Can PAN support inbound traffic filtering based on URI?

L0 Member

Can PAN support inbound traffic filtering based on URI?

Environment:

- There is a web server that resides on DMZA. Two application URIs, www.url.com/service_1 and www.url.com/service_2, have been configured on this web server.

- The DMZA is protected by PAN in vwire mode.

Can PAN fulfill the following requirement? If yes, could you please let me know the configuration?

- www.url.com/service_1 can be accessed from the Internet without limitation.

- www.url.com/service_2 can only be accessed from the Internet if the source IP is x.x.x.x

Thanks a lot.

L5 Sessionator

Re: Can PAN support inbound traffic filtering based on URI?

Hello John,

You can create a Custom-Application based on the URI path.

Here is a document explaining things.

https://live.paloaltonetworks.com/docs/DOC-2015

-Ameya

L6 Presenter

Re: Can PAN support inbound traffic filtering based on URI?

If I'm not mistaken you can do this in 3 different ways in a PA device:

1) Setup a custom URL-category which you attach to each rule (rule1 will allow srcip:any to access service1 and rule2 will only allow srcip:x.x.x.x to access service2).

2) Setup a custom APP-ID that will be identified when each service url is being used.

3) Setup a custom IPS signature to trigger if the request doesn't match, and use this custom IPS signature only for the two rules above.

You could of course also combine the methods mentioned above.

The good part with using method 2 above (as an example) is that your reports will have these requests as their own line (appid:service1 and appid:service2) - the bad part is that you probably have other files on your webserver which each service will use (let's say background pictures or such using /pics as uri or so) and in those cases you will need to look at several appids to find out for example how much traffic each service uses.
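The two-rule layout from method 1, as an added example that is not part of the original posts and is not PAN-OS configuration: a vendor-neutral Python model of first-match evaluation that can be used to check the intended outcomes before building the rules. The source address 203.0.113.10 stands in for x.x.x.x, and the path normalization and final default deny are assumptions of this model, not statements about the firewall.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed stand-in for the thread's x.x.x.x (documentation address range).
ALLOWED_SRC = ipaddress.ip_network("203.0.113.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rulebase: (name, source network, host, path prefix, action).
RULES = [
    ("rule1", ANY, "www.url.com", "/service_1", "allow"),
    ("rule2", ALLOWED_SRC, "www.url.com", "/service_2", "allow"),
]


def in_category(url, host, prefix):
    """True if url is on host and its normalized path is prefix or below it."""
    parts = urlsplit(url if "//" in url else "//" + url)
    # Assumption: dot segments are collapsed before matching, so
    # /service_1/../service_2 is judged as /service_2.
    path = posixpath.normpath(parts.path or "/")
    same_host = (parts.hostname or "").lower() == host
    # Match on a segment boundary so /service_10 is not taken for /service_1.
    return same_host and (path == prefix or path.startswith(prefix + "/"))


def evaluate(src_ip, url):
    """Return (rule name, action) of the first matching rule, else default deny."""
    src = ipaddress.ip_address(src_ip)
    for name, net, host, prefix, action in RULES:
        if src in net and in_category(url, host, prefix):
            return name, action
    return "default", "deny"


if __name__ == "__main__":
    # Constructed sample requests: (source IP, requested URL).
    samples = [
        ("198.51.100.7", "www.url.com/service_1"),
        ("198.51.100.7", "www.url.com/service_2"),
        ("203.0.113.10", "www.url.com/service_2/index.html"),
        ("203.0.113.10", "www.url.com/pics/bg.png"),
    ]
    for src, url in samples:
        print(src, url, evaluate(src, url))
```

In this model the shared /pics path mentioned in the post matches neither rule and is denied, so shared resources need their own category or rule.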
