Allow only MS Intune and Windows Update - block all internet access


Allow only MS Intune and Windows Update - block all internet access

L1 Bithead



I am after permitting only MS Intune and Windows Update - block all internet access.

I have followed the custom URL filtering as mentioned in the link below:

Created the custom url filter:


then created a policy allowing - web-browsing, ssl and ms-update


selected the correct URL category:



Time to Test: destination IP is for and it hits the correct policy


but when I try with IP address, that also hits the same policy


From the above it seems that will also be allowed?

I don't have an actual host to test the same, hence tested it from the Troubleshooting section of the firewall.

To me it seems that the firewall is permitting any url being accessed over ssl, and ignoring the URL category.


The main reason for using custom URL filter is that I want to use wildcard FQDN.

Can someone suggest why the URL filtering is not taking effect?





Cyber Elite

Hi @kams19 

With that rule theoretically every IP will match. Because of that you also configured the custom URL category. So when a host tries to connect to, the TCP handshake will succeed, but in the TLS handshake the firewall will see the hostname and from that point on the connection will no longer match your Windows Update rule and it will be dropped (except if you have some more rules that could match for that connection). In the policy match test, if you also choose the URL category, then the result will show what you actually expected.
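The two-stage evaluation described above (a tentative match while only the destination IP is known, then a decisive re-evaluation once the TLS ClientHello reveals the server name) is easy to misread from the Troubleshooting tab alone, so here is a small simulation of it. This is added illustrative code, not Palo Alto Networks code and not a reproduction of PAN-OS internals; the rule name, category name, wildcard FQDN entries, the fixed App-ID of "ssl" and the 203.0.113.10 address are all constructed for the example.

```python
"""
Simplified model of how a security rule carrying a custom URL category is
evaluated at two points in a TLS session: first when only the destination
IP is known (TCP handshake), then again once the ClientHello carries the
server name (SNI). Illustrative only; not PAN-OS code.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed custom URL category with wildcard FQDNs (the reason the
# original poster chose a custom category). Entries are illustrative.
CUSTOM_URL_CATEGORIES: Dict[str, List[str]] = {
    "Allow-MS-Update": [
        "*.windowsupdate.com",
        "*.update.microsoft.com",
        "*.manage.microsoft.com",
    ],
}


@dataclass(frozen=True)
class Rule:
    name: str
    applications: FrozenSet[str]      # App-ID names the rule permits
    url_category: Optional[str]       # None means "any"
    action: str                       # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    application: str = "ssl"          # App-ID, held fixed for simplicity
    sni: Optional[str] = None         # unknown until the ClientHello is seen


# Constructed policy mirroring the thread: destination "any", applications
# web-browsing/ssl/ms-update, scoped only by the custom URL category.
# No broader rule follows, so anything unmatched hits the implicit deny.
POLICY: List[Rule] = [
    Rule("Allow-Windows-Update",
         frozenset({"web-browsing", "ssl", "ms-update"}),
         url_category="Allow-MS-Update",
         action="allow"),
]


def hostname_in_category(category: str, hostname: str) -> bool:
    """Wildcard match of a hostname against the category's FQDN patterns.
    fnmatch semantics are an approximation of the firewall's wildcard rules;
    the pattern must cover the whole name, so a hostname that merely
    contains 'windowsupdate.com' in the middle does not match."""
    patterns = CUSTOM_URL_CATEGORIES[category]   # KeyError if undefined
    host = hostname.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def match_rule(policy: List[Rule], flow: Flow) -> Optional[str]:
    """Return the name of the first rule the flow matches, or None for the
    implicit deny. A rule with a URL category matches tentatively while the
    hostname is unknown (the handshake must proceed for the firewall to
    learn it); once the SNI is known the category is decisive."""
    for rule in policy:
        if flow.application not in rule.applications:
            continue
        if rule.url_category is not None and flow.sni is not None:
            if not hostname_in_category(rule.url_category, flow.sni):
                continue
        return rule.name
    return None


def simulate_session(policy: List[Rule], dst_ip: str,
                     sni: str) -> List[Tuple[str, Optional[str]]]:
    """Walk a TLS session through both evaluation points and record the
    rule matched at each. The last verdict governs the connection."""
    verdicts: List[Tuple[str, Optional[str]]] = []
    first = match_rule(policy, Flow(dst_ip, 443, sni=None))
    verdicts.append(("tcp-handshake", first))
    if first is None:
        return verdicts                          # SYN never forwarded
    second = match_rule(policy, Flow(dst_ip, 443, sni=sni))
    verdicts.append(("tls-clienthello", second))
    return verdicts


def session_allowed(policy: List[Rule], dst_ip: str, sni: str) -> bool:
    """True only if the final evaluation point still hits an allow rule."""
    _, rule_name = simulate_session(policy, dst_ip, sni)[-1]
    if rule_name is None:
        return False
    rule = next(r for r in policy if r.name == rule_name)
    return rule.action == "allow"


if __name__ == "__main__":
    for host in ("download.windowsupdate.com", "www.example.com",
                 "windowsupdate.com.example.net"):
        print(host, simulate_session(POLICY, "203.0.113.10", host),
              "allowed" if session_allowed(POLICY, "203.0.113.10", host) else "dropped")
```

The first verdict in each session is what a policy match test without a URL category shows: the rule matches for any destination IP. The second verdict is what the real session gets after the ClientHello, which is why the hostname outside the category ends in a drop while the IP-only test still reported a hit.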

Hi @vsys_remo, thanks for your reply, now I understand the logic behind this. I did select the URL category as you mentioned but I am getting this error now:


Any idea why this should happen?

@kams19 it looks like this is a bug. Only the paloalto url categories work and every custom url category leads to this error. I tested with PAN-OS 10.


For CLI, PA has mentioned the workaround as per 

But that is assuming multi vsys config. My case is single vsys and single virtual router. There is no option on GUI to select vsys and VR.


I believe tomorrow I should have someone on site and I will ask them to connect their laptop to verify this.

Hi @kams19 

Thanks for bringing this to my attention. With this I tried again. So if you manually add "vsys1+" in front of the URL category name, the test works and no longer shows an error. I also tested on a firewall with a single vsys - so there is only vsys1.


I don't have an SSH connection to the firewall at the moment, trying to get my local laptop firewall sorted.

I don't think there is a way this can be done from the GUI?

What I meant was that you should add "vsys1+" in the GUI. At least in my case it was working in CLI and WebUI.


OK, got it working in the Troubleshooting section:


will see how the policy is applied in action tomorrow and update

