Experience with migration to PAN-OS 9 regarding URL filtering changes


L4 Transporter

Does anybody have experience with migration to PAN-OS 9 regarding URL filtering changes?

 

Today with PAN-OS 8.1

Url-Filtering Profile 1 with Override Allow list: Url 1, Url 2, Url 3

Url-Filtering Profile 2 with Override Allow list: Url 2, Url 3, Url 4

Url-Filtering Profile 3 with Override Allow list: Url 3, Url 4, Url 5

 

During migration to PAN-OS 9 (in which the Override Allow List was removed), I understand that for each Override Allow List, a separate Custom Url Category is created:

 

Custom Url Category 1: Url 1, Url 2, Url 3

Custom Url Category 2: Url 2, Url 3, Url 4

Custom Url Category 3: Url 3, Url 4, Url 5

 

which then are assigned to the respective Url Filtering Profile

 

Url-Filtering Profile 1: Custom Url Category 1 => Allow

Url-Filtering Profile 2: Custom Url Category 2 => Allow

Url-Filtering Profile 3: Custom Url Category 3 => Allow

 

How is the behaviour of the firewall now if the same Url, e.g. Url 3, belongs to multiple Custom Url Categories? Which one will match?

 

Here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzSCAS it says it can cause unpredictable results.

 

Here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC it says it will result in the most severe action.

 

 

Accepted Solutions

Cyber Elite

@Anon1,

The most severe action will be taken, as one would expect. The first KB article that you mentioned either is poor at actually writing Regex or is unaware of how the matching of multiple different categories is actually processed; I've never run into "unpredictable" results due to multiple matching categories as long as the customer actually understands the actions they have set.

L4 Transporter

Hello  BPry

Thanks for your reply. Perhaps I had better convert the Override lists to Custom Url categories before updating to PAN-OS 9?

@Anon1,

The automatic conversion should work perfectly fine, but if you convert it ahead of time you don't really have to worry about it when you actually perform the upgrade. 
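An added example, not part of the original thread and not Palo Alto tooling: a small pre-upgrade audit that mirrors the conversion described in the question, lists the entries that end up in more than one custom URL category, and resolves the action by "most severe wins" as stated in the accepted answer. The severity order, the category names and the sample URLs are assumptions, and entries are compared as exact strings, so wildcard overlap is not detected.

```python
from collections import defaultdict

# Assumption: severity order, most severe first. The thread only states that
# "the most severe action" wins; confirm the order for your PAN-OS release.
SEVERITY = ["block", "override", "continue", "alert", "allow"]

# Constructed sample mirroring the question: one override allow list per profile.
ALLOW_LISTS = {
    "profile1": ["url1.example", "url2.example", "url3.example"],
    "profile2": ["url2.example", "url3.example", "url4.example"],
    "profile3": ["url3.example", "url4.example", "url5.example"],
}

def convert_allow_lists(allow_lists):
    """One custom URL category per override allow list (names are hypothetical)."""
    return {f"custom-{p}": set(urls) for p, urls in allow_lists.items()}

def overlapping_urls(categories):
    """Map each entry found in more than one category to those category names."""
    seen = defaultdict(set)
    for name, urls in categories.items():
        for url in urls:
            seen[url].add(name)
    return {u: sorted(c) for u, c in seen.items() if len(c) > 1}

def effective_action(url, categories, profile_actions):
    """Most severe action among matching categories that have an action in the
    given profile; None when no such category contains the entry."""
    matched = [profile_actions[n] for n, urls in categories.items()
               if url in urls and n in profile_actions]
    return min(matched, key=SEVERITY.index) if matched else None

CATEGORIES = convert_allow_lists(ALLOW_LISTS)

if __name__ == "__main__":
    for url, names in sorted(overlapping_urls(CATEGORIES).items()):
        print(f"{url}: in {', '.join(names)}")
    # Hypothetical profile that allows one category and blocks another.
    mixed = {"custom-profile1": "allow", "custom-profile3": "block"}
    for url in ("url1.example", "url3.example"):
        print(url, "->", effective_action(url, CATEGORIES, mixed))
```

Running the audit against the exported allow lists before the upgrade shows which entries deserve a look if any profile ever sets a non-allow action on one of the converted categories.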
