URL Category in Security Policy only for http?

L3 Networker

URL Category in Security Policy only for http?

We unfortunately use an SMTP server with an FQDN. (We cannot use an FQDN object for certain reasons.)

And we implemented a security policy with the url category in the "Service/URL Category" section of the security policy.

In the security policy, the application allowed is smtp and port allowed is 25.

When we test, the connection does not match this rule at all. We are making sure that indeed the application triggered is smtp on port 25.

 

So is URL Category in Security Policy only applied when the application is web-browsing/ssl and port is 80/443 ?

 

BR,

RJ

 

 

Community Team Member

Re: URL Category in Security Policy only for http?

Hi @rjdahav163 ,

 

Any application with a dependency on web-browsing.

 

Cheers !

-Kiwi.

 
L3 Networker

Re: URL Category in Security Policy only for http?

Hi @kiwi 

 

Thanks for the quick reply! But then how to solve the issue:

We want to allow smtp on port 25 only as application and destination is a url category, attached in "service/url category" of a security policy. (We are not using fqdn object because the refresh time can be minimum only 10 minutes and the server changes the ip more frequently)

 

So any suggestions?

 

BR,

RJ

 

 

L1 Bithead

Re: URL Category in Security Policy only for http?

To answer your first question "So is URL Category in Security Policy only applied when the application is web-browsing/ssl and port is 80/443 ?" I believe the answer is no. The URL category can match on any port or application.

 

As for a possible solution to the problem: have you tried using a separate security profile with a custom url-filtering profile that allows the category?

 

 

 

L1 Bithead

Re: URL Category in Security Policy only for http?

If you cannot use the fqdn, I would create an address group with all the possible IPs the fqdn resolves to and use that as the destination.

(If it changes so rapidly, I presume it's for load balancing and the number of IPs will be limited...)

L7 Applicator

Re: URL Category in Security Policy only for http?


@kiwi wrote:

Hi @rjdahav163 ,

 

Any application with a dependency on web-browsing.

 

Cheers !

-Kiwi.

 

May I add that you can use URL categories not only for web-browsing dependent applications. Actually also for almost every TLS encrypted connection like SMTPs. So if your connection is encrypted, the solution with a URL category probably works, as the firewall also checks for hostnames in the SNI extension and also the CN of a certificate in a TLS connection.
