Community Blog

Announcements
Customer Notice: Panorama Certificate Expiration on June 16 2017.  Read More >

DotW: URL Categories - match different categories

by on ‎03-20-2017 12:55 PM - last edited 4 weeks ago (234 Views)

This week's Discussion of the Week covers URL categories and what to do when a single URL returns more than 1 URL category.

 

User TRIsec posted the following in the General Topics area:

[Screenshot of the original post: 2017-03-20_mult-url-cat1.png]

Here is a link to the discussion, if interested:

URL Categories - match different categories

 

User TRIsec was trying to use URL Categories to block or allow sites, and when it came to a URL that returned multiple categories, the user was unable to determine how to use both of those categories to either block or allow this site. This issue was happening when TRIsec used BrightCloud to determine the URL categories.

 

Ironically enough, the URL that was being asked about was www.paloaltonetworks.com.

I will show you how to look up and verify this information, so that if this happens you will know exactly what to do to either block or allow the site.

 

I will start off with the URL in question, which is again www.paloaltonetworks.com.

You can start by testing the site with either BrightCloud or PAN-DB, depending on which URL categorization you use with Palo Alto Networks devices.

 

If you are using BrightCloud, you can go to the following URL to check a URL for its categories:

http://www.brightcloud.com/tools/url-ip-lookup.php

 

BrightCloud returns 2 URL categories for www.paloaltonetworks.com:

  • Computer and Internet Security
  • Business and Economy

Here is a screenshot from BrightCloud showing this:

[Screenshot: BrightCloud site showing 2 different URL categories.]

If you are using PAN-DB, you can go to the following URL to check a URL for its categories:

https://urlfiltering.paloaltonetworks.com/testasite

 

PAN-DB shows only 1 URL category - Computer and Internet Info

 

Here is a screenshot of the Palo Alto Networks site showing the URL category:

[Screenshot: Palo Alto Networks' Test A Site showing the URL category.]

So, this only appears to be an issue when using BrightCloud.

 

So if more than 1 URL category shows up when testing a site, what should you do next?

You have 2 options for verifying this information on the Palo Alto Networks device.

 

The first is to use the WebGUI and look inside the URL logs, found under Monitor > URL Filtering. There, we recommend that you look for the traffic in question and see what the Category is listed as:

[Screenshot: Palo Alto Networks' Test A Site showing the URL category.]

The second way you can verify this is by using the CLI with the "test url" command:

 

> test url www.paloaltonetworks.com
www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 93000 seconds

 

The solution to this issue is to notice that even though BrightCloud is showing 2 URL categories, Palo Alto Networks is only using 1, which is Computer-and-Internet-info.

By verifying this information against the URL category that the Palo Alto Networks device is showing, you can determine which URL category you need to use to block or allow those sites.
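
As an added example (not part of the original post and not Palo Alto Networks code), the Python script below parses pasted "test url" output in the format shown above and reports whether a rule's categories are the ones the device actually returns. The function names and the rule lists are hypothetical, and it assumes display names map to device names by lowercasing and hyphenating, as the PAN-DB name above does.

```python
import re

# One result line in the format shown above:
# "<url> <category> (<db label>) expires in <n> seconds"
RESULT_RE = re.compile(
    r"^(?P<url>\S+)\s+(?P<category>[a-z0-9-]+)\s+\((?P<db>[^)]+)\)"
    r"\s+expires in (?P<ttl>\d+) seconds$"
)

def parse_test_url(output):
    """Return {url: category} from pasted 'test url' output; other lines are skipped."""
    found = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            found[m.group("url")] = m.group("category")
    return found

def slug(name):
    """Assumed mapping: 'Computer and Internet Info' -> 'computer-and-internet-info'."""
    return "-".join(name.lower().split())

def check_rule(device, lookup, rule_categories):
    """Per URL: does the rule match the device's category, and which rule
    categories came only from the lookup site and so will not match this URL?"""
    wanted = {slug(c) for c in rule_categories}
    report = {}
    for url, device_cat in device.items():
        seen_on_lookup = {slug(c) for c in lookup.get(url, [])}
        report[url] = {
            "device_category": device_cat,
            "rule_matches": device_cat in wanted,
            "lookup_only": sorted((wanted & seen_on_lookup) - {device_cat}),
        }
    return report

# CLI output and lookup results as given in the post; the rule lists are hypothetical.
CLI_OUTPUT = """> test url www.paloaltonetworks.com
www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 93000 seconds
"""
LOOKUP = {"www.paloaltonetworks.com":
          ["Computer and Internet Security", "Business and Economy"]}

if __name__ == "__main__":
    device = parse_test_url(CLI_OUTPUT)
    for rule in (["Business and Economy"], ["Computer and Internet Info"]):
        print(rule, check_rule(device, LOOKUP, rule))
```

A rule built on "Business and Economy" is reported as not matching, with that category listed under lookup_only, while a rule built on the device's own category matches.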

 

I hope this has helped you today.

 

As always, we welcome all feedback and comments below.

 

Thanks for reading,

Stay Secure,

Joe Delio
