How to use BIOC to block specific domains?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to use BIOC to block specific domains?

L1 Bithead

Dear community,

I would like to block connections to specific domains using BIOC,
but I found that the "Add to restrictions profile" button is missing when right-clicking on a BIOC rule.
Why is there no such button? Alternatively, is there any way to block specific domains using XDR?

2 REPLIES 2

L4 Transporter

Hi @Chilla 

 

Thank you for writing to live community!

 

Based on your above use case where you want to block specific domains using XDR using BIOC and "Add to restrictions profile" . Would like to share by using BIOC/BTP this will block/prevent your browser process action as result of which this rule might kill/crash the browser process which could be risky and you might have to reinstall the application again.

 

In your use case since you want to block specific domains if you are using Palo Alto firewall you may leverage or setup EDL (External Dynamic List) using which you may block the domain and IP. 
Ref: Manage External Dynamic Lists
LC Post

 

However, in case you still want to test using BIOC by adding to restriction profile to block specific domain you may create BIOC like this. Update your domain as required, the one in screenshot is for reference only.

PiyushKohli_0-1690440221009.png

PiyushKohli_1-1690440347104.png

 

Note: This is not recommended, however to see the behavior as shared above, you may test in your test or UAT endpoint before enforcing this to production endpoints.

 

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.

L5 Sessionator

Hi @Chilla ,

 

Thank you for writing to live community!

You can refer to the discussion on the same lines which mentions the same: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/url-blocking/m-p/550103#M4801

 

URL filtering is a Layer 7 mechanism and Cortex operates on Layer 3. For IPs we can suggest using Cortex XDR host firewalls.

For URLs, there is no mechanism as such to block the URL.

The method for BIOC rules is regressive and as BIOC is meant to terminate process events and not network events. However, to create BIOC rules for incoming, outgoing and failed network connections(do not add the raw packets), and then add the domains to the list. Once created, you can add the BIOC to restrictions profiles. 

 

Please note, we work on process instances termination and not network termination. Hence the above mentioned step is regressive as any network connection made using browsers for the URL will kill the browser itself and not just the network connection. As a result, all other browser tabs will also shutdown. As a result, this is can be done for 1 or 2 URLs but not a very recommended action. It is recommended to setup a firewall configuration for URL filtering.

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query.

 

 

  • 1400 Views
  • 2 replies
  • 0 Likes
  • 78 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!