Configuration Articles

Featured Article
Ever wonder how to globally block a list of URLs without using a URL Filtering profile on the rule? The problem with using a URL Filtering profile for that is that the rule it is attached to either blocks or allows the traffic outright, so none of the matching URL traffic is evaluated by the URL Filtering profiles on the rules that follow it.
04-26-2018 08:23 AM
Overview
This document describes the steps to install and activate PAN-DB for URL filtering.

Steps
The management interface is used to connect to the cloud, so make sure it has internet connectivity before you proceed.

1. License the device for PAN-DB and activate the license on the device: navigate to Device > Licenses and click "Retrieve license keys from license server" or "Activate feature using authorization code".
2. Download the URL database initial seed file optimized for your region: navigate to Device > Licenses and click Download under "Palo Alto Networks URL Filtering".
3. Once the seed file is downloaded, activate it. This applies PAN-DB and initiates a reset; as the note below explains, this is an auto-commit, not a device reboot.

Note: Before clicking Activate, make sure any unsaved changes to the device configuration are committed, so that pending changes are not lost.

As part of the activation, PAN-OS also automatically migrates any existing URL filtering profiles to the PAN-DB categories. This is done with an auto-commit in the background; no device reboot is required. As always, save your configuration before making changes, and review the URL filtering profiles afterwards to verify that the policy still does what you intend.

Both the download and the activation are recorded in the system log.

Useful CLI commands:
  > show system setting url-database
  > request url-filtering download paloaltonetworks region <region-name>
  > request url-filtering download status vendor paloaltonetworks
  > set system setting url-database paloaltonetworks

See Also
For the full BrightCloud to PAN-DB category mapping, refer to: BrightCloud to PAN-DB Category Mapping
How to Migrate URL Database from BrightCloud to PAN-DB on HA Devices

owner: apasupulati
apasupulati 05-08-2017 05:35 AM
This article explains how to serve the URL filtering admin override page over HTTPS, without certificate warnings, when a wildcard certificate issued by a third-party CA is available and SSL decryption is not in use. It does not cover SSL decryption.

Why does this matter? This is typically useful for clients in a Guest WiFi zone that use the URL Admin Override function to browse the internet. When the override page is served with a self-signed certificate, users get a certificate error, and because guest devices are not members of the domain it is not possible to push a certificate to them. The instructions below resolve the certificate issue.

Assumptions:
- No SSL decryption is configured. If SSL decryption is configured, this is much simpler to set up.
- A wildcard certificate from a third-party CA is available, for example *.domain.com.
- Internal DNS infrastructure is in use and is configured as the firewall's resolver under Device > Setup > Services > DNS servers, so that the firewall can resolve the internal domain.
- The wildcard certificate has already been imported into the firewall and is referenced from an SSL/TLS service profile.
- Firewall interfaces are in Layer 3 mode and URL admin override is in Redirect mode.
- The hosts use the internal DNS servers (or DNS servers that resolve the chosen hostname to the IP of the firewall's internal interface).

Steps
1. Add a record to the DNS server so that a hostname resolves to the IP of the firewall's trust interface. In this example the hostname is internal.domain.com and the A record maps internal.domain.com to 10.50.240.72, the IP assigned to the internal interface that is used during the redirect. After adding the record, ping internal.domain.com from an internal host and confirm that it resolves to 10.50.240.72. If it does not, clear the client's resolver cache (ipconfig /flushdns on Windows) and try again.
2. Configure the redirect address as an FQDN, in this case internal.domain.com, under Device > Setup > Content-ID > URL Admin Override. Click Add, or click the name of the existing override entry (if any) to edit it, and select the SSL/TLS service profile that holds the wildcard certificate.
3. Commit. The firewall now redirects users to internal.domain.com to enter the override password, and because that name is covered by the wildcard certificate, no certificate warnings appear.
shganesh 08-22-2016 06:47 AM
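Two things decide whether the procedure above actually removes the warning: the redirect name must resolve to the firewall's internal interface, and the wildcard certificate must cover that exact name. Browsers only let a wildcard stand for a single leftmost label, so *.domain.com covers internal.domain.com but neither domain.com nor something like override.internal.domain.com. The following Python script is an added example, not part of the article: wildcard_covers() applies that browser rule (an assumption stated in the code), override_page_problems() runs both checks on values you pass in, and live_check() fetches the resolved addresses and the certificate names from a running firewall. The hostname and IP are the article's; the port argument is whatever your firewall serves the override page on and is not taken from the article.

```python
import socket
import ssl


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """Does a certificate name (CN or DNS SAN) cover hostname?

    Rule applied (assumption: the common browser interpretation of RFC 6125):
    '*' is accepted only as the entire leftmost label, it matches exactly one
    label, and the name must keep at least two fixed labels. So *.domain.com
    covers internal.domain.com but neither domain.com nor a.internal.domain.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    p_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def override_page_problems(fqdn, firewall_ip, cert_names, resolved_ips):
    """List what would still produce a failed redirect or a browser warning."""
    problems = []
    if firewall_ip not in resolved_ips:
        problems.append(f"{fqdn} resolves to {sorted(resolved_ips)}, "
                        f"not the firewall's internal interface {firewall_ip}")
    if not any(wildcard_covers(name, fqdn) for name in cert_names):
        problems.append(f"no certificate name in {list(cert_names)} covers {fqdn}")
    return problems


def live_check(fqdn, firewall_ip, port):
    """Resolve fqdn with this host's configured resolver and read the DNS SANs from
    the certificate presented on port. Needs network access to the firewall.
    create_default_context() verifies the chain against the OS trust store, so a
    certificate the client would not trust surfaces here as an SSLError."""
    resolved = {ai[4][0] for ai in socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)}
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return override_page_problems(fqdn, firewall_ip, names, resolved)


if __name__ == "__main__":
    # Values from the article; this run is offline and uses constructed inputs.
    print(override_page_problems("internal.domain.com", "10.50.240.72",
                                 ["*.domain.com"], {"10.50.240.72"}))
    print(override_page_problems("internal.sub.domain.com", "10.50.240.72",
                                 ["*.domain.com"], {"10.50.240.72"}))
```

Run the offline part first: the second call reports that *.domain.com does not cover a two-level-deep name, which is the mistake to catch before buying a certificate or picking the redirect FQDN.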
Steps
The custom URL category feature lets you create your own lists of URLs that can then be selected in any URL filtering profile. This document reviews the commands to create a custom URL category from the command line interface:

  > configure
  # set profiles custom-url-category Palo_Test description "How to configure Custom URL Category"
  # set profiles custom-url-category Palo_Test list [ example.com example.com/* *.example.com ]
  # commit

After the commit, the category appears in the web interface under Objects > Custom Objects > URL Category with the three entries above; they cover the bare hostname, explicit paths under it, and its subdomains respectively. The set command appends hosts, FQDNs or patterns to the list; to remove an entry, use the delete command:

  # delete profiles custom-url-category Palo_Test list example.com

owner: asharma
asharma1 06-23-2016 06:29 AM
Overview
URL filtering can be used without a URL filtering license, but the only way is to create custom URL categories and manually assign the list of URLs to each custom category.

Steps
1. Go to Objects > Custom Objects > URL Category. Click Add to create a new category and manually enter the list of URLs to include.
2. Go to Objects > Security Profiles > URL Filtering. Create a URL filtering profile and find the custom category in the list (custom categories are marked with an asterisk). Set its action to block.
3. Go to Policies > Security. In the security rule, select the URL Filtering profile created in the previous step.
4. Commit the configuration. The URLs listed in the custom category are now blocked, per the action set above.

Note: The predefined URL categories on the device cannot be used without a license; you will get "No valid URL filtering license" warnings when you commit.

Alternate solution

Instead of creating a URL Filtering profile:
1. Create a custom object under Objects > Custom Objects > URL Category.
2. Give the category a name and add the strings or patterns you want to block, for example "*.example.com".
3. In the security policy, reference the category you just created with action "deny". Example of such a rule as shown on the CLI:

  T-U-Url {
    from L3-Trust;
    source any;
    source-region none;
    to L3-Untrust;
    destination any;
    destination-region none;
    user any;
    category Example;
    application/service any/any/any/any;
    action deny;
    terminal no;
  }

4. With this approach you do not get the warning about "No valid URL filtering license", because no URL Filtering profile is involved.
ppatel 04-19-2016 07:42 AM
Overview
This document describes how to configure the Palo Alto Networks firewall, from the CLI, to block multi-threaded HTTP downloads.

Details
Run the following CLI commands:

  > configure
  # set deviceconfig setting ctd skip-block-http-range no
  # commit

When skip-block-http-range is set to no, whenever the firewall sees an HTTP client request for a file with a Range header (for example, when resuming a file download), it intercepts the request and responds the way a server that does not support range requests would. This tells the client to start the file from the beginning.

Note: This is a global setting. Turning it on disables more than concurrent downloads of the same file: it breaks every kind of HTTP resume operation, which can impact legitimate applications.

owner: gcapuno
gcapuno 09-07-2015 04:09 AM
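To see what the client experiences under this setting, the following Python script is an added example (not the article's own code and not a description of the firewall's implementation): serve() answers a resuming GET either as a normal server that honours Range with a 206, or, with block_range set, as a server that does not support ranges at all, which is the behaviour the article describes for skip-block-http-range no. resume_penalty() then shows the cost the note warns about: every byte the client already had is downloaded again. The request and file contents are constructed samples, and only a single byte range is modelled.

```python
import re


def _parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _parse_byte_range(value: str, size: int):
    """Parse a single 'bytes=start-end', 'bytes=start-' or 'bytes=-suffix' range.
    Multi-range requests are not modelled (assumption: a resume uses one range)."""
    m = re.fullmatch(r"bytes=(\d*)-(\d*)", value)
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return None
    if m.group(1) == "":                                   # suffix range: last N bytes
        start, end = max(size - int(m.group(2)), 0), size - 1
    else:
        start = int(m.group(1))
        end = min(int(m.group(2)), size - 1) if m.group(2) else size - 1
    return (start, end) if start <= end and start < size else None


def serve(raw_request: bytes, body: bytes, block_range: bool) -> bytes:
    """Build the response to a GET for `body`.

    block_range=False: behave like a normal server and honour Range with a 206.
    block_range=True: behave as the article describes the firewall with
    skip-block-http-range set to no, i.e. like a server that does not support
    ranges at all: 200 with the whole body and no Accept-Ranges header, so the
    client has to start again from byte 0.
    """
    _, headers = _parse_request(raw_request)
    rng = None if block_range else _parse_byte_range(headers.get("range", ""), len(body))
    if rng is None:
        status, payload = b"200 OK", body
        extra = b"" if block_range else b"Accept-Ranges: bytes\r\n"
    else:
        start, end = rng
        status, payload = b"206 Partial Content", body[start:end + 1]
        extra = (b"Accept-Ranges: bytes\r\n"
                 + f"Content-Range: bytes {start}-{end}/{len(body)}\r\n".encode())
    return (b"HTTP/1.1 " + status + b"\r\n" + extra
            + f"Content-Length: {len(payload)}\r\n".encode()
            + b"Connection: close\r\n\r\n" + payload)


def status_of(response: bytes) -> int:
    return int(response.split(b" ", 2)[1].decode())


def bytes_received(response: bytes) -> bytes:
    return response.split(b"\r\n\r\n", 1)[1]


def resume_penalty(response: bytes, already_have: int) -> int:
    """Bytes a resuming client must fetch again: 0 when the server answered 206,
    everything it already had when it was forced back to a 200 full download."""
    return already_have if status_of(response) == 200 else 0


if __name__ == "__main__":
    # Constructed sample (not a capture): a client resuming file.bin at byte 8
    REQUEST = b"GET /file.bin HTTP/1.1\r\nHost: example.com\r\nRange: bytes=8-\r\n\r\n"
    FILE = b"0123456789ABCDEF"
    for block in (False, True):
        resp = serve(REQUEST, FILE, block_range=block)
        print(f"block_range={block}: status {status_of(resp)}, "
              f"{len(bytes_received(resp))} bytes, {resume_penalty(resp, 8)} re-downloaded")
```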
Issue
When wanting to block a list of URLs globally, as one of the first rules in the policy, an admin cannot or may not want to use a URL Filtering profile, for the following reasons:
- A rule with a URL Filtering profile either allows or blocks the traffic, which prevents the URL filtering in the rest of the policy from being applied to it.
- FQDN address objects cannot be used for domains like "*.google.com", as wildcards are not allowed in FQDN objects.

Resolution
To block a list of URLs globally, create a custom URL category, add the URLs to it, and reference the category in a security rule.
1. Create a custom URL category under Objects > Custom Objects > URL Category. Click Add at the bottom-left of the screen, give it a Name and (optionally) a Description, then Add the URLs as needed.
Note: Remember that there is a difference between site.com and *.site.com: the first matches the site itself, the second its subdomains.
2. Add the custom URL category to a rule using the "URL Category" section of the Service/URL Category tab when creating the rule.
Because the rule matches on the URL category rather than through a URL Filtering profile, URL Filtering profiles on later rules still apply to the remaining traffic.

owner: jdelio
09-03-2015 04:11 AM
Overview
Search engines can be very helpful, but also a security risk: employees or students can use Google, Yahoo or Bing to research ways to bypass the firewall. The risk can be mitigated by using URL filtering to block searches that contain certain words.

Details
- Wildcards in URL filtering entries can only precede or follow a separator character, for example */ or /*.
- Most search engines use the same format for the search request: the search terms appear in plain text in the HTTP GET request, in the form "q=proxy+servers&".
- There is an implicit wildcard at the end of each entry in a custom URL category (PAN-OS 4.0.8 and later).
- Separators other than + and = may need to be accounted for in your custom URL category.
- URL filtering determines the URL from the HTTP GET request.
Note: Searches over HTTPS require decryption to be enabled; otherwise the Palo Alto Networks firewall cannot determine the URL.

Steps
1. Create a text file using Notepad and decide which search strings to filter.
PAN-OS 5.0 and 6.0 example:
  */*=proxy
  */*=bypass+filter
  */*=myspace
  */*=facebook
  */*+proxy
  */*+bypass+filter
  */*+myspace
  */*+facebook
Note: */*+[term] is included because */*=[term] only matches when the term is the first word in the search string.
PAN-OS 4.1 example:
  *=proxy
  *=bypass+filter
  *=myspace
  *=facebook
  *+proxy
  *+bypass+filter
  *+myspace
  *+facebook
Note: *+[term] is included because *=[term] only matches when the term is the first word in the search string.
2. Save the text file.
3. Go to Objects > Custom URL Category and import the category from the text file: click Import, browse to the text file, and click OK. The contents of the file appear line by line in the custom URL category.
4. Set an action for the new custom URL category in a URL filtering profile, and make sure the profile is attached to a security policy. Alternatively, create a deny rule that references the custom URL category.
5. Test the configuration.

owner: kgotlob
kgotlob 08-26-2015 07:49 AM
This document describes how to block multiple subdomains using a wildcard character.

Details
Subdomains can be blocked using URL Filtering (which requires a license). To block multiple subdomains:
1. Add the sites to the Block List of a URL Filtering profile. Examples of the entry format: *.office365.com or *office365.com.
Note: Alternatively, create a custom URL category containing the entries and set its action to block.
2. Apply the configured URL Filtering profile to the appropriate security rule.

Multiple subdomains cannot be blocked using a wildcard in FQDN address objects, as wildcards are not allowed in those objects.

owner: ukhapre
ukhapre 08-24-2015 04:14 PM
Overview
URL filtering presents a challenge when you need to block one specific HTTPS page and, at the same time, allow everything else under that site. For example, the requirement is to block https://public.example.com/extension1/a but allow https://public.example.com/extension1/b. Security policies and custom URL categories on their own only match on the "Issued To" Common Name (CN) of the certificate presented by the site.
Note: With the release of PAN-OS 6.0 there is an additional match on the SNI field presented in the SSL Client Hello message. For details refer to: Resolving URL Category in Decryption Policy When Multiple URLs are Behind the Same IP.

In this example the Common Name in the site's certificate is "*.example.com". A security policy can block "*.example.com", but that blocks the entire site. Since that is not the desired result, a URL Filtering profile is needed. The problem with the URL Filtering profile is that the firewall has to look inside the session to pick up the full URL; the session is SSL-encrypted, so the firewall cannot inspect it to apply URL Filtering unless a decryption policy covers the traffic.

Decryption should be implemented with care. If it is not already implemented on the firewall, the goal is to configure decryption to inspect only the traffic of interest. A decryption policy has a URL Category option, but decryption does not know which sub-page of the HTTPS site is to be blocked; it works the same way as a security policy and checks the "Issued To" CN of the presented certificate. If that matches the URL Category setting, the SSL session is decrypted. This makes it possible to decrypt only traffic to *.example.com while applying a URL Filtering profile that blocks only public.example.com/extension1/a (note that "https://" is not part of the URL list entry).

Steps
Follow the steps below to configure the desired behaviour:
1. Go to Objects > Custom Objects > URL Category and add a custom URL category named "Example Blacklist". Add public.example.com/extension1/a as the URL; do not prepend https:// to URL list entries.
2. Go to Objects > Custom Objects > URL Category and add a custom URL category named "Wildcard Blacklist". Add *.example.com to the URL list.
3. Go to Objects > Security Profiles > URL Filtering and create a URL Filtering profile named "Blacklisted HTTPS Sites" with the "Example Blacklist" custom URL category set to action block (it then appears under Block Categories in the profile).
4. Go to Policies > Security and add a security policy for trust-to-untrust traffic named "Deny HTTPS Sites". Leave the action as allow, set Profile Settings > Profile Type to Profiles, and select the URL Filtering profile "Blacklisted HTTPS Sites".
5. Go to Device > Certificate Management > Certificates and generate two self-signed CA certificates, one named "Palo Alto Decryption Trusted" and one named "Palo Alto Decryption Untrusted". The CN of "Palo Alto Decryption Untrusted" can be the firewall's trust-side IP; the CN of "Palo Alto Decryption Trusted" can be anything you like. Export the "Palo Alto Decryption Trusted" certificate and push it to the users (for example via Group Policy); decrypted sites are re-signed with it, so clients that do not trust it will see certificate warnings.
6. Open the "Palo Alto Decryption Trusted" certificate and tick "Forward Trust Certificate". Open the "Palo Alto Decryption Untrusted" certificate and tick "Forward Untrust Certificate".
7. Go to Policies > Decryption and add a decryption policy named "Decrypt Blacklisted Sites" with source zone trust, destination zone untrust, URL Category "Wildcard Blacklist", Action: Decrypt and Type: SSL Forward Proxy.
8. Commit. https://public.example.com/extension1/a is now blocked, while the rest of public.example.com remains reachable.

owner: mivaldi
mivaldi 06-10-2014 05:42 PM
Overview
When a user enables bandwidth management in mobile Chrome, the application establishes an SSL tunnel on port 80 to Google servers, so the requests made by the client cannot be filtered by Palo Alto Networks devices.

Resolution
To overcome this, the administrator can add check.googlezip.net/connect to the block list. With this in place, the mobile browser stops using the encrypted tunnel and the Palo Alto Networks device can filter the content again. To add the URL to the block list:
1. Go to Objects > Security Profiles > URL Filtering.
2. Choose the applicable profile (the one used on the security rule that allows traffic from the mobile devices) and add check.googlezip.net/connect to its Block List.

owner: rwelgarz
RafalWeglarz 04-19-2014 05:56 AM
On a Palo Alto Networks device, URL logs are generated in the following scenario:
- A security rule is configured with a URL Filtering profile.
- The URL Filtering profile action for the category is set to anything other than "allow" (allow generates no URL log; "alert" logs without blocking).
- The security rule is configured to log at session start or session end.
owner: mastevenson
mbutt 09-17-2013 01:45 PM
"block-continue" appears in the URL logs for the first URL that matches a category whose action requires the user to click Continue after being presented with the warning page. After the user has clicked Continue for a category, the logs for that category show "continue" for subsequent requests until the timeout is reached. When the timeout is reached, the user is presented with a new warning page and must click Continue again to proceed. This timeout is configured under Device > Setup > Content-ID.
owner: mbutt
mbutt 07-13-2012 11:14 AM
Issue
Is there a way to allow access to specific URLs within a site, while blocking the root and the other URLs of that site? For example:
  Block - news.yahoo.com
  Allow - news.yahoo.com/world
Resolution
Create a custom URL category containing news.yahoo.com and set its action to block in the URL filtering profile, then put news.yahoo.com/world in the Allow List of the same URL filtering profile. The profile's allow list is evaluated before its custom categories, which is why the sub-path is permitted while the rest of the site stays blocked.
owner: shasnain
shasnain 04-23-2012 08:24 AM
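Several of the articles above turn on how a URL list entry matches a URL: the three forms in the custom URL category CLI article (example.com, example.com/* and *.example.com), the "site.com versus *.site.com" note in the global block article, the search-term patterns like */*=proxy and */*+proxy with the implicit trailing wildcard, the *.office365.com subdomain entry, and the allow-list-over-custom-category precedence this last article relies on. The following Python script is an added example that models those rules so they can be tried against sample URLs before a commit; it is not PAN-OS code and is an approximation of the documented behaviour. Assumptions are marked in the code: the separator set (the page only shows ".", "/", "=" and "+"), the implicit trailing wildcard modelled as "anything after a further separator", and the evaluation order block list, allow list, then custom categories, taken from the older profile model these articles use. The sample URLs are constructed, not captured.

```python
import re

# Token separators for URL list entries. The page shows '.', '/', '=' and '+';
# the remaining characters are an assumption taken from the general PAN-OS
# custom URL category documentation.
SEPARATORS = "./?&=;+:"
_S = re.escape(SEPARATORS)
_TOKENS = rf"[^{_S}]+(?:[{_S}][^{_S}]+)*"   # what one '*' stands for: one or more tokens


def _strip_scheme(s: str) -> str:
    # URL list entries carry no scheme (the decryption article: do not prepend https://)
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", s.strip().lower())


def entry_to_regex(entry: str) -> re.Pattern:
    parts = []
    for piece in re.split(r"(\*)", _strip_scheme(entry)):
        if piece == "*":
            parts.append(_TOKENS)
        elif piece:
            parts.append(re.escape(piece))
    # Implicit trailing wildcard (PAN-OS 4.0.8 and later, per the search-term
    # article): example.com also covers example.com/login. Assumption: modelled
    # as an optional separator-plus-anything suffix.
    return re.compile("^" + "".join(parts) + rf"(?:[{_S}].*)?$")


def matches(entry: str, url: str) -> bool:
    return entry_to_regex(entry).match(_strip_scheme(url)) is not None


def first_match(url: str, entries):
    """The first list entry that matches url, or None."""
    return next((e for e in entries if matches(e, url)), None)


def evaluate_profile(url: str, block_list=(), allow_list=(), custom_categories=None) -> str:
    """Action a URL filtering profile would take on url.

    Evaluation order (assumption, from the pre-PAN-OS-8.0 profile model these
    articles use): block list, then allow list, then custom categories, each
    given as name -> (entries, action). Predefined categories are not modelled;
    'default' means none of the explicit lists matched.
    """
    if first_match(url, block_list):
        return "block"
    if first_match(url, allow_list):
        return "allow"
    for entries, action in (custom_categories or {}).values():
        if first_match(url, entries):
            return action
    return "default"


if __name__ == "__main__":
    # Constructed sample URLs exercising the entries the articles use
    for entry, url in [("*.example.com", "www.example.com"),
                       ("*.example.com", "example.com"),
                       ("example.com", "example.com/login"),
                       ("example.com", "www.example.com")]:
        print(f"{entry:15} {url:22} -> {matches(entry, url)}")
    search_entries = ["*/*=proxy", "*/*+proxy"]
    for url in ["www.google.com/search?q=proxy+servers&hl=en",
                "www.google.com/search?q=free+proxy"]:
        print(f"{url:45} -> {first_match(url, search_entries)}")
    yahoo = {"yahoo-news": (["news.yahoo.com"], "block")}
    for url in ["news.yahoo.com", "news.yahoo.com/world", "news.yahoo.com/sports"]:
        print(f"{url:25} -> {evaluate_profile(url, allow_list=['news.yahoo.com/world'], custom_categories=yahoo)}")
```

The second search URL is the case the search-term article's note is about: */*=proxy only fires when "proxy" is the first word after q=, so the */*+proxy entry is what catches "free+proxy". The last loop reproduces this article's block-root-allow-subpath result; moving news.yahoo.com into block_list instead of a custom category would block the sub-path too, because the block list is evaluated first.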
Issue
Dynamic URLs keep coming up as not-resolved. service.brightcloud.com is reachable and updates are being downloaded normally.
Resolution
Captive Portal was blocking the dynamic URL lookups: the captive portal policy triggers on HTTP, which the lookups use, but not on HTTPS, which the dynamic updates are downloaded over (which is why the updates still worked). Captive portal was also capturing DNS resolution queries from the management interface; a no-captive-portal rule was added for the management interface.
owner: tpiens
panagent 01-11-2012 10:55 AM
Steps
1. Download the seed file from the Dynamic Updates section of the support.paloaltonetworks.com site.
2. Use the commands below to import the file and install the seed file on the device:
  > scp import signed-url-database from username@192.168.100.50:c/1/scp/bcdb_3_660.enc
  > request url-filtering install signed-database
owner: mrajdev
panagent 01-03-2012 05:40 PM
Steps
1. Download the seed file from the Support Portal.
2. SCP import the file onto the Palo Alto Networks device:
  > scp import url-database from user1@10.26.0.23:/home/user1/bcdb_3_617
  user1@10.26.0.23's password:
  bcdb_3_617  100%  347MB   4.5MB/s   01:18
  uploaded_bc_db_full saved
3. Install the database, giving its MD5 and version:
  > request url-filtering install database md5 46a156758657b543bf7462ba2f3dca93 major-version 3 minor-version 617
  Installing URL database started.  This may take a while!
4. Confirm the result in pan_bc_download.log:
  May 19 14:32:00 Time taken: 35
  May 19 14:32:12 URL filtering database was upgraded from version 3615 to version 3617 by the auto-update agent
owner: mrajdev
panagent 01-03-2012 05:05 PM