Differences between URL category and address object?

L2 Linker


We are doing some testing with a user that is running a client and needs to get out to the internet.

1. We have a policy for testing and added the required FQDN address objects to the destination. This was successful.

2. Next, we removed the address objects from the destination (replaced that with "any") and moved them to be part of an existing URL category group. We then added this URL category group to the testing policy. This has worked for us when testing in the past, but does not work now. 

 

Why would something work when added as an address object but not when it's part of a URL category group? Am I missing something? 

 

Thank you!

 

 

L4 Transporter

Re: Differences between URL category and address object?

@TLineberry Which L7-Applications are you using in that policy?

L2 Linker

Re: Differences between URL category and address object?

SSL 

L7 Applicator

Re: Differences between URL category and address object?

Hello,

Are you decrypting the traffic? If yes and you are not running version 9.0.x, then you will also need to add web-browsing and set the service ports to 443 and 80 for web-browsing. Also check the logs to see why it's getting blocked. Could be a new application blocking the traffic.

 

Regards,

L2 Linker

Re: Differences between URL category and address object?

Hi, 

 

We are not decrypting the traffic. Checked the logs and we don't see anything, no other apps, etc. It's very odd! 

 

I just don't know why it would work when using destination address objects but not when using objects in a URL category...

L7 Applicator

Re: Differences between URL category and address object?

Also check the URL logs to see if it's blocking on the category the URL is in.

L4 Transporter

Re: Differences between URL category and address object?

@TLineberry: That's expected behavior. The system needs to see the URL to match it against your URL filter.

In TLS, the URL is part of the encrypted payload; if you're lucky and the server hosts multiple websites, it may use TLS-SNI. So you need to decrypt the traffic to see the URL. When you use an FQDN address object, the Palo simply does a DNS forward lookup and whitelists the IP - that's independent of any URLs and works e.g. for CIFS traffic, which doesn't use URLs either.
