01-01-2019 02:30 PM
Custom URL category is configured to block phishing URLs collected from a Linux MineMeld server through EDL. For some reason adding the filter "?v=panosurl" (https://10.9.0.60/feeds/phishing-url?v=panosurl) to retrieve URLs in the PAN-OS supported format (malware.com) is creating an issue, as all websites are categorized as phishing and blocked. Using it without the filter (https://10.9.0.60/feeds/phishing-url) doesn't work because URLs are retrieved in the format (http://malware.com).
Found this live community post for a similar issue: https://live.paloaltonetworks.com/t5/General-Topics/Adding-v-panosurl-to-MineMeld-EDL-brought-down-o...
What is the solution for this?
01-14-2019 09:49 AM - edited 01-14-2019 09:52 AM
Luigi,
PANOS release 8.1.4.
set device-group ACME external-list edl-phishing-sites type url recurring hourly
set device-group ACME external-list edl-phishing-sites type url certificate-profile minemeld_cert_profile
set device-group ACME external-list edl-phishing-sites type url url https://10.X.X.X/feeds/phishing-url
Issue can be replicated by changing the last line:
set device-group ACME external-list edl-phishing-sites type url recurring hourly
set device-group ACME external-list edl-phishing-sites type url certificate-profile minemeld_cert_profile
set device-group ACME external-list edl-phishing-sites type url url https://10.X.X.X/feeds/phishing-url?v=panosurl
Then most/any url categories will be defined as edl-phishing-sites. I saw google.com, bing.com, yahoo.com being classified as such.
Here's the URL filtering profile, which includes the edl:
set device-group ACME profiles url-filtering ACME-PAN-URL-Policy credential-enforcement block [ abortion abused-drugs adult alcohol-and-tobacco auctions command-and-control copyright-infringement dynamic-dns extremism gambling games hacking home-and-garden hunting-and-fishing internet-communications-and-telephony malware nudity parked peer-to-peer phishing proxy-avoidance-and-anonymizers questionable weapons web-advertisements edl-phishing-sites shortened-urls ]
Here's a policy we were using specifically to block matching category:
craigomatic@PNRM01# show | match openphish-alert
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert target negate no
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert to untrust
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert from [ trust ]
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert source any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert destination any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert source-user any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert category edl-phishing-sites
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert application [ ssl web-browsing ]
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert service application-default
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert hip-profiles any
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert action drop
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert log-setting lf-pnrm-siem
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert disabled no
set device-group ACME-LOCATIONS pre-rulebase security rules openphish-alert tag
Let me know if you need more info. I was able to reproduce this on my lab PA-220. I can ship you that config if that would be helpful.
01-28-2019 08:42 AM
Luigi,
Just tried in 8.1.5 and was unable to reproduce error in my testing environment. I will roll out to production cautiously and will update ...
02-07-2019 12:11 AM
Hi @craigomatic,
thanks, please let me know the outcome of your tests.
05-12-2019 09:29 AM
Hi @lmori
Were you able to solve this issue? It is definitely an issue in MineMeld. After adding this parameter, for some reason "*.com" was on the output ...
05-12-2019 04:19 PM
Currently the reason for this issue is a bug in MineMeld that handles special entries the wrong way. I wrote a more detailed description here: https://live.paloaltonetworks.com/t5/General-Topics/Adding-v-panosurl-to-MineMeld-EDL-brought-down-o...
07-03-2019 05:56 AM
Hi @Remo,
we improved the behavior of v=panosurl in MineMeld in 0.9.62:
- URLs with ports (http(s)://fqdn:port) are now dropped by default. To keep the URL and strip the port you should add the sp=1 parameter on the URL (https://<minemeld>/feeds/<feed>?v=panosurl&sp=1)
- Invalid URLs like *abc.example.com are dropped if di=1 parameter is specified (https://<minemeld>/feeds/<feed>?v=panosurl&di=1). Otherwise they are rewritten to *.example.com
- If rewritten URLs (with the di option not enabled) look like *.com or *.*.com, they are dropped
For blacklists I would suggest enabling the di option.
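An added example (my reimplementation of the rules listed in the reply above, not MineMeld's own code): it normalises a constructed feed the way v=panosurl with sp=1 / di=1 is described to, and adds an audit that flags *.com-style entries before the firewall ingests the EDL. Names and the sample lines are assumptions, and entries are assumed to be hostnames or IPv4 addresses (no IPv6 literals).

```python
import re

# Wildcard entries this broad (*.com, *.*.com) match practically every site;
# one such line in an EDL is what turned google.com and bing.com into "phishing".
TOO_BROAD = re.compile(r"^(\*\.)+[a-z0-9-]+$")


def to_panos_url(entry, strip_port=False, drop_invalid=False):
    """PAN-OS URL-category form of one feed line, or None to drop it.
    strip_port / drop_invalid stand in for the sp=1 / di=1 parameters; this is a
    reimplementation of the rules in the post, assuming hostname/IPv4 entries."""
    url = entry.strip()
    if "://" in url:
        url = url.split("://", 1)[1]            # PAN-OS entries carry no scheme
    hostport, _, path = url.partition("/")
    host, _, port = hostport.partition(":")
    if port and not strip_port:
        return None                             # default: URLs with a port are dropped
    host = host.lower()
    if not host:
        return None
    if host.startswith("*") and not host.startswith("*."):
        # "*abc.example.com": the wildcard is not a whole label, so it is invalid
        if drop_invalid or "." not in host:
            return None
        host = "*." + host.split(".", 1)[1]     # rewritten to *.example.com
        if TOO_BROAD.match(host):
            return None                         # rewrite produced a *.com-style entry
    return host + ("/" + path if path else "")


def build_feed(entries, strip_port=False, drop_invalid=False):
    """Normalise a whole feed, dropping duplicates but keeping order."""
    out = []
    for e in entries:
        p = to_panos_url(e, strip_port, drop_invalid)
        if p and p not in out:
            out.append(p)
    return out


def audit_feed(feed):
    """Entries that would match (nearly) every site; a sane EDL has none."""
    return [e for e in feed if TOO_BROAD.match(e)]


# Constructed sample feed lines (not real indicators).
SAMPLE = ["http://login-example.test/verify", "https://portal.example.test:8443/reset",
          "*abc.example.test", "*abc.test", "*.test"]
```

Run audit_feed over the normalised output before committing the EDL; anything it returns would categorise the whole internet, which is the failure described at the top of this thread.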
08-22-2019 08:02 PM
thanks luigi, i'll test in the lab. appreciate the feedback!