URL Filtering with Any Any

L3 Networker

URL Filtering with Any Any

Hello all,

We are preparing a firewall in which the first security rule has to be:

Source and Destination: ANY

From TRUST Zone to INTERNET Zone.

Application and Service: Any

And then there is a URL Filtering profile attached to the rule.

So will this rule match all the traffic coming from the TRUST Zone to the INTERNET Zone? Or, when a URL Filtering profile is attached, is only HTTP/HTTPS traffic matched?

BR,

RJ

L6 Presenter

Re: URL Filtering with Any Any


@rjdahav163 wrote:

Hello all,

We are preparing a firewall in which the first security rule has to be:

Source and Destination: ANY

From TRUST Zone to INTERNET Zone.

Application and Service: Any

And then there is a URL Filtering profile attached to the rule.

So will this rule match all the traffic coming from the TRUST Zone to the INTERNET Zone? Or, when a URL Filtering profile is attached, is only HTTP/HTTPS traffic matched?

BR,

RJ


This will allow ALL traffic out to the Internet over ANY port/protocol AND will also apply URL filtering. (It's going to be an either/or. Either condition will be matched where applicable.) (I'm 98% certain on this.)

If you want to restrict traffic to "web based" traffic, you're going to want to add either a "service" or an application restriction to your policy.

L3 Networker

Re: URL Filtering with Any Any

@Brandon_Wertz @BPry

OK. But then it means that if I initiate, let's say, an SSH session to the internet, URL Filtering will be applied to that too?

Thanks

L6 Presenter

Re: URL Filtering with Any Any


@rjdahav163 wrote:

@Brandon_Wertz @BPry

OK. But then it means that if I initiate, let's say, an SSH session to the internet, URL Filtering will be applied to that too?

Thanks


No... Since SSH isn't "web-browsing", the web-filtering policy will not be applied, and SSH (22/tcp) to anything on the Internet will be allowed.

Again, it's my understanding that it's an either/or scenario, but I'd confirm this with TAC, as I've never built such an open policy and don't know the true implications.

L7 Applicator

Re: URL Filtering with Any Any

Hi @rjdahav163

It is as @Brandon_Wertz already wrote. Such a policy will allow everything, and not only web-browsing connections where URL filtering can be applied.

The firewall will process the traffic until an application is identified, and at that point the firewall already checks if a security profile (including a URL filtering profile) is specified. If yes, the firewall prepares the content processor for this session. Then, as you have specified a security profile, the content processor will do protocol decoding/parsing and content matching, but as URL filtering is only applicable to HTTP and TLS sessions, everything else will simply be allowed, as there is nothing to which the security profile action can be applied.

You can see the full packet processing flow here: http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309 and a description with a lot more details is here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

So it depends on your specific use case, but in general I do not recommend such a policy.

Regards,

Remo
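To make the "either/or" behaviour discussed above concrete, here is an added example that is not part of any post in this thread and is not Palo Alto's own documentation. It assumes PAN-OS set-format CLI syntax; the rule names, the profile name URL-Profile and the sample IP addresses are placeholders, the zone names TRUST and INTERNET are taken from the question, and the lines starting with # are annotations to strip before pasting into a configure session. The first rule is the open one from the question, the second is the application/service restriction suggested in the replies, and the final two commands are the operational-mode check a practitioner would run to see which rule a given flow hits before committing.

```panos
# 1) The rule as described in the question: every session from TRUST to
#    INTERNET matches it. The URL Filtering profile only has something to
#    act on when App-ID identifies web-browsing or another HTTP/TLS-based
#    application; SSH, DNS, etc. still match and are allowed with no URL
#    category ever evaluated.
set rulebase security rules Allow-Any-Out from TRUST
set rulebase security rules Allow-Any-Out to INTERNET
set rulebase security rules Allow-Any-Out source any
set rulebase security rules Allow-Any-Out destination any
set rulebase security rules Allow-Any-Out source-user any
set rulebase security rules Allow-Any-Out category any
set rulebase security rules Allow-Any-Out application any
set rulebase security rules Allow-Any-Out service any
set rulebase security rules Allow-Any-Out action allow
set rulebase security rules Allow-Any-Out profile-setting profiles url-filtering URL-Profile

# 2) The restriction suggested in the replies: scope the rule to the web
#    applications the URL profile can actually inspect, on their default
#    ports. Anything that is not web-browsing/ssl falls through to later
#    rules (and ultimately the implicit interzone deny) instead of being
#    silently allowed by this rule.
set rulebase security rules Allow-Web-Out from TRUST
set rulebase security rules Allow-Web-Out to INTERNET
set rulebase security rules Allow-Web-Out source any
set rulebase security rules Allow-Web-Out destination any
set rulebase security rules Allow-Web-Out source-user any
set rulebase security rules Allow-Web-Out category any
set rulebase security rules Allow-Web-Out application [ web-browsing ssl ]
set rulebase security rules Allow-Web-Out service application-default
set rulebase security rules Allow-Web-Out action allow
set rulebase security rules Allow-Web-Out profile-setting profiles url-filtering URL-Profile

# 3) Operational-mode check (run outside configure mode). 10.0.0.5 and
#    203.0.113.10 are constructed sample addresses. With only the open rule
#    present, both flows report Allow-Any-Out; with only the restricted rule
#    present, the ssh flow no longer matches it while the ssl flow still does.
test security-policy-match from TRUST to INTERNET source 10.0.0.5 destination 203.0.113.10 protocol 6 destination-port 22 application ssh
test security-policy-match from TRUST to INTERNET source 10.0.0.5 destination 203.0.113.10 protocol 6 destination-port 443 application ssl
```

The point of keeping the URL Filtering profile on the restricted rule is that the profile decides what happens to web sessions the rule already matched; it never decides which sessions match. Matching is done by the rule's zone, address, user, application and service fields, so that is where the narrowing has to live.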

L4 Transporter

Re: URL Filtering with Any Any

@Brandon_Wertz: when you say either/or, can you clarify? Do you mean either the "src ip/dst ip and application" OR the "src ip/dst ip/application AND URL category" (if it's a web-based application)?

L6 Presenter

Re: URL Filtering with Any Any


@Sec101 wrote:

@Brandon_Wertz: when you say either/or, can you clarify? Do you mean either the "src ip/dst ip and application" OR the "src ip/dst ip/application AND URL category" (if it's a web-based application)?


Either/or, meaning the policy will allow web content filtering (WCF) OR non-WCF type traffic, depending on how the traffic is traversing the firewall.

It seems like you were trying to create a WCF rule, thinking that since you "applied" a URL profile that's all the FW would do, but that's not the case. Since you didn't specify an application type or a UDP/TCP port, the firewall will allow pretty much anything via that rule.

L4 Transporter

Re: URL Filtering with Any Any

Brandon, I believe you're 100% correct in stating it is either/or.

What is considered WCF traffic? Application based (SSL/Web-browsing), or is it based upon "technology" or port?

L7 Applicator

Re: URL Filtering with Any Any

WCF = Web content filtering --> traffic where URL filtering profiles can be applied
