New Advanced URL Filtering Category: Scanning Activity

There is conflicting information being provide by Palo Alto here. This article states URLs will be added to the new category in Oct however the 'Palo Alto Networks Content Update' emails states November.

Which is it ?

your links is dead ?

http://urlfiltering.paloaltonetworks.com/test-scanning-activity

Hi ElliotM, thanks for bringing it to our attention. Correct date is Oct 11th. We are correcting the content RN.

When will the “Scanning Activity” category be available?

The “Scanning Activity” category will be visible on the administrator management console after you install the content release scheduled for July 11, 2023 (or a later version). However we will not begin publishing URLs to this new category until October 11, 2023. 
####################

Do you know when this will be available.
I want to set action as block but it is currently not available as I check the update on July 11

It will be included with today's content release by the EOD. 

Thanks for the update sir.

Thanks. 
I was able to see 'scanning-activity' is available by EOD GMTime on July 11, 2023.

How does this new category "Scanning-activity" compare to the threat category and type SCAN?

Customer is asking for a SOP document in order to make changes in their Custom URL filtering profile for the Artificial intelligence and scanning activity categories. We want to implement these actions.

ACTION: Your action is required. By default, we set the “Scanning Activity” category to “Block” mode for the default profile only. If you have multiple URL Filtering profiles, we recommend that you change the default action to “Block” for this category in each of your profiles.

ACTION: Action will be required. The “Artificial Intelligence” category action is set to “Alert” only for the default profile. If you have multiple URL Filtering security profiles, it is recommended you change the default action to “Alert” for each of these profiles for better visibility and control.

I hope this will not impact on tenable traffic?

In our interface. we don't even see anything that says "Advanced URL Filtering". We have an active Advanced URL Filtering subscription, on PanOS 9.1.14-h4  

I was able to find a "scanning-activity" under Objects > Security Profiles >  URL Filtering > [clicking on a filter] > Categories > Scroll down to "Pre-Defined Categories"

Hope this is the correct location to set the block before we get the big zap in the sky...

That is correct. It is found in "Pre-Defined Categories"

Are there any URLs from this category that can be tested after making it to block?

Does anyone have any information on how to test for this change or could it cause any problems?

As far as I can tell, the only test to verify that the blocked URL categories are working is going to the page Palo ALto setup and marked as "scanning-activity":

http://urlfiltering.paloaltonetworks.com/test-scanning-activity

Why does it say "TBD" on content update emails, but the verbiage in this article hasn't changed, and the Oct. 11th scheduled date for release remains the same?

That's very confusing for a new URL category that we're recommending block actions and potential production risk for. Can we clarify this quickly please? 

I echo the request for urgent clarification

Many end user organisations will have internal security scanning systems. There is also no information on the signature or proflle of the traffic that wil be matched. I tthink PAN should provide this detail to re-assure customers that internal network monitoring systems that may ping/snmp ranges of IP addresses will not be falsely detected.

This documents states:

Note: While URL filtering typically does not see inbound traffic, our detection technology can identify scanning activities regardless of the traffic direction. Therefore, if the source IP address does not belong to your network, check if the URL filtering profile is assigned to the inbound interface.

Please advise ASAP where 'assignment to an interface' is set and how to check this. It is not at all obvious.

KR,

Lee

Couple questions because the above information is not clear:

1. Exactly "what" type of Outbound Traffic will this new URL Category detect?

1a. Internet Outbound URLs of attempts to "phone home" from an infected machine?

1b. Will this impact Internal Network Scanners connecting back to their Cloud? Like Tenable On-Premise Servers getting updates?

2. Exactly "what" type of Inbound Traffic will this new URL Category Detect? We were previously told by Palo Support that URL Filtering only applies to Outbound Traffic which conflicts with the statement below from the article.

2a. If this applies to Internet Inbound Traffic, are you recommending that a URL Category now be assigned to Internet Inbound Policies?

Note: While URL filtering typically does not see inbound traffic, our detection technology can identify scanning activities regardless of the traffic direction. Therefore, if the source IP address does not belong to your network, check if the URL filtering profile is assigned to the inbound interface.

The test link only works for port 80 (http) traffic and not for 443 (https) is this expected behavior ?

The test link is not blocked for us because the full path is not showing within the logs, only the main site which we use for recategorization and that is allowed as computer/internet. Is there any other test url's we can use? Any list of url's they added yet? 

Hi @Ridwaan ,

This means you are not appling SSL decryption for this traffic. In that case it is expected to work only with plain-text HTTP.

Hey @ErinWest ,

It looks like you also don't decrypt this traffic. Without SSL decryption firewall is not capable of inspecting the full URL path, because thi is part of the HTTP headers that are exchanges after SSL encryption is negotiated.

When traffic is SSL encrypted firewall will have visibility up to the SSL/TLS negotiation where the SNI (server name indicator) is indicating which hostname the client is trying to reach.

So we set up for decryption on this category and it is still not blocked. And yes other categories do get our block page so we know that decryption is working. 

@ErinWest,

If you're not getting the entire URL included in your log message really the only possible way for that to happen is that you aren't decrypting the traffic. There's a couple of potential reasons that this could be happening if you intend to decrypt this traffic, but the end of it is really the same, the traffic isn't being decrypted. You can verify this via your logs by adding the decrypted column.

It's possible that you have urlfiltering.paloaltonetworks.com in a custom category that is overriding the scanning-activity categorization and thus allowing the traffic. If you're additionally selective in what you decrypt and utilize explicit categorization for decrypting traffic instead of explicit categorization for excluding the traffic from decryption, it would also explain both behaviors that you're seeing. 

I'd look through your configuration and verify that you aren't accidently overriding that categorization and causing the traffic to both be allowed, and also not be decrypted as you're expecting. 

So the thing is we are decrypting other content categories in the same rule, like hacking sites are blocked etc. We have a case open but they haven't found why this particular one is not being blocked when others are within the same decryption rule. We do not have that PA url on an explicit allow list either. Will just have to sort it out!