URL Category in Security Policy only for http?


L3 Networker

We unfortunately use an SMTP server with an FQDN (we cannot use an FQDN object for certain reasons).

And we implemented a security policy with the URL category in the "Service/URL Category" section of the security policy.

In the security policy, the application allowed is smtp and the port allowed is 25.

When we test, the connection does not match this rule at all. We are making sure that the application triggered is indeed smtp on port 25.

 

So is the URL category in a security policy only applied when the application is web-browsing/ssl and the port is 80/443?

 

BR,

RJ

 

 


Community Team Member

Hi @rjdahav163,

 

Any application with a dependency on web-browsing.

 

Cheers!

-Kiwi.


Hi @kiwi 

 

Thanks for the quick reply! But then how do we solve the issue?

We want to allow SMTP on port 25 only as the application, and the destination is a URL category attached in the "Service/URL Category" section of a security policy. (We are not using an FQDN object because the refresh time can be a minimum of only 10 minutes and the server changes its IP more frequently.)

 

So any suggestions?

 

BR,

RJ

 

 

To answer your first question, "So is URL Category in Security Policy only applied when the application is web-browsing/ssl and port is 80/443?", I believe the answer is no. The URL category can match on any port or application.

 

As for a possible solution to the problem: have you tried using a separate security profile with a custom URL Filtering profile that allows the category?

 

 

 

If you cannot use the FQDN, I would create an address group with all the possible IPs the FQDN resolves to and use that as the destination.

(If it changes so rapidly, I presume it's for load balancing and the number of IPs will be limited...)

L7 Applicator

@kiwi wrote:

Hi @rjdahav163,

 

Any application with a dependency on web-browsing.

 

Cheers!

-Kiwi.

 

May I add that you can use URL categories not only for web-browsing-dependent applications, but actually also for almost every TLS-encrypted connection, like SMTPS. So if your connection is encrypted, the solution with a URL category probably works, as the firewall also checks for hostnames in the SNI extension and the CN of the certificate in a TLS connection.
