Does anybody has experience with migration to PAN-OS 9 regarding URL filtering changes?
Today with PAN-OS 8.1
Url-Filtering Profile 1 with Override Allow list: Url 1, Url 2, Url 3
Url-Filtering Profile 2 with Override Allow list: Url 2, Url 3, Url 4
Url-Filtering Profile 3 with Override Allow list: Url 3, Url 4, Url 5
During migration to PAN-OS 9 (in which the Override Allow List was removed), I understand that for each Override Allow List, a separate Custom Url Category is created:
Custom Url Category 1:Url 1, Url 2, Url 3
Custom Url Category 2:Url 2, Url 3, Url 4
Custom Url Category 3:Url 3, Url 4, Url 5
which then are assigned to the respective Url Filtering Profile
Url-Filtering Profile 1: Custom Url Category 1 => Allow
Url-Filtering Profile 2: Custom Url Category 2 => Allow
Url-Filtering Profile 3: Custom Url Category 3 => Allow
How is the behaviour of the firewall now if the same Url, e.g. Url 3, belongs to multiple Custom Url Categories? Which one will match?
Here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzSCAS it says it can cause unpredictable results.
Here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC it says it will result in the most severe action.
Solved! Go to Solution.
The most severe action will be taken, as one would expect. The first KB article that you mentioned either is poor at actually writing Regex or is unaware of how the matching multiple different categories is actually processed; I've never ran into "unpredictable" results due to multiple matching categories as long as the custom actually understands the actions they have set.
thanks for your reply. Perhaps I better convert the Override lists to Custom Url categories before update to PAN-OS 9 ?
The automatic conversion should work perfectly fine, but if you convert it ahead of time you don't really have to worry about it when you actually perform the upgrade.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!