Video Tutorial: Unblocking a URL

by on ‎12-02-2015 07:28 AM - edited on ‎11-10-2016 04:54 AM by (6,712 Views)

 

Hi everyone and welcome to this Palo Alto Networks video tutorial about unblocking a URL.

 

My name is Kim Wens and I'm a Solutions Engineer with Palo Alto Networks community team.  In this video tutorial, I'll explain how you can select a specific category to block, and how to configure and test the blocked URL. Next, I will show you how to add an exception to this, allowing you to visit a URL that's supposedly blocked by category.  Finally, I will show you an alternative way to configure this using a custom URL category.  I will also show you how to apply this custom URL category and how you can check the URL logs.

 

Alright, let's get started!

 

Configuring blocked URLs

 

After you are logged into the firewall GUI, go to the Objects tab, Security Profiles and URL filtering.  This is your default screen.  We won't be using the default URL filtering profile because we are unable to make any changes in the action. So let's click Cancel.

 

Instead, we are going to clone this profile.  So make sure it's selected and click the clone button.

 

We have created a clone URL filtering profile.  Let's edit it and give it a useful name. For the sake of this tutorial, let's block the category 'search-engines.'  As you can see, the current action is 'allow.'  Let's 'block' this.

 

Next we will have to configure this URL filtering profile to a rule. To do this,  go to the Policies tab.

For the sake of this tutorial, I have a very basic ANY, ANY, ALLOW rule.

 

To apply the newly created URL filtering profile, go to your rule and edit the 'Profile' column by clicking it.

Notice the different security profiles you can change.  In our example, we'll be changing the URL filtering profile.  Go to the dropdown menu next to it and select the newly created profile. Then click OK.  

 

Notice the icon has changed, indicating that the security profile is now applied to this rule.

Now we can go ahead and commit this configuration.

 

From this moment on, all URLs inside the search-engines category will be blocked. Let me show you.

 

As you can see, they are categorised as 'search-engines' and are being blocked. You can also verify this on your firewall in the Monitor tab, Logs, URL filtering.  Notice the 2 search engines I just visited in the last 2 logs.

In the log details you'll also see the category 'search-engines' being blocked.

 

Adding an exception to blocked URLs

 

So far, so good!  Now we would like to add an exception. Go back to you URL filtering profile and edit it.  In our example, we would like to allow access to Google but no other search engines.

 

We can edit the 'Allow List.'

Taking into account some redirections, I'm adding some wildcards :

 

*.google.*

 

Click the 'OK' button and commit the change.

 

We should now be able to go to Google.

Let's see if that is working as expected... 

 

Try going to another search engine first to confirm that the search-engines category is still being blocked, which it is!

Now, let's try Google.

 

As you can see, Google is now allowed!

 

Exploring an alternative configuration

 

Note that URLs added to the allow list will not have a log entry in the URL filtering logs. This brings us to the alternative configuration method using a custom URL category.

 

To create one is easy:

 

Go to the Objects tab, Custom Objects, URL Category.  Click 'Add', give it some meaningful name and add the urls you would like to allow.  You can also use wildcards.

 

The custom URL category will now be visible in your URL filtering profile.

 

Because this is an alternative configuration, we will no longer need the allow list, so we can remove it.  We can see that the customer URL category 'AllowedURLS' is listed here. Notice the asterisk, indicating that it is a custom URL category. The default action is 'none.'  Change this to 'alert.'  This will make sure there is a log entry in the URL filtering logs.

 

Now commit this change.

 

Let's see how this behaves.  Go to another search engine first and confirm that the category is still blocked. Then try Google and confirm that the URL is allowed.

 

Going back to your firewall, goto the Monitor tab, Logs, URL Filtering and notice that you will have some hits on the custom URL category that you created earlier with the alert action you have configured.

 

Here are some documents on related subjects you might find useful :

 

How to Configure URL filtering : https://live.paloaltonetworks.com/docs/DOC-9549

PAN-OS Admin Guide 5.0 : https://live.paloaltonetworks.com/docs/DOC-4118

PAN-OS Admin Guide 6.0 : https://live.paloaltonetworks.com/docs/DOC-6603

PAN-OS Admin Guide 6.1 : https://live.paloaltonetworks.com/docs/DOC-8246

PAN-OS Admin Guide 7.0 : https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os.html

Getting Started : Preparing the Firewall : https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Preparing-the-Firewall/ta-p/6...

 

That concludes this video tutorial on Unblocking a URL.  Thanks for watching and feel free to leave comments in the comment section below.

 

See you next time!

 

Kim Wens

Ask Questions Get Answers Join the Live Community
Contributors