DotW: Unblocking a URL

Created On 09/25/18 19:05 PM - Last Modified 06/09/23 06:09 AM


Resolution


Grouping websites into a set of categories is now common practice, allowing granular visibility of the URLs users are looking for. Using a set of policies based on these categories, we can control access to specific categories.  

 

For example, you can configure a policy to never allow the 'adult' category.

 

In some cases, however, a URL category can be considered too strict, so an exception is needed to allow the specific URL.

 

This is something user jharlow brought up in a recent discussion.

 

Post-Unblocking_a_URL.png

 

The user in this case blocked the category 'shareware-and-freeware' as illustrated here:

 

Screen Shot 2015-11-16 at 10.52.36.png

 

At the same time, however, the user would like to access the site https://ninite.com.

 

This URL falls inside the blocked category and is blocked by policy, as you can see:

Screen Shot 2015-11-16 at 10.55.11.png

 

You can test the URL in the CLI to see what the actual category is:

 

> test url ninite.com

ninite.com shareware-and-freeware (Base db)

 

This URL is a secure site using HTTPS, and our community member had already mentioned the CN (common name) of the certificate.

 

Beginning with PAN-OS 6.0, Palo Alto Networks uses a new method of resolving the URL category.  This new method is not based on the server's certificate CN field, but rather on the SNI (Server Name Indication) value of the SSL ClientHello message:

 

Screen Shot 2015-11-16 at 11.26.26.png

 

 

In order to make an exception, the member added the URL to the 'allow' list, as shown in the example below:

 

Screen Shot 2015-11-16 at 12.25.56.png

 

This will allow the URL even though the category 'shareware-and-freeware' is blocked.

 

For some reason, this didn't do the trick, so further debugging might be needed in this case.

 

As an alternative solution, community member Brandon_Wertz came up with the idea of using a custom URL category. This is also possible, and as it turned out, worked for member jharlow.

 

You can configure a Custom URL category under Objects > Custom Objects > URL Category:

 

Screen Shot 2015-11-16 at 11.42.11.png

 

Note that I named the Custom URL Category 'Custom_allow' in the above example.

 

After creating this Custom URL Category, you will find this 'new' category in your URL Filtering Profile.  Notice the asterisk, indicating that this is a Custom URL Category:

 

Screen Shot 2015-11-16 at 11.44.32.png

 

As Brandon pointed out in his comment, using a custom category might be even better, because it will allow more control. You can set an 'alert' action on your custom category, which will allow you to track it in the URL Filtering Logs:

 

Screen Shot 2015-11-16 at 11.36.48.png

 

 

Follow the discussion in our community here:

Unblocking ninite.com

 

We always welcome comments and questions in the comments section below.

 

Thanks for reading.

 

Kim Wens


