Custom URL Issue

Reply
Highlighted
L4 Transporter

Custom URL Issue

Hi all,

 

I had an issue where a client created a Custom URL category with multiple of URLs and added it in a Security Rule, all of the URLs specified in that custom category is matching except one URL with wild card such as *.sometechnologies.com.

 

I'm using the command >test custom-url url <MyURL> to check the match but for only one url wild card is not working and the output of the command will be 'any' instead of the custom url category name 'test'.

 

The client is running PANOS 7.1.5 so I made my lab with the same setup and tried the same url and it was matching 'test'.

 

The only difference between my client setup and my setup is I've having the URL filtering license which is not even required in case of custom url category.

 

Have anyone experienced the same?

 

Regards,

Sharief

 

 

Regards,
Sharief
L7 Applicator

Re: Custom URL Issue

If Custom URL is *.sometechnologies.com then you have to be sure that user goes to www.sometechnologies.com or ftp.sometechnologies.com or similar site. Something has to be in the front.

 

If user tries to go to sometechnologies.com then *.sometechnologies.com does not match.

 

So you usually put 2 entries into custom category

sometechnologies.com

*.sometechnologies.com

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L4 Transporter

Re: Custom URL Issue

Hi @Raido,

 

Its a server that always connecting to a23-0-91-101.deploy.static.akamaitechnologies.com where in the Custom URL category i've made it *.akamaitechnologies.com but it still doesn't work. Please note that the exact same url speficied above is working in my lab, it must be something with the client environment.

 

Is a PANOS upgrade could solve this?

Regards,
Sharief
L7 Applicator

Re: Custom URL Issue

Ok in your lab do following test to be sure this website fully matches your category and does not pull anything down from other addresses.

 

Create Custom URL Category and put *.akamaitechnologies.com into it (you probably have it in place already).

Create top rule that permits traffic from your test pc to internet. Under "Service/URL Category" tab choose your custom URL category and permit this traffic.

Create second rule that blocks all traffic to internet from your test pc.

 

Can you still go to this site?

Be sure to use other browser or clear cache just in case.

 

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L4 Transporter

Re: Custom URL Issue

Hi @Raido,

 

Yes its working. I just wanted to say that by running command >test custom-url url <MYURL> it won't give you result unless you attach the Custom-URL category into the Security Rule. So the security rule was there from the beginning and I just created the deny rule.

 

If I tried the same with the client the command output will match 'any' not the custom-url I've created.

 

Regards,

Sharief

 

Regards,
Sharief
L4 Transporter

Re: Custom URL Issue

Anyone have more ideas here?

Regards,
Sharief
L2 Linker

Re: Custom URL Issue

I have the same issue running PAN OS 7.1.4. Using *.sharefile.com in a custom category but it still categorizes it as online-personal-storage in the URL filter logs, which we block. The actual URI they are visiting is warrenaverett.sharefile.com but then directs to any number of other sub domains like storage-ec2-484.sharefile.com. When I run the test custom-url url <MyURL> command it returns "No custom category matched".

L4 Transporter

Re: Custom URL Issue

If the exception is No custom category matched then you may need to add it to security rule and keep it on top just in case. If that is already done make sure you don't have any duplicated URL in other custom URL category.

 

Regards,

Sharief

Regards,
Sharief
L0 Member

Re: Custom URL Issue

Having a similar issue with Custom URL Category for Akamai site and SSL Decrypt.  Was trying to test earlier, have multiple sites in the URL Category and added to a rule to exempt my machine from decryption, but the logs show that the traffic is still being decrypted and the installation that is trying to reach out is failing.  When I switch to a complete no-decrypt, then the traffic is not decrypted and the installation completes.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!