Adding filter "?v=panosurl" broken access to all websites

L2 Linker

Re: Adding filter "?v=panosurl" broken access to all websites

Hi Luigi,

Did you get everything you need to reproduce the error? Let me know and I can provide you with my config. Thanks.

L7 Applicator

Re: Adding filter "?v=panosurl" broken access to all websites

Hi @craigomatic,

I haven't received the email with the indicator list, could you please send it again?

Luigi

L2 Linker

Re: Adding filter "?v=panosurl" broken access to all websites

OK I sent it ... please let me know if you do NOT receive. There are four attachments but they are small txt files.

L7 Applicator

Re: Adding filter "?v=panosurl" broken access to all websites

Hi @craigomatic,

sorry, but I didn't receive it again. Are you on the community slack channel? Or could you send me an email without attachments first?

L7 Applicator

Re: Adding filter "?v=panosurl" broken access to all websites

Hi @craigomatic,

just tested it and I can't replicate so far. Please could you tell me:

  • PAN-OS release
  • What the policy looks like (app/service/URL Category or URL Filtering profile?)

Thanks!

Luigi

L2 Linker

Re: Adding filter "?v=panosurl" broken access to all websites

Luigi,

PANOS release 8.1.4.

set device-group ACME  external-list edl-phishing-sites type url recurring hourly
set device-group ACME   external-list edl-phishing-sites type url certificate-profile minemeld_cert_profile
set device-group ACME   external-list edl-phishing-sites type url url https://10.X.X.X/feeds/phishing-url

Issue can be replicated by changing the last line:

set device-group ACME  external-list edl-phishing-sites type url recurring hourly
set device-group ACME   external-list edl-phishing-sites type url certificate-profile minemeld_cert_profile
set device-group ACME   external-list edl-phishing-sites type url url https://10.X.X.X/feeds/phishing-url?v=panosurl

Then most/any url categories will be defined as edl-phishing-sites. I saw google.com, bing.com, yahoo.com being classified as such.

Here's the URL filtering profile, which includes the edl:

set device-group ACME profiles url-filtering ACME-PAN-URL-Policy credential-enforcement block [ abortion abused-drugs adult alcohol-and-tobacco auctions command-and-control copyright-infringement dynamic-dns extremism gambling games hacking home-and-garden hunting-and-fishing internet-communications-and-telephony malware nudity parked peer-to-peer phishing proxy-avoidance-and-anonymizers questionable weapons web-advertisements edl-phishing-sites shortened-urls ]

Here's a policy we were using specifically to block matching category:

craigomatic@PNRM01# show | match openphish-alert
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert target negate no
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert to untrust
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert from [  trust ]
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert source any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert destination any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert source-user any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert category edl-phishing-sites
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert application [ ssl web-browsing ]
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert service application-default
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert hip-profiles any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert action drop
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert log-setting lf-pnrm-siem
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert disabled no
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert tag

Let me know if you need more info. I was able to reproduce this on my lab PA-220. I can ship you that config if that would be helpful.

L2 Linker

Re: Adding filter "?v=panosurl" broken access to all websites

Luigi,

Just tried in 8.1.5 and was unable to reproduce the error in my testing environment. I will roll out to production cautiously and will update ...

L7 Applicator

Re: Adding filter "?v=panosurl" broken access to all websites

Hi @craigomatic,

thanks, please let me know the outcome of your tests.

L7 Applicator

Re: Adding filter "?v=panosurl" broken access to all websites

Hi @lmori

Were you able to solve this issue? It is definitely an issue in minemeld. After adding this parameter, for some reason "*.com" was on the output ...

L7 Applicator

Re: Adding filter "?v=panosurl" broken access to all websites

Currently the reason for this issue is a bug of minemeld that handles special entries the wrong way. I wrote the more detailed description here:  https://live.paloaltonetworks.com/t5/General-Topics/Adding-v-panosurl-to-MineMeld-EDL-brought-down-o...
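The thread's root cause is a feed that, after the parameter was added, emitted a line like "*.com", which the firewall then matched against practically every site. A defender-side guard for that failure mode is to audit the EDL text before the firewall pulls it and refuse any entry whose host is nothing but a wildcard plus a public suffix. The script below is an added example written for this thread; it is not code from MineMeld, PAN-OS or any participant. It assumes a plain-text feed with one URL pattern per line, `#` as a comment marker and `*` as a wildcard label in the host part; the `PUBLIC_SUFFIXES` set is a tiny illustrative subset, and the sample feed is constructed.

```python
"""Sanity check for a URL EDL feed before the firewall consumes it.

Added example; not code from MineMeld, PAN-OS or the thread participants.
Assumed feed format: plain text, one URL pattern per line, '#' starts a
comment, '*' is a wildcard label in the host part. The check flags entries
whose host is just a wildcard plus a public suffix (e.g. "*.com"), which is
the kind of line the thread reports: once it is in the list, google.com,
bing.com and yahoo.com all fall into the EDL category.
"""

# Tiny illustrative subset of multi-label public suffixes (assumption, not
# from the thread); a production check would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"co.uk", "com.au", "co.jp", "org.uk"}

# Constructed sample feed containing three over-broad lines.
SAMPLE_FEED = """\
# phishing-url feed (constructed sample)
evil.example.net/login
*.example-bad.org/
http://198.51.100.7/update.php
*.com
*
*.co.uk/
example.com/*
"""


def host_of(entry):
    """Return the lower-cased host token of a feed entry (scheme and path removed)."""
    e = entry.strip()
    if "://" in e:
        e = e.split("://", 1)[1]
    return e.split("/", 1)[0].lower()


def is_overbroad(entry, min_labels=2):
    """True if the entry would match an entire TLD or public suffix.

    A host is over-broad when, after dropping wildcard labels, fewer than
    `min_labels` concrete labels remain, or when the remaining labels are
    exactly a known public suffix.
    """
    host = host_of(entry)
    if host in ("", "*"):
        return True
    concrete = [label for label in host.split(".") if label != "*"]
    if len(concrete) < min_labels:
        return True
    return ".".join(concrete) in PUBLIC_SUFFIXES


def audit_feed(text):
    """Split a feed into (accepted, rejected) entries, skipping blanks and comments."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        (rejected if is_overbroad(line) else accepted).append(line)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit_feed(SAMPLE_FEED)
    for entry in bad:
        print(f"REJECT  {entry}")
    for entry in ok:
        print(f"accept  {entry}")
    # Non-zero exit lets a scheduled job or pipeline stop the commit.
    raise SystemExit(1 if bad else 0)
```

Run it against the downloaded feed text in a scheduled job between the feed generator and the firewall's EDL refresh; a non-zero exit means the list contains a catch-all entry and should not be published. The two-label heuristic deliberately errs on the side of rejecting, since a false rejection costs one missed indicator while a false acceptance, as the thread shows, can block every site in a TLD.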
