Custom URL Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Custom URL Issue

L4 Transporter

Hi all,

 

I had an issue where a client created a Custom URL category with multiple of URLs and added it in a Security Rule, all of the URLs specified in that custom category is matching except one URL with wild card such as *.sometechnologies.com.

 

I'm using the command >test custom-url url <MyURL> to check the match but for only one url wild card is not working and the output of the command will be 'any' instead of the custom url category name 'test'.

 

The client is running PANOS 7.1.5 so I made my lab with the same setup and tried the same url and it was matching 'test'.

 

The only difference between my client setup and my setup is I've having the URL filtering license which is not even required in case of custom url category.

 

Have anyone experienced the same?

 

Regards,

Sharief

 

 

Regards,
Sharief
10 REPLIES 10

Cyber Elite
Cyber Elite

If Custom URL is *.sometechnologies.com then you have to be sure that user goes to www.sometechnologies.com or ftp.sometechnologies.com or similar site. Something has to be in the front.

 

If user tries to go to sometechnologies.com then *.sometechnologies.com does not match.

 

So you usually put 2 entries into custom category

sometechnologies.com

*.sometechnologies.com

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister,

 

Its a server that always connecting to a23-0-91-101.deploy.static.akamaitechnologies.com where in the Custom URL category i've made it *.akamaitechnologies.com but it still doesn't work. Please note that the exact same url speficied above is working in my lab, it must be something with the client environment.

 

Is a PANOS upgrade could solve this?

Regards,
Sharief

Ok in your lab do following test to be sure this website fully matches your category and does not pull anything down from other addresses.

 

Create Custom URL Category and put *.akamaitechnologies.com into it (you probably have it in place already).

Create top rule that permits traffic from your test pc to internet. Under "Service/URL Category" tab choose your custom URL category and permit this traffic.

Create second rule that blocks all traffic to internet from your test pc.

 

Can you still go to this site?

Be sure to use other browser or clear cache just in case.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi @Raido_Rattameister,

 

Yes its working. I just wanted to say that by running command >test custom-url url <MYURL> it won't give you result unless you attach the Custom-URL category into the Security Rule. So the security rule was there from the beginning and I just created the deny rule.

 

If I tried the same with the client the command output will match 'any' not the custom-url I've created.

 

Regards,

Sharief

 

Regards,
Sharief

Anyone have more ideas here?

Regards,
Sharief

L2 Linker

I have the same issue running PAN OS 7.1.4. Using *.sharefile.com in a custom category but it still categorizes it as online-personal-storage in the URL filter logs, which we block. The actual URI they are visiting is warrenaverett.sharefile.com but then directs to any number of other sub domains like storage-ec2-484.sharefile.com. When I run the test custom-url url <MyURL> command it returns "No custom category matched".

If the exception is No custom category matched then you may need to add it to security rule and keep it on top just in case. If that is already done make sure you don't have any duplicated URL in other custom URL category.

 

Regards,

Sharief

Regards,
Sharief

Having a similar issue with Custom URL Category for Akamai site and SSL Decrypt.  Was trying to test earlier, have multiple sites in the URL Category and added to a rule to exempt my machine from decryption, but the logs show that the traffic is still being decrypted and the installation that is trying to reach out is failing.  When I switch to a complete no-decrypt, then the traffic is not decrypted and the installation completes.

L2 Linker

I'm having the same issue, Do we have the resolution yet for this? @MohamedSharief 

L0 Member

@MohamedSharief wrote:

Hi all,

 

I had an issue where a client created a Custom URL category with multiple of URLs and added it in a Security Rule, all of the URLs specified in that custom category is matching except one URL with wild card such as *.sometechnologies.com.

 

I'm using the command >test custom-url url <MyURL> to check the match but for only one url wild card is not working and the output of the command will be 'any' instead of the custom url category name 'test'.

 

The client is running PANOS 7.1.5 so I made my lab with the same setup and tried the same url and it was matching 'test'.

 

The only difference between my client setup and my setup is I've having the URL filtering license which is not even required in case of custom url category.

 

Have anyone experienced the same?

 

Regards,

Sharief

 

 


Create Custom URL Category and put *.akamaitechnologies.com into it (you probably have it in place already).

Create top rule that permits traffic from your test pc to internet. Under "Service/URL Category" tab choose your custom URL category and permit this traffic.

  • 6571 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!