<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: EDL blocking URL in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429420#M94902</link>
    <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;Yes, this is related to SSL decryption. The firewall can see the HTTPS connection from client to server and detect the server address via certificate CN or SNI values, and these do not yet contain the URI part. A few packets later, when the TLS session is set up, the GET request will be sent with the URI - and this you'll only be able to see if you do decryption.&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;Shai&lt;/P&gt;</description>
    <pubDate>Thu, 26 Aug 2021 12:16:14 GMT</pubDate>
    <dc:creator>ShaiW</dc:creator>
    <dc:date>2021-08-26T12:16:14Z</dc:date>
    <item>
      <title>EDL blocking URL</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429387#M94900</link>
      <description>&lt;P&gt;We have a feed for EDL in Palo Alto. We realised that when we add this URL (&lt;A href="https://unrealengine.com" target="_blank"&gt;https://unrealengine.com&lt;/A&gt;), this website is blocked properly, but not "&lt;A href="https://unrealengine.com/en-US/donwload" target="_blank"&gt;https://unrealengine.com/en-US/donwload&lt;/A&gt;".&lt;/P&gt;&lt;P&gt;For example, &lt;A href="http://www.unrealengine.com" target="_blank"&gt;www.unrealengine.com&lt;/A&gt;. The URL part does not block the URI part either; only if you add it as a domain (without the URI part) does it block effectively.&lt;/P&gt;&lt;P&gt;Could it be something related to HTTPS, with SSL decryption needed?&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 10:37:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429387#M94900</guid>
      <dc:creator>BigPalo</dc:creator>
      <dc:date>2021-08-26T10:37:07Z</dc:date>
    </item>
    <item>
      <title>Re: EDL blocking URL</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429420#M94902</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;Yes, this is related to SSL decryption. The firewall can see the HTTPS connection from client to server and detect the server address via certificate CN or SNI values, and these do not yet contain the URI part. A few packets later, when the TLS session is set up, the GET request will be sent with the URI - and this you'll only be able to see if you do decryption.&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;Shai&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 12:16:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429420#M94902</guid>
      <dc:creator>ShaiW</dc:creator>
      <dc:date>2021-08-26T12:16:14Z</dc:date>
    </item>
    <item>
      <title>Re: EDL blocking URL</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429429#M94903</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066"&gt;@BigPalo&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/36075"&gt;@ShaiW&lt;/a&gt; explained is correct, but it is only one part of your problem. I would say the main reason for your issues is how you have defined the URL in the EDL.&lt;/P&gt;&lt;P&gt;Let's break it into pieces:&lt;/P&gt;&lt;P&gt;- Your EDL contains only the domain "unrealengine.com", but this way any sub-domain will not match - this is not specific to PAN FWs, this is how domains and sub-domains work. If you want to block/allow URLs for the domain and any sub-domain, you need to have two entries - "unrealengine.com" and "*.unrealengine.com"&lt;/P&gt;&lt;P&gt;- As &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/36075"&gt;@ShaiW&lt;/a&gt; already explained, if you don't perform SSL decryption, the firewall will actually never see the full URL. So the URL filtering feature will use the SSL certificate to determine which URL you are trying to reach. And because the SSL contains only the hostname (not the full URL), you can only filter based on domains and sub-domains. So you can still apply URL filtering, but without complete control of the URI&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 12:55:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429429#M94903</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2021-08-26T12:55:37Z</dc:date>
    </item>
    <item>
      <title>Re: EDL blocking URL</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429485#M94908</link>
      <description>&lt;P&gt;To add to some of the URL Filtering wildcard behavior discussed above, please see previous posts like &lt;A href="https://live.paloaltonetworks.com/t5/general-topics/url-wildcard-pattern/td-p/136217" target="_self"&gt;this one&lt;/A&gt;.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Aug 2021 16:30:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/edl-blocking-url/m-p/429485#M94908</guid>
      <dc:creator>LAYER_8</dc:creator>
      <dc:date>2021-08-26T16:30:16Z</dc:date>
    </item>
  </channel>
</rss>

