nbsp; dont have fqdn he provided *.ncra.tifr.res.in</P><P>&nbsp;</P><P>So I wanted to know that&nbsp; *.ncra.tifr.res.in custom category not work for application other than web browsing and ssl?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>Dhananjay</P> Fri, 30 Jul 2021 13:13:16 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/423405#M94158 DhananjayBhakte 2021-07-30T13:13:16Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/423542#M94183 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/129413">@DhananjayBhakte</a>&nbsp;</P><P>Custom URL categories only work for http and TLS traffic - not only for apps web-browsing and ssl as there are quite a few more that are based on http/tls traffic - but at least for ssh you cannot use a custom URL category.&nbsp;</P> Fri, 30 Jul 2021 19:33:45 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/423542#M94183 Remo 2021-07-30T19:33:45Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/423714#M94203 <P>Thanks Cyber Elite I Got it now......... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Mon, 02 Aug 2021 03:48:53 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/423714#M94203 DhananjayBhakte 2021-08-02T03:48:53Z https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/1243710#M125681 <P>so, what is the solution to define a policy for wildcard domain not fqdn on ports other than https?</P> <P>&nbsp;</P> <P>something like this:</P> <P>-----------------------------</P> <P>Source Zone : trust</P> <P>Source user :- abc</P> <P>Destination Zone :- Untrust(internet)</P> <P>Destination :-&nbsp; *.&nbsp;ncra.tifr.res.in</P> <P>Port : 389,636</P> <P>Profile :- None</P> <P>Action :- Allow</P> Thu, 11 Dec 2025 12:39:22 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/m-p/1243710#M125681 S.Kaleem 2025-12-11T12:39:22Z