This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Allow only MS Intune and Windows Update - block all internet access

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Allow only MS Intune and Windows Update - block all internet access

kams19
L1 Bithead

‎08-13-2020 04:41 AM

HI,

 

I am after permitting only MS Intune and Windows Update - block all internet access.

I have followed the custom URL filtering as mentioned in the link below:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRfCAK&refURL=http%3A%2F%...

Created the custom url filter:

kams19_0-1597318380297.png

then created a policy allowing - web-browsing, ssl and ms-update

kams19_1-1597318419497.png

selected correct URL-category::

kams19_3-1597318525650.png

 

Time to Test: destination IP is for portal.manage.microsoft.com and it hits the correct policy

kams19_4-1597318560001.png

but when I try with google.com IP address, that also hits the same policy

kams19_2-1597318485271.png

From the above it seems that google.com will also be allowed?

I dont have an actual host to test the same, hence tested it from the Troubleshooting section of the firewall. 

To me it seems that the firewall is permitting any url being accessed over ssl, and ignoring the URL category.

 

The main reason for using custom URL filter is that I want to use wildcard FQDN.

Can someone suggest why the URL filtering is not taking effect.

 

Thanks.

 

0 Likes Likes
8 REPLIES 8

Remo
L7 Applicator

‎08-13-2020 07:28 AM

Hi @kams19 

With that rule theoreticaĺly every IP will match. Because of that you also configured the custom URL category. So when a host tries to connect to google.com, the tcp handshake will succed, but in the TLS handshake, the firewaĺl will see the hostname and from that point on the connection will no longer match your windows update rule and it will be dropped (except if you have some more rules that could match for that connection). In the policy match test, if you choose also the URL category, then the result will show what you actually expected.

kams19
L1 Bithead
In response to Remo

‎08-13-2020 07:39 AM

HI @Remo, Thanks for your reply, now I understand the logic behind this. I did select the URL category as you mentioned but I am getting this error now:

kams19_0-1597329551231.png

Any idea why this should happen?

0 Likes Likes

Remo
L7 Applicator
In response to kams19

‎08-13-2020 08:28 AM

@kams19 it looks like this is a bug. Only the paloalto url categories work and every custom url category leads to this error. I tested with PAN-OS 10.

0 Likes Likes

kams19
L1 Bithead
In response to Remo

‎08-13-2020 08:51 AM

@Remo 

For CLI, PA has mentioned the workaround as per https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjeCAG 

But that is assuming multi vsys config. My case is single vsys and single virtual router. There is no option on GUI to select vsys and VR.

 

I believe tomorrow I should have someone on site and I will ask them to connect their laptop to verify this.

0 Likes Likes

Remo
L7 Applicator
In response to kams19

‎08-13-2020 09:28 AM

Hi @kams19 

Thanks for bringing this to my attention. With this I tried again. So if you manually add "vsys1+" in front of the URL category name, the test works and no longer shows an error. I also tested on a firewall with a single vsys - so there is only vsys1.

0 Likes Likes

kams19
L1 Bithead
In response to Remo

‎08-13-2020 09:34 AM

@Remo 

I dont have ssh connection to the firewall at the moment, trying to get my local laptop firewall sorted.

I dont think there is a way this can be done from GUI?

0 Likes Likes

Remo
L7 Applicator
In response to kams19

‎08-13-2020 09:44 AM - edited ‎08-13-2020 09:50 AM

What I meant was that you should add "vsys1+" in the GUI. At least in my case it was working in CLI and WebUI.

0 Likes Likes

kams19
L1 Bithead
In response to Remo

‎08-13-2020 10:31 AM

@Remo 

ok got it working on the Troubleshooting section- 

kams19_0-1597339513573.png

will see how the policy is applied in action tomorrow and update

 

0 Likes Likes
  • 11043 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks