<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Help with using URL Category as part of a rule. in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-using-url-category-as-part-of-a-rule/m-p/431192#M95066</link>
    <description>&lt;P&gt;I'm trying to change my rules for allowing outgoing SFTP connections from using IPs to using URLs, as more and more vendors are going to AWS and such, and locking into an IP address doesn't work.&amp;nbsp; I cloned my current working rule, which says server x.x.x.10 can connect to IPs z.z.z.1, z.z.z.2, etc. using the applications SSH and enhanced file transfer. I then got rid of the destination IPs, setting it to "Any", and added URL Category "SFTP Safe" under "Service/URL Category".&amp;nbsp; I made sure the URLs I needed to connect to were listed in the "SFTP Safe" URL Category. Committed, and when I test it passes right through that rule and hits my "Deny All" rule at the end. Yet if I adjust that same rule from "Allow" to "Deny" and run the test again, it is still denied, but when I look at the monitor it shows it is now denied by the new rule, as I would expect.&amp;nbsp; To test additionally, I set up a rule that denied web traffic to my URL Category "test", set it at the top of the rules and added cnn.com to that URL category. Bang, it worked, but when I set the rule to allow it will work, but when I check the monitor it shows my standard outgoing web traffic rule way down the stack is allowing it. Why does URL Filtering in a Policy only seem to work for a Deny?&lt;/P&gt;</description>
    <pubDate>Thu, 02 Sep 2021 19:56:01 GMT</pubDate>
    <dc:creator>Walt</dc:creator>
    <dc:date>2021-09-02T19:56:01Z</dc:date>
    <item>
      <title>Help with using URL Category as part of a rule.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-using-url-category-as-part-of-a-rule/m-p/431192#M95066</link>
      <description>&lt;P&gt;I'm trying to change my rules for allowing outgoing SFTP connections from using IPs to using URLs, as more and more vendors are going to AWS and such, and locking into an IP address doesn't work.&amp;nbsp; I cloned my current working rule, which says server x.x.x.10 can connect to IPs z.z.z.1, z.z.z.2, etc. using the applications SSH and enhanced file transfer. I then got rid of the destination IPs, setting it to "Any", and added URL Category "SFTP Safe" under "Service/URL Category".&amp;nbsp; I made sure the URLs I needed to connect to were listed in the "SFTP Safe" URL Category. Committed, and when I test it passes right through that rule and hits my "Deny All" rule at the end. Yet if I adjust that same rule from "Allow" to "Deny" and run the test again, it is still denied, but when I look at the monitor it shows it is now denied by the new rule, as I would expect.&amp;nbsp; To test additionally, I set up a rule that denied web traffic to my URL Category "test", set it at the top of the rules and added cnn.com to that URL category. Bang, it worked, but when I set the rule to allow it will work, but when I check the monitor it shows my standard outgoing web traffic rule way down the stack is allowing it. Why does URL Filtering in a Policy only seem to work for a Deny?&lt;/P&gt;</description>
      <pubDate>Thu, 02 Sep 2021 19:56:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-using-url-category-as-part-of-a-rule/m-p/431192#M95066</guid>
      <dc:creator>Walt</dc:creator>
      <dc:date>2021-09-02T19:56:01Z</dc:date>
    </item>
    <item>
      <title>Re: Help with using URL Category as part of a rule.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-using-url-category-as-part-of-a-rule/m-p/431546#M95099</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Are they URLs or just DNS names? Could you use DNS names as the destination address and SFTP as the application? I would try this way and make sure to put this policy above your general policy to make sure it gets hit. Watch the traffic logs and they will tell you where/if the traffic is getting blocked/denied on your side.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Fri, 03 Sep 2021 21:14:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-using-url-category-as-part-of-a-rule/m-p/431546#M95099</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2021-09-03T21:14:31Z</dc:date>
    </item>
    <item>
      <title>Re: Help with using URL Category as part of a rule.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-with-using-url-category-as-part-of-a-rule/m-p/431586#M95106</link>
      <description>&lt;P&gt;I can't find a PANW doc, but there are a few community posts which state that URL categories in the security policy only work with HTTP and HTTPS.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/td-p/350774" target="_blank" rel="noopener"&gt;https://live.paloaltonetworks.com/t5/general-topics/custom-url-category-with-non-http-and-https-port/td-p/350774&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/td-p/284726" target="_blank" rel="noopener"&gt;https://live.paloaltonetworks.com/t5/general-topics/security-policy-using-wildcard-destinations-and-non-http-https/td-p/284726&lt;/A&gt;&lt;/P&gt;&lt;P&gt;So, I think the issues stem from trying to apply URL filtering to SFTP.&amp;nbsp; SFTP is not FTP over TLS.&amp;nbsp; So, there will be no URL in the packet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On a related issue, "&lt;SPAN&gt;&lt;SPAN class="richTextArea slds-text-longform tile__title red-txt"&gt;On Palo Alto Networks devices, PAN-DB URL Filtering is applied on 2 major protocols: HTTP and HTTPS (SSL).&lt;/SPAN&gt;&lt;/SPAN&gt;" &lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRZCA0&lt;/A&gt;&lt;/P&gt;&lt;P&gt;At least that doc specifically states the required apps.&amp;nbsp; However, it is URL filtering in security profiles, not URL categories in the security policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You could try an address group of FQDN objects.&amp;nbsp; I think that is what &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580"&gt;@OtakarKlier&lt;/a&gt; meant.&amp;nbsp; Those will get resolved to IP addresses, but it should work.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 04 Sep 2021 03:53:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-with-using-url-category-as-part-of-a-rule/m-p/431586#M95106</guid>
      <dc:creator>TomYoung</dc:creator>
      <dc:date>2021-09-04T03:53:10Z</dc:date>
    </item>
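Why the allow rule in the thread never matches, as an added illustration that is not part of the thread and not PAN-OS code: a security rule keyed on a URL category can only match once the firewall has extracted a hostname from the session (the Host header of a plaintext HTTP request, or the server_name extension in a TLS ClientHello), and an SSH/SFTP session carries no such field, so there is nothing to compare against the category. An address group of FQDN objects sidesteps that because the firewall resolves the names itself and matches on the destination IP, which works for any protocol. The vendor hostnames, the 203.0.113.x and 198.51.100.x addresses, the resolver table and the three traffic samples below are all constructed for the example, and the two rule-matching functions are a simplified model of the decision, not the firewall's implementation.

```python
"""
Added illustration (not PAN-OS code, not from the thread): why a rule that
matches on a URL category cannot see an SFTP session, and how an address
group of FQDN objects matches the same destinations instead.  Hostnames,
IP addresses, the resolver table and the traffic samples are constructed.
"""
import struct


def http_host(payload):
    """Host header of a plaintext HTTP/1.x request, or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3 or not lines[0].endswith((b"HTTP/1.1", b"HTTP/1.0")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def tls_sni(payload):
    """server_name from a TLS ClientHello (RFC 6066 extension type 0), or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # handshake record, ClientHello
            return None
        p = 43                                            # past record hdr(5) + hs hdr(4) + version(2) + random(32)
        p += 1 + payload[p]                               # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher_suites
        p += 1 + payload[p]                               # compression_methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while end >= p + 4:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                # list_len(2) name_type(1) name_len(2) name
                nlen = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                                              # truncated or not a ClientHello
    return None


def observed_hostname(payload):
    """All a URL-category match has to work with: a hostname, or nothing."""
    return http_host(payload) or tls_sni(payload)


def build_client_hello(server_name):
    """Minimal ClientHello carrying only an SNI extension (constructed test input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed custom URL category and a constructed DNS view of the same vendors.
SFTP_SAFE_CATEGORY = {"sftp.vendor-a.example", "files.vendor-b.example"}
CONSTRUCTED_DNS = {
    "sftp.vendor-a.example": {"203.0.113.10", "203.0.113.11"},
    "files.vendor-b.example": {"198.51.100.7"},
}

# Constructed traffic samples: the first bytes the firewall sees from the client.
HTTPS_TO_VENDOR = build_client_hello("sftp.vendor-a.example")
HTTP_TO_CNN = b"GET / HTTP/1.1\r\nHost: www.cnn.com\r\n\r\n"
SSH_TO_VENDOR = b"SSH-2.0-OpenSSH_8.9\r\n"   # SFTP rides on SSH: no hostname on the wire


def url_category_rule_matches(payload, category):
    """Security rule with a URL category: needs a hostname taken from the payload."""
    host = observed_hostname(payload)
    return host is not None and host in category


def fqdn_group_rule_matches(dst_ip, fqdns, resolve=CONSTRUCTED_DNS.get):
    """Security rule with an address group of FQDN objects: the firewall resolves
    each name itself and matches the destination IP, so the protocol is irrelevant."""
    group = set()
    for fqdn in fqdns:
        group.update(resolve(fqdn) or ())
    return dst_ip in group


def compare_rules():
    """Match result of both rule styles for each constructed sample."""
    return {
        "https_url_category": url_category_rule_matches(HTTPS_TO_VENDOR, SFTP_SAFE_CATEGORY),
        "http_cnn_hostname": observed_hostname(HTTP_TO_CNN),
        "ssh_url_category": url_category_rule_matches(SSH_TO_VENDOR, SFTP_SAFE_CATEGORY),
        "ssh_fqdn_group": fqdn_group_rule_matches("203.0.113.10", SFTP_SAFE_CATEGORY),
    }
```

The HTTPS and HTTP samples yield a hostname and so can match a URL category; the SSH banner yields nothing, so a URL-category allow rule can never match the SFTP session, while the FQDN-group rule matches it on the resolved destination address. Two caveats carry over to the real firewall: the set of addresses behind an FQDN object is whatever the firewall's own resolver returned at its last refresh, so a vendor behind a load balancer with short TTLs can answer the client with an address the firewall has not yet learned, and the firewall and the SFTP server should therefore use the same DNS servers; and the traffic log remains the place to confirm which rule actually matched, as the replies above recommend.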
  </channel>
</rss>

