Make sure Command-and-Control is recognized by PAN-DB URL Filtering


As the following blog post announces, a new PAN-DB URL category, command-and-control, is being released:
https://live.paloaltonetworks.com/t5/Community-Blog/Command-and-Control-C2/ba-p/179026

This article describes how to confirm that the command-and-control category is recognized by the PAN-DB URL Filtering feature, using the 'test url' command on the firewall CLI.

Prerequisite

  • PAN-DB URL Filtering is enabled on the Palo Alto Networks firewall (licensed and selected as the URL filtering database; the category is not available with the BrightCloud database)
  • Content Update 734 or later is installed on the Palo Alto Networks firewall

After ensuring your firewall meets the prerequisites:

 

Step 1

Log in to your firewall management WebUI with an administrative account. The URL is http:// or https:// followed by the management IP address of your firewall (use https where possible).

 

Step 2

Go to Device > Setup > Content-ID and make sure the PAN-DB Server field is empty, so that the firewall queries the public PAN-DB cloud rather than a private PAN-DB server. If there is any value in PAN-DB Server, delete it and commit the change.

(Screenshot: step.JPG)

 

Step 3

Log in to your firewall management CLI with an administrative account.

 

 

Run the following command to verify that the command-and-control category is properly recognized by the PAN-DB URL Filtering feature:

admin@myNGFW> test url urlfiltering.paloaltonetworks.com/test-command-and-control

urlfiltering.paloaltonetworks.com/test-command-and-control command-and-control (Base db) expires in 1800 seconds
urlfiltering.paloaltonetworks.com/test-command-and-control command-and-control (Cloud db)

Both the Base db line (the firewall's local cache; "expires in" is the remaining lifetime of that cached entry) and the Cloud db line should report command-and-control for the full test URL. If a different category is returned, or the response comes from a different database, check that the content update prerequisite is met and that PAN-DB, not BrightCloud, is the active URL filtering database.
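Added example, not part of the original article: a small Python script that parses the 'test url' output shown above and reports whether the test URL was returned as command-and-control by PAN-DB. The sample outputs are constructed from the lines quoted in this article and in its comments. Treating a "(Dynamic db)" line as a BrightCloud response follows the explanation given in the comments below and is an assumption of the script, not documented output semantics.

```python
"""Parse and check PAN-OS 'test url' output for the command-and-control category.

Added example; it assumes the line format shown in the article:
  <url> <category> (<db>)[ expires in <N> seconds]
where <db> is "Base db", "Cloud db" or (assumed, per the comments) "Dynamic db"
for the BrightCloud database. Sample outputs below are constructed.
"""
import re
from typing import Dict, List

# Test URL used in the article and the category PAN-DB should return for it.
TEST_URL = "urlfiltering.paloaltonetworks.com/test-command-and-control"
EXPECTED_CATEGORY = "command-and-control"

# One result line: "<url> <category> (<db>)" with an optional cache expiry.
LINE_RE = re.compile(
    r"^(?P<url>\S+)\s+(?P<category>\S+)\s+\((?P<db>[^)]+)\)"
    r"(?:\s+expires in (?P<ttl>\d+) seconds)?$"
)


def parse_test_url(output: str) -> List[Dict[str, object]]:
    """Parse raw 'test url' output into one dict per database line."""
    entries: List[Dict[str, object]] = []
    for raw in output.splitlines():
        line = raw.strip()
        # Skip blank lines and the echoed prompt/command line.
        if not line or line.startswith("test url") or ">test url" in line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a result line (e.g. an error message)
        entries.append({
            "url": m["url"],
            "category": m["category"],
            "db": m["db"],
            "ttl": int(m["ttl"]) if m["ttl"] else None,
        })
    return entries


def check_c2(output: str) -> Dict[str, str]:
    """Return {'status': ..., 'reason': ...} for one 'test url' run."""
    entries = parse_test_url(output)
    if not entries:
        return {"status": "no-result", "reason": "no category lines parsed"}
    # Assumption (from the comments): a "(Dynamic db)" answer means the
    # BrightCloud database is active, which has no command-and-control category.
    if any(e["db"] == "Dynamic db" for e in entries):
        return {"status": "not-pan-db",
                "reason": "lookup answered by Dynamic db (BrightCloud), not PAN-DB"}
    # Require the full test URL, not just the hostname, to map to the category.
    hits = [e for e in entries
            if e["url"] == TEST_URL and e["category"] == EXPECTED_CATEGORY]
    if hits:
        dbs = ", ".join(str(e["db"]) for e in hits)
        return {"status": "ok", "reason": f"{EXPECTED_CATEGORY} returned by {dbs}"}
    seen = "; ".join(f"{e['url']} -> {e['category']} ({e['db']})" for e in entries)
    return {"status": "wrong-category",
            "reason": f"expected {EXPECTED_CATEGORY}, got: {seen}"}


# Constructed sample outputs: the first mirrors the article, the second the
# BrightCloud response quoted in the comments.
SAMPLE_OK = """\
admin@myNGFW>test url urlfiltering.paloaltonetworks.com/test-command-and-control

urlfiltering.paloaltonetworks.com/test-command-and-control command-and-control (Base db) expires in 1800 seconds
urlfiltering.paloaltonetworks.com/test-command-and-control command-and-control (Cloud db)
"""

SAMPLE_BRIGHTCLOUD = """\
urlfiltering.paloaltonetworks.com computer-and-internet-security (Dynamic db)
"""

if __name__ == "__main__":
    for name, sample in (("pan-db", SAMPLE_OK), ("brightcloud", SAMPLE_BRIGHTCLOUD)):
        verdict = check_c2(sample)
        print(f"{name}: {verdict['status']} - {verdict['reason']}")
```

Paste the real CLI output into check_c2() (or read it from a file) to get a single verdict per firewall; "ok" requires the full test path, not only the hostname, to come back as command-and-control.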

 

Comments

Hi, everything is configured as you explained, but I still don't see 'command-and-control' under:

 

Object - Security profiles - URL Filtering 

 

My URL filtering version is 5341.

 

thank you for the help

Sagy.

When running this command against my PA-500 I received a slightly different response. Not sure if this means my firewall hasn't applied this new URL filter properly...?

 

I ran:

test url urlfiltering.paloaltonetworks.com/test-command-and-control

 

and the response I get back is:

urlfiltering.paloaltonetworks.com computer-and-internet-security (Cloud db)

 

Does this mean it hasn't applied properly?

 

Furthermore, I found this page when trying to search for instructions on how to set the new category to BLOCK, as alluded to by this support article: https://live.paloaltonetworks.com/t5/Management-Articles/Command-and-Control-C2-FAQ/ta-p/178617

 

I can't find any instructions on how to actually set this to block. I did find this page: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content-inspection-feature...

but the instructions aren't clear, and I couldn't even progress through Step three as the instructions also don't seem to match the interface in my PA-500. I'm currently running version 7.x and assume the article was written for version 8.x which must have been significantly revamped.

 

One final note, same as Sagy above, I also don't see this new category under Objects -> Security Profiles -> URL Filtering.

@SShnap please update your applications package; the new category is made available through a content update instead of the URL filtering seed file (the seed file simply pushes a list of the most popular websites and their categories)

 

@RichardT the test url command tests a URL for its category, so your input was invalid

you can do 'test url www.cnn.com' to find out what cnn is classified as, and you can 'test url www.nastysite.com' to figure out it's classified as suspicious (it kind of works straightforwardly, like ping would return an IP when you ping www.cnn.com)

 

setting the category to block works in exactly the same way as any other category; there is no major revamp in that specific action in 8.0, which leads me to believe you may not have downloaded the appropriate content update yet to actually see the update. Please make sure all your dynamic updates have installed properly and you should see the below (save user credential submission)

(Screenshot: C2.png)

 

Hi, what do you mean by update the application package?

I'm on the software 7.1.10

application and threats 741-4265

URL filtering 5341

I'm on the latest dynamic updates; can you explain what you mean? I attached the URL filtering profile menu, which is different from what you sent.

Thank you.

Sagy

(Screenshot: 2017-10-12 14_12_06.jpg)

 

@SShnap it appears you are using the BrightCloud URL filtering database, which is an external database and does not feature this category unfortunately

that's why when I run the command I receive:

urlfiltering.paloaltonetworks.com computer-and-internet-security (Dynamic db)

 

Is there any best practice on what to use for URL filtering?

Can I change it, or is it OK as it is, and will that feature also be released for BrightCloud URL filtering in the future?

For optimal integration it's recommended to have PANDB, but the choice is ultimately yours.

PANDB URL filtering requires a different license than BrightCloud URL filtering, best is to have a chat with your sales contact if you're interested in switching.

The new C2 category is populated with information we gather from different internal (Palo Alto Networks) sources like WildFire. BrightCloud is a third party so they will not have access to the same sources but they may or may not decide to create a similar category, I can't really comment on that

Hello

 

One of my customers has the new signature installed in the FWs but he says it doesn't appear in his Panorama Server. How can it be enabled in Panorama?

best regards

@SOC_CSG: you'll need to get the latest content package installed on the Panorama