Allow only MS Intune and Windows Update - block all internet access

kams19 (L1 Bithead):

Hi,

I am after permitting only MS Intune and Windows Update and blocking all other internet access.

I have followed the custom URL filtering as mentioned in the link below:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRfCAK&refURL=http%3A%2F%...

Created the custom URL filter:

[screenshot]

Then created a policy allowing web-browsing, ssl and ms-update:

[screenshot]

Selected the correct URL category:

[screenshot]

Time to test: the destination IP is for portal.manage.microsoft.com and it hits the correct policy:

[screenshot]

But when I try with the google.com IP address, that also hits the same policy:

[screenshot]

From the above it seems that google.com will also be allowed?

I don't have an actual host to test the same, hence tested it from the Troubleshooting section of the firewall.

To me it seems that the firewall is permitting any url being accessed over ssl, and ignoring the URL category.

The main reason for using a custom URL filter is that I want to use wildcard FQDNs.

Can someone suggest why the URL filtering is not taking effect?

Thanks.

vsys_remo (Cyber Elite):

Hi @kams19 

With that rule theoretically every IP will match. Because of that you also configured the custom URL category. So when a host tries to connect to google.com, the TCP handshake will succeed, but in the TLS handshake the firewall will see the hostname, and from that point on the connection will no longer match your Windows Update rule and it will be dropped (except if you have some more rules that could match for that connection). In the policy match test, if you also choose the URL category, then the result will show what you actually expected.
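An added illustration of the evaluation order described in that reply; this is not code from the thread, from PAN-OS or from Palo Alto Networks, and the category entries, rule names and every hostname other than portal.manage.microsoft.com are constructed for the example. Before the ClientHello the rule matches on application alone (any destination IP), and once the SNI is known the custom URL category decides:

```python
# Added illustration, not code from the thread or from PAN-OS: a simplified
# model of how a rule carrying a custom URL category is evaluated before and
# after the TLS ClientHello reveals the server name. All values are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed custom URL category with wildcard FQDN entries, referenced with the "vsys1+" prefix.
CUSTOM_CATEGORIES = {
    "vsys1+intune-wu": ["*.manage.microsoft.com", "*.windowsupdate.com"],
}

@dataclass
class Rule:
    name: str
    action: str
    apps: set = field(default_factory=set)        # empty set = any app
    categories: set = field(default_factory=set)  # empty set = any category

def url_category(hostname):
    """Return the custom categories whose wildcard entries match hostname."""
    host = hostname.lower()
    return {cat for cat, pats in CUSTOM_CATEGORIES.items()
            if any(fnmatchcase(host, p) for p in pats)}

def match_policy(rules, app, sni=None):
    """Evaluate rules top-down and return (rule name, action).
    sni=None models the TCP handshake: no hostname has been seen yet, so a
    rule's URL-category constraint cannot be evaluated and the rule matches
    on application alone (what the policy-match test shows when no category
    is supplied). Once the SNI is known the category constraint is enforced.
    """
    cats = url_category(sni) if sni is not None else None
    for r in rules:
        if r.apps and app not in r.apps:
            continue
        if r.categories and cats is not None and not (r.categories & cats):
            continue
        return r.name, r.action
    return None, "deny"  # nothing matched: implicit deny

RULES = [
    Rule("allow-intune-wu", "allow", apps={"web-browsing", "ssl", "ms-update"},
         categories={"vsys1+intune-wu"}),
    Rule("deny-all-internet", "deny"),
]

if __name__ == "__main__":
    for host in (None, "portal.manage.microsoft.com", "www.google.com"):
        print(host, "->", match_policy(RULES, "ssl", host))
```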

kams19 (L1 Bithead):

Hi @vsys_remo, thanks for your reply, now I understand the logic behind this. I did select the URL category as you mentioned but I am getting this error now:

[screenshot]

Any idea why this should happen?

vsys_remo (Cyber Elite):

@kams19 it looks like this is a bug. Only the Palo Alto URL categories work and every custom URL category leads to this error. I tested with PAN-OS 10.

kams19 (L1 Bithead):

@vsys_remo

For CLI, PA has mentioned the workaround as per https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjeCAG

But that is assuming a multi-vsys config. My case is a single vsys and a single virtual router. There is no option in the GUI to select vsys and VR.

I believe tomorrow I should have someone on site and I will ask them to connect their laptop to verify this.

vsys_remo (Cyber Elite):

Hi @kams19 

Thanks for bringing this to my attention. With this I tried again. So if you manually add "vsys1+" in front of the URL category name, the test works and no longer shows an error. I also tested on a firewall with a single vsys - so there is only vsys1.

kams19 (L1 Bithead):

@vsys_remo

I don't have an SSH connection to the firewall at the moment, trying to get my local laptop firewall sorted.

I don't think there is a way this can be done from the GUI?

vsys_remo (Cyber Elite):

What I meant was that you should add "vsys1+" in the GUI. At least in my case it was working in CLI and WebUI.

kams19 (L1 Bithead):

@vsys_remo

OK, got it working in the Troubleshooting section:

[screenshot]

Will see how the policy is applied in action tomorrow and update.
