URL filtering

okay so I make a url filtering profile for one single web address that we want to block and then create a security policy with that profile in it.  

So if I can do this what does the url filtering subscription get you, we currently do no have it

@BPry - forgot to tag you

okay so I make a url filtering profile for one single web address that we want to block and then create a security policy with that profile in it.  

So if I can do this what does the url filtering subscription get you, we currently do no have it

If you only want to log the accessed url's, allow only specific url's for example to a dmz server or as in your case you only need to block one (ore more) specific address(es) --> ther is no need for the url subscription

With the url subscription you can apply actions based on url categories. Here a few examples:

• Block malware, phishing, peer2peer, dyn-dns, unknown
• If your company policy does not allow social media
• Allow downloads on all websites exept risky categories
• With PAN-OS 8: allow your users to enter credentials on benign websites but not on unknown
• ...

The list with possibilities is nearly endless 😉

But the main point is, that the subscription is for these categories and this is a point which you definately cannot do by yourself. 

(Of course there are also other possibilities for "url filtering" for example DNS based, but this never gives you the control as you have it with actual http based url filtering)

@Remo

But you know it might get very burdomson to manage if I start trying manually add url's, people may request them to be blocked frequently

With EDLs this task is pretty easy to manage.

And for websites in the wrong category our users simply have to wait until PaloAlto moves them to the right category (this process is at least much faster than with brightcloud) ... there still will be urgent requests but we did not have much of them in the past

@Remo

when you are talking about EDL - External dynamic lists correct you mean ,list like MISP, emerging threat etc

Exactly I meant external dynamic lists ... such a list you can also use for the allow/block request from your users. Simply place it on an internal webserver where you can edit the file easily (with ftps, scp, smb) and a few minutes later (depending on how often you configure the sync) the website is allowed/blocked ondm your or (this is an even greater advantage) on all the firewalls you manage

@Remo

Yes we have two or three of  them and are using them as you and @BPry have suggested but I got a request to create a block for a specific URL that he couldn't find in one of the EDL lists that we have. It is possible of the other lists may have that url is there anyway to check on the PA

@jdprovine,

Sure run the following in the CLI after you have modified it to match what you are looking for;

'request system external-list show type url name name' 

You can then check against your EDLs easy enough. Sadly I don't believe there is a way to '| match' on this request.  

@BPry

Awesome I will check my other EDL lists 

So what do you think about creating a rule/profile for just one URL

@jdprovine,

Depending on why the URL is needing to be blocked then yes. Generally though I would say that you should configure controllable EBLs, one for IP addresses and one for URLs, and then set them to auto-update at a resonable rate. This allows you to quickly deal with any issues like this and you don't really have to worry about them potentially not being on an EBL that you don't control. 

@BPry

We have had those kinds of lists set up for quite awhile but one of my coworker got an alert from bitsight about this URL

With this IP address 195.38.137.100and URL update.newinfoclientstack.com  that is not in any of the EDL list that we currently have set up and asked if I could create a block list for that specific IP address. My first thought is that if I do it once I will start get a lot of requests for individual addresses. So I was looking for away to avoid that